Fix issue #938 assume_role multiple times @halfluke

prowler-cloud · Dec 1, 2021 · 84a6843 · 84a6843
2 parents 593c3b8 + 0b92aec
commit 84a6843
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/include/assume_role b/include/assume_role
@@ -12,7 +12,8 @@
 # specific language governing permissions and limitations under the License.
 
 assume_role(){
-    # Both variables are mandatory to be set togethe
+    PROFILE_OPT=$PROFILE_OPT_BAK
+    # Both variables are mandatory to be set together
     if [[ -z $ROLE_TO_ASSUME || -z $ACCOUNT_TO_ASSUME ]]; then
         echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
         exit 1
@@ -50,6 +51,8 @@ assume_role(){
             --region $REGION_FOR_STS \
             --external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE 2>&1
     fi
+    echo FILE WITH TEMP CREDS: $TEMP_STS_ASSUMED_FILE
+
     if [[ $(grep AccessDenied $TEMP_STS_ASSUMED_FILE) ]]; then
       textFail "Access Denied assuming role $PROWLER_ROLE"
       EXITCODE=1
@@ -84,6 +87,10 @@ assume_role(){
     export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
     export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
     export AWS_SESSION_EXPIRATION=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601')
+    echo TEMP AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
+    echo TEMP AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
+    echo TEMP AWS_SESSION_TOKEN: $AWS_SESSION_TOKEN
+    echo EXPIRATION EPOCH TIME: $AWS_SESSION_EXPIRATION
     cleanSTSAssumeFile
 }
 

diff --git a/include/aws_profile_loader b/include/aws_profile_loader
@@ -45,7 +45,8 @@ else
     PROFILE="default"
     PROFILE_OPT="--profile $PROFILE"
 fi
-
+# Backing up $PROFILE_OPT needed to renew assume_role
+PROFILE_OPT_BAK=$PROFILE_OPT
 # Set default region by aws config, fall back to us-east-1
 REGION_CONFIG=$(aws configure get region)
 if [[ $REGION_OPT ]]; then

diff --git a/prowler b/prowler
@@ -135,6 +135,7 @@ while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
         ;;
      p )
         PROFILE=$OPTARG
+        AWS_PROFILE=$OPTARG
         ;;
      r )
         REGION_OPT=$OPTARG
@@ -338,6 +339,7 @@ TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | awk '!seen[$0]++' | so
 get_regions() {
   # Get list of regions based on include/whoami
   REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
+  echo $REGIONS
   ret=$?
   if [[ $ret -ne 0 ]]; then
     echo "$OPTRED Access Denied trying to describe regions! Review permissions as described here: https://github.com/toniblyx/prowler/#requirements-and-installation $OPTNORMAL"
@@ -397,8 +399,10 @@ execute_check() {
     # if it is less than 600 seconds, 10 minutes.
     CURRENT_TIMESTAMP=$(date -u "+%s")
     SESSION_TIME_REMAINING=$(expr $AWS_SESSION_EXPIRATION - $CURRENT_TIMESTAMP)
-    MINIMUM_REMAINING_TIME_ALLOWED="600"
-    if [[ $MINIMUM_REMAINING_TIME_ALLOWED > $SESSION_TIME_REMAINING ]]; then
+    echo SESSION TIME REMAINING IN SECONDS: $SESSION_TIME_REMAINING
+    MINIMUM_REMAINING_TIME_ALLOWED=600
+    if (( $MINIMUM_REMAINING_TIME_ALLOWED > $SESSION_TIME_REMAINING )); then
+      echo LESS THAN 10 MIN LEFT: RE-ASSUMING...
       unset AWS_ACCESS_KEY_ID
       unset AWS_SECRET_ACCESS_KEY
       unset AWS_SESSION_TOKEN
@@ -644,7 +648,9 @@ if [[ -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ]]; then
 fi
 
 # List regions
+echo REGIONS_init
 get_regions
+echo REGIONS_end
 
 # Execute group of checks if called with -g
 if [[ $GROUP_ID_READ ]];then