I've reviewed #27 but it appears that I'm having the same issue.
Here are my steps to reproduce.
First, I'm using Docker version 19.03.8 on macOS:
jeremyturner: docker --version
Docker version 19.03.8, build afacb8b
I started the following container:
docker run -it --entrypoint /bin/ash hashicorp/terraform:latest
Changed to the home folder:
Installed pip3:
echo "**** install Python ****" && \
apk add --no-cache python3 && \
if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \
\
echo "**** install pip ****" && \
python3 -m ensurepip && \
rm -r /usr/lib/python*/ensurepip && \
pip3 install --no-cache --upgrade pip setuptools wheel && \
if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi
Installed lambdaguard:
~ # pip3 install lambdaguard
~ # lambdaguard -V
2.4.1
In my case, I'm using JumpCloud as the IdP to my AWS account so I'm using a tool called SAML2AWS:
CURRENT_VERSION=2.25.0
wget https://github.com/Versent/saml2aws/releases/download/v${CURRENT_VERSION}/saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz
tar -xzvf saml2aws_${CURRENT_VERSION}_linux_amd64.tar.gz -C /bin/
chmod u+x /bin/saml2aws
Here is what the configuration looks like (small typo with the profile name):
~ # saml2aws configure -a LambdaGuardProfile
? Please choose a provider: JumpCloud
? AWS Profile LamdaGuardProfile
? URL https://sso.jumpcloud.com/saml2/aws-test-admin
? Username [email protected]
account {
URL: https://sso.jumpcloud.com/saml2/aws-test-admin
Username: [email protected]
Provider: JumpCloud
MFA: Auto
SkipVerify: false
AmazonWebservicesURN: urn:amazon:webservices
SessionDuration: 3600
Profile: LamdaGuardProfile
RoleARN:
}
Configuration saved for IDP account: LambdaGuardProfile
Now I login to the IdP to configure my .aws/credentials
file:
~ # saml2aws login -a LambdaGuardProfile
Using IDP Account LambdaGuardProfile to access JumpCloud https://sso.jumpcloud.com/saml2/aws-test-admin
To use saved password just hit enter.
? Username [email protected]
? Password ************
Authenticating as [email protected] ...
? MFA Token 000000
Selected role: arn:aws:iam::XXXXXXXXXXXX:role/Admin
Requesting AWS credentials using SAML assertion
Logged in as: arn:aws:sts::XXXXXXXXXXXX:assumed-role/Admin/[email protected]
Your new access key pair has been stored in the AWS configuration
Note that it will expire at 2020-04-09 15:10:47 +0000 UTC
To use this credential, call the AWS CLI with the --profile option (e.g. aws --profile LamdaGuardProfile ec2 describe-instances).
Here we can confirm that the credentials are stored:
~ # cat .aws/credentials
[LamdaGuardProfile]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = BLAHBLAHETCETC
aws_security_token = BLAHBLAHETCETC
x_principal_arn = arn:aws:sts::XXXXXXXXXXXX:assumed-role/Admin/[email protected]
x_security_token_expires = 2020-04-09T15:10:47Z
When I run lambdaguard it seems to work:
~ # lambdaguard -v -p LamdaGuardProfile
`.::////::.`
./osssssoossssso/.
-osss/-` .-/ssso-
`osso- .++++: -osso`
`oss/ .//oss- /sss`
+ss+ -sss. /sso
.sss` .sssso` `sss. LambdaGuard v2.4.1
-sso :ssooss+ oss-
.sss` /ss+``oss/ `sss.
+ss+ `oss/ .sss/// /sso
`oss/`.oso- -ssso+./sso`
`+sso: .` -oss+`
-osss+-.` `.-+ssso-
./osssssssssssso/.
