You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What happened:
When the Finala Docker container is configured to assume a cross-account IAM role, the role is only assumed for reading the resources (i.e. the ReadOnlyAccess policy), but not the pricing:* actions (i.e. the AWSPriceListServiceFullAccess policy).
What you expected to happen:
The assumed role is used for all actions.
How to reproduce it (as minimally and precisely as possible):
Have two AWS accounts (I'll call them local and remote, where local has Finala deployed, and remote is the account Finala scans).
On the local account create an IAM role allow-assume-role that has just a single permission for the sts:AssumeRole action (with * as Resource to keep it simple).
On the remote account create a cross-account IAM role finala-cross-account which trusts the local account, and attach the ReadOnlyAccess and AWSPriceListServiceFullAccess policies to it.
Generate temporary credentials using the allow-assume-role role - aws sts assume-role --role-arn "arn:aws:iam::111111111111:role/allow-assume-role" --role-session-name "test-assume".
Add the temporary credentials to docker-compose.yaml:
However, errors similar to the one below can be seen when it tries to perform any pricing action:
collector_1 | time="2020-12-17T10:50:02Z" level=error msg="could not describe pricing product" error="AccessDeniedException: User: <redacted> is not authorized to perform: pricing:GetProducts\n\tstatus code: 400, request id: e3b83592-f6c8-4a71-a287-a72830d399a7" search_query="{\n Filters: [{\n Field: \"productFamily\",\n Type: \"TERM_MATCH\",\n Value: \"Kinesis Streams\"\n },{\n Field: \"group\",\n Type: \"TERM_MATCH\",\n Value: \"Provisioned shard hour\"\n },{\n Field: \"location\",\n Type: \"TERM_MATCH\",\n Value: \"US East (N. Virginia)\"\n }],\n ServiceCode: \"AmazonKinesis\"\n}"
collector_1 | time="2020-12-17T10:50:02Z" level=error msg="Could not get shard price" error="AccessDeniedException: User: <redacted> is not authorized to perform: pricing:GetProducts\n\tstatus code: 400, request id: e3b83592-f6c8-4a71-a287-a72830d399a7"
Anything else we need to know?:
The errors can be avoided if the AWSPriceListServiceFullAccess policy is attached to the allow-assume-role role instead of the finala-cross-account role. I first discovered this issue when deploying Finala using the Helm chart into an EKS cluster that runs in one of our AWS accounts, and needs to scan a number of other ("remote") accounts.
Environment:
Finala version: v0.4.0
Cloud provider or hardware configuration: AWS EKS in production, Docker 20.10.0 in local reproduction.
OS (e.g: cat /etc/os-release):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.9.6
PRETTY_NAME="Alpine Linux v3.9"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
Kernel (e.g. uname -a): Linux 1d47d5c68b49 4.19.121-linuxkit #1 SMP Tue Dec 1 17:50:32 UTC 2020 x86_64 Linux
Install tools: docker-compose, Helm chart
Network plugin and version (if this is a network-related bug): N/A
Others: N/A
The text was updated successfully, but these errors were encountered:
What happened:
When the Finala Docker container is configured to assume a cross-account IAM role, the role is only assumed for reading the resources (i.e. the
ReadOnlyAccess
policy), but not thepricing:*
actions (i.e. theAWSPriceListServiceFullAccess
policy).What you expected to happen:
The assumed role is used for all actions.
How to reproduce it (as minimally and precisely as possible):
local
andremote
, wherelocal
has Finala deployed, andremote
is the account Finala scans).local
account create an IAM roleallow-assume-role
that has just a single permission for thests:AssumeRole
action (with*
asResource
to keep it simple).remote
account create a cross-account IAM rolefinala-cross-account
which trusts thelocal
account, and attach theReadOnlyAccess
andAWSPriceListServiceFullAccess
policies to it.allow-assume-role
role -aws sts assume-role --role-arn "arn:aws:iam::111111111111:role/allow-assume-role" --role-session-name "test-assume"
.docker-compose.yaml
:finala-cross-account
role toconfiguration/collector.yaml
:docker-compose up
.However, errors similar to the one below can be seen when it tries to perform any
pricing
action:Anything else we need to know?:
The errors can be avoided if the
AWSPriceListServiceFullAccess
policy is attached to theallow-assume-role
role instead of thefinala-cross-account
role. I first discovered this issue when deploying Finala using the Helm chart into an EKS cluster that runs in one of our AWS accounts, and needs to scan a number of other ("remote") accounts.Environment:
cat /etc/os-release
):uname -a
):Linux 1d47d5c68b49 4.19.121-linuxkit #1 SMP Tue Dec 1 17:50:32 UTC 2020 x86_64 Linux
docker-compose
, Helm chartThe text was updated successfully, but these errors were encountered: