Role Chaining with source_identity broken in v7? #1251

Open
seldon007 opened this issue Aug 5, 2024 · 0 comments

Comments

@seldon007

I have a user account that is restricted to self-service tasks without assuming any role.
The user can assume a read-only role.
The user can assume the admin role only after having assumed the read-only role.

aws-vault config:

[profile readonly]
source_identity=user
role_arn=arn:aws:iam::##########:role/user-read-only
mfa_serial=arn:aws:iam::##########:mfa/phone1

[profile admin]
source_profile=readonly
role_arn=arn:aws:iam::##########:role/user-admin

The IAM user, roles, policies have been verified by manually assuming roles using aws-cli commands, so IAM setup works.
It also works in aws-vault 6.6.1 but not in later aws-vault versions.

vault-6.6.1
Assuming readonly

~ aws-vault --debug exec readonly
2024/07/12 10:57:40 aws-vault v6.6.1
2024/07/12 10:57:40 Loading config file /home/my-name/.aws/config
2024/07/12 10:57:40 Parsing config file /home/my-name/.aws/config
2024/07/12 10:57:40 [keyring] Considering backends: [secret-service]
2024/07/12 10:57:40 profile readonly: using stored credentials
2024/07/12 10:57:40 profile readonly: using GetSessionToken (with MFA)
2024/07/12 10:57:40 profile readonly: using AssumeRole (chained MFA)
Enter MFA code for arn:aws:iam::##########:mfa/phone1: 937150
2024/07/12 10:57:51 Looking up keyring for 'readonly'
2024/07/12 10:57:51 Generated credentials ****************QTXY using GetSessionToken, expires in 59m59.503268263s
2024/07/12 10:57:51 Generated credentials ****************HI6R using AssumeRole, expires in 59m59.33296823s
2024/07/12 10:57:51 Setting subprocess env: AWS_DEFAULT_REGION=my-region, AWS_REGION=my-region
2024/07/12 10:57:51 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2024/07/12 10:57:51 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2024/07/12 10:57:51 Setting subprocess env: AWS_SESSION_EXPIRATION
2024/07/12 10:57:51 Exec command /usr/bin/zsh 
2024/07/12 10:57:51 Found executable /usr/bin/zsh

~ aws sts get-caller-identity
{
    "UserId": "AROA2FKWYO6QAD55HAIIB:1720774660206393035",
    "Account": "##########",
    "Arn": "arn:aws:sts::##########:assumed-role/user-read-only/1720774660206393035"
}

Assuming admin

~ aws-vault  --debug exec admin   
2024/07/12 10:58:31 aws-vault v6.6.1
2024/07/12 10:58:31 Loading config file /home/my-name/.aws/config
2024/07/12 10:58:31 Parsing config file /home/my-name/.aws/config
2024/07/12 10:58:31 [keyring] Considering backends: [secret-service]
2024/07/12 10:58:31 profile readonly: using stored credentials
2024/07/12 10:58:31 profile readonly: using GetSessionToken (with MFA)
2024/07/12 10:58:31 profile readonly: using AssumeRole (chained MFA)
2024/07/12 10:58:31 profile admin: using AssumeRole 
2024/07/12 10:58:31 Re-using cached credentials ****************QTXY from sts.GetSessionToken, expires in 59m19.003197464s
2024/07/12 10:58:32 Generated credentials ****************LIOO using AssumeRole, expires in 59m59.840799801s
2024/07/12 10:58:32 Generated credentials ****************GY45 using AssumeRole, expires in 59m59.698689313s
2024/07/12 10:58:32 Setting subprocess env: AWS_DEFAULT_REGION=my-region, AWS_REGION=my-region
2024/07/12 10:58:32 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2024/07/12 10:58:32 Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN
2024/07/12 10:58:32 Setting subprocess env: AWS_SESSION_EXPIRATION
2024/07/12 10:58:32 Exec command /usr/bin/zsh 
2024/07/12 10:58:32 Found executable /usr/bin/zsh

~ aws sts get-caller-identity
{
    "UserId": "AROA2FKWYO6QDBW64CWWO:1720774711990579653",
    "Account": "##########",
    "Arn": "arn:aws:sts::##########:assumed-role/user-admin/1720774711990579653"
}

vault-7.2.0
Assuming the admin role in 7.2.0 fails.
Note: the IAM policies should be correct; otherwise I would also get denied with aws-cli and 6.6.1.

Assuming readonly

~ aws-vault --debug exec readonly
2024/07/12 11:00:42 aws-vault v7.2.0
2024/07/12 11:00:42 Using prompt driver: terminal
2024/07/12 11:00:42 Loading config file /home/my-name/.aws/config
2024/07/12 11:00:42 Parsing config file /home/my-name/.aws/config
2024/07/12 11:00:42 [keyring] Considering backends: [secret-service]
2024/07/12 11:00:42 profile readonly: using stored credentials
2024/07/12 11:00:42 profile readonly: using AssumeRole (with MFA)
2024/07/12 11:00:42 Setting subprocess env: AWS_REGION=my-region, AWS_DEFAULT_REGION=my-region
Enter MFA code for arn:aws:iam::##########:mfa/phone1: 383718
2024/07/12 11:00:52 Looking up keyring for 'readonly'
2024/07/12 11:00:52 Generated credentials ****************W6PR using AssumeRole, expires in 59m59.545738104s
2024/07/12 11:00:52 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2024/07/12 11:00:52 Setting subprocess env: AWS_SESSION_TOKEN
2024/07/12 11:00:52 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2024/07/12 11:00:52 Starting subshell /usr/bin/zsh, use `exit` to exit the subshell
2024/07/12 11:00:52 Exec command /usr/bin/zsh 
2024/07/12 11:00:52 Found executable /usr/bin/zsh

~ aws sts get-caller-identity
{
    "UserId": "AROA2FKWYO6QAD55HAIIB:1720774842460942516",
    "Account": "##########",
    "Arn": "arn:aws:sts::##########:assumed-role/user-read-only/1720774842460942516"
}

Assuming admin

~ aws-vault --debug exec admin   
2024/07/12 11:01:13 aws-vault v7.2.0
2024/07/12 11:01:13 Using prompt driver: terminal
2024/07/12 11:01:13 Loading config file /home/my-name/.aws/config
2024/07/12 11:01:13 Parsing config file /home/my-name/.aws/config
2024/07/12 11:01:13 [keyring] Considering backends: [secret-service]
2024/07/12 11:01:13 profile admin: sourcing credentials from profile readonly
2024/07/12 11:01:13 profile readonly: using stored credentials
2024/07/12 11:01:13 profile readonly: using AssumeRole (with MFA)
2024/07/12 11:01:13 profile admin: using AssumeRole 
2024/07/12 11:01:13 Setting subprocess env: AWS_REGION=my-region, AWS_DEFAULT_REGION=my-region
2024/07/12 11:01:13 Re-using cached credentials ****************W6PR from sts.AssumeRole, expires in 59m38.850033756s
aws-vault: error: exec: Failed to get credentials for admin: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 2fc0124b-a51c-4dcc-bba5-e0f462c63803, api error AccessDenied: User: arn:aws:sts::##########:assumed-role/user-read-only/1720774842460942516 is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::##########:role/user-admin
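The AccessDenied above names the permission the chained call is checked against: once the readonly session carries a source identity, the trust policy of the next role in the chain must also grant sts:SetSourceIdentity to the principal assuming it. The following checker is an added example (not aws-vault code and not from the issue author): it reads a trust policy, maps the assumed-role session ARN from the error to the IAM role ARN that trust policies name, and reports which of the two STS actions the chained caller still lacks. The account id 123456789012 and both policies are constructed placeholders modelled on the profiles in the issue.

```python
import fnmatch
import json
import re

ACCOUNT = "123456789012"  # constructed placeholder for the ########## in the issue
READONLY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/user-read-only"

# Trust policy of user-admin as the error implies it is today: the read-only role
# may assume it, but nothing grants sts:SetSourceIdentity (constructed sample).
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": READONLY_ROLE},
    "Action": "sts:AssumeRole"}]})

# Corrected trust policy: the same principal may also carry its source identity
# into the chained session (constructed sample).
FIXED_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": READONLY_ROLE},
    "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"]}]})

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def caller_to_role_arn(arn: str) -> str:
    """Map an assumed-role session ARN (as printed by get-caller-identity and in
    the AccessDenied error) to the IAM role ARN that a trust policy names."""
    m = _ASSUMED_ROLE.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_trust_actions(trust_policy_json: str, caller_arn: str) -> set:
    """Return the STS actions a chained caller with a source identity needs
    (AssumeRole and SetSourceIdentity) that the trust policy does not grant.
    Simplification: account-root principals and Condition blocks are not modelled."""
    needed = {"sts:AssumeRole", "sts:SetSourceIdentity"}
    principal = caller_to_role_arn(caller_arn)
    granted = set()
    for st in json.loads(trust_policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        allowed = _as_list(st.get("Principal", {}).get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            continue
        for pattern in _as_list(st.get("Action", [])):  # handles sts:* wildcards too
            granted |= {a for a in needed
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return needed - granted
```

Running it against WEAK_TRUST with the session ARN from the error reports {"sts:SetSourceIdentity"}, which is exactly what the 403 complains about; FIXED_TRUST reports nothing missing.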