v1.0.0-dev Lambda Client Error about pmapper HOT 7 CLOSED

The v1.0.0-dev branch pulls a list of regions to check with the following line of code (/principalmapper/graphing/lambda_edges.py).

            lambda_regions = self.session.get_available_regions('lambda')

I expected that the returned list would exclude disabled regions. I'll have to add an extra few lines of code instead. Should be fixed by 1.0.0 release.

The master branch has a hardcoded list of regions (which is not a good solution, but it prevented this issue ironically).

from pmapper.

Oooh, this smells like the issue in ScoutSuite/botocore surrounding the ap-east-1 region and regions that are disabled. I'll dig in more tonight.

from pmapper.

Could be! I haven't enabled any of the new regions on this account.

from pmapper.

I was able to reproduce with the following test script what is happening in lambda_edges.py.

import botocore.session
session = botocore.session.Session(profile='personal')
client = session.create_client('lambda', region_name='ap-east-1')
client.list_functions()

Error stack:

File "", line 1, in
File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/REDACTED_HOMEDIR/Library/Python/3.7/lib/python/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the ListFunctions operation: The security token included in the request is invalid.

from pmapper.

One more comment... A bit ago I was POCing an AWS Organizations SCP that would deny any API call outside of US regions. That wouldn't explicitly disable them (which only seems to work on regions launched after March 20, 2019), but API calls would still fail.

from pmapper.

Just pushed 6046c00 to fix this in v1.0.0-dev.

from pmapper.

Works great - thank you!

from pmapper.