`.-:////:-.`
Loading regions (ap-east-1)
Loading regions (ap-northeast-1)
Loading regions (ap-northeast-2)
Loading regions (ap-south-1)
Loading regions (ap-southeast-1)
Loading regions (ap-southeast-2)
<snip>
Loading identity
UserId......... AKIAIOSFODNN7EXAMPLE:[email protected]
Account........ XXXXXXXXXXX
Arn............ arn:aws:sts::XXXXXXXXXXX:assumed-role/Admin/[email protected]
[ 1/20 ] somethingsomethingFunction01
[ 1/20 ] somethingsomethingFunction02
<snip>
<snip>
Security....... 0
Triggers....... 0
Resources...... 0
Layers......... 0
Runtimes....... 0
Regions........ 0
Report......... lambdaguard_output/report.html
Log............ lambdaguard_output/lambdaguard.log
However, when I view the lambdaguard.log
I get:
[2020-04-09 14:12] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 63, in get_function
if self.identity.acl.allowed("lambda:GetFunction"):
File "/usr/lib/python3.8/site-packages/lambdaguard/utils/acl.py", line 97, in allowed
simulation_results = self.client.simulate_custom_policy(
File "/usr/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python3.8/site-packages/botocore/client.py", line 612, in _make_api_call
http, parsed_response = self._make_request(
File "/usr/lib/python3.8/site-packages/botocore/client.py", line 632, in _make_request
return self._endpoint.make_request(operation_model, request_dict)
File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 102, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 132, in _send_request
request = self.create_request(request_dict, operation_model)
File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 115, in create_request
self._event_emitter.emit(event_name, request=request,
File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 356, in emit
return self._emitter.emit(aliased_event_name, **kwargs)
File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 228, in emit
return self._emit(event_name, kwargs)
File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 211, in _emit
response = handler(**kwargs)
File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 90, in handler
return self.sign(operation_name, request)
File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 160, in sign
auth.add_auth(request)
File "/usr/lib/python3.8/site-packages/botocore/auth.py", line 357, in add_auth
raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
[2020-04-09 14:12] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 192, in get_security
self.report(),
File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 216, in report
'role': self.role.arn.full,
AttributeError: 'NoneType' object has no attribute 'arn'
So I tried again but this time by creating an AWS IAM user with an Access and Secret Key:
~ # lambdaguard -v -p LamdaGuardProfile
`.::////::.`
./osssssoossssso/.
-osss/-` .-/ssso-
`osso- .++++: -osso`
`oss/ .//oss- /sss`
+ss+ -sss. /sso
.sss` .sssso` `sss. LambdaGuard v2.4.1
-sso :ssooss+ oss-
.sss` /ss+``oss/ `sss.
+ss+ `oss/ .sss/// /sso
`oss/`.oso- -ssso+./sso`
`+sso: .` -oss+`
-osss+-.` `.-+ssso-
./osssssssssssso/.
`.-:////:-.`
Loading regions (ap-east-1)
Loading regions (ap-northeast-1)
Loading regions (ap-northeast-2)
<snip>
<snip>
Loading identity
UserId......... AIDATQ2EXAMPLEBLAHETC
Account........ XXXXXXXXXXXX
Arn............ arn:aws:iam::XXXXXXXXXXXX:user/lambdaguard
[ 1/20 ] somethingsomethingFunction01
[ 1/20 ] somethingsomethingFunction02
<snip>
Lambdas........ 0
Security....... 0
Triggers....... 0
Resources...... 0
Layers......... 0
Runtimes....... 0
Regions........ 0
Report......... lambdaguard_output/report.html
Log............ lambdaguard_output/lambdaguard.log
I'm getting the same error in the logs:
[2020-04-09 14:54] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 63, in get_function
if self.identity.acl.allowed("lambda:GetFunction"):
File "/usr/lib/python3.8/site-packages/lambdaguard/utils/acl.py", line 97, in allowed
simulation_results = self.client.simulate_custom_policy(
File "/usr/lib/python3.8/site-packages/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python3.8/site-packages/botocore/client.py", line 612, in _make_api_call
http, parsed_response = self._make_request(
File "/usr/lib/python3.8/site-packages/botocore/client.py", line 632, in _make_request
return self._endpoint.make_request(operation_model, request_dict)
File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 102, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 132, in _send_request
request = self.create_request(request_dict, operation_model)
File "/usr/lib/python3.8/site-packages/botocore/endpoint.py", line 115, in create_request
self._event_emitter.emit(event_name, request=request,
File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 356, in emit
return self._emitter.emit(aliased_event_name, **kwargs)
File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 228, in emit
return self._emit(event_name, kwargs)
File "/usr/lib/python3.8/site-packages/botocore/hooks.py", line 211, in _emit
response = handler(**kwargs)
File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 90, in handler
return self.sign(operation_name, request)
File "/usr/lib/python3.8/site-packages/botocore/signers.py", line 160, in sign
auth.add_auth(request)
File "/usr/lib/python3.8/site-packages/botocore/auth.py", line 357, in add_auth
raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
[2020-04-09 14:54] [arn:aws:lambda:ap-northeast-1:XXXXXXXXXXXX:function:somethingsomethingFunction01]
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 192, in get_security
self.report(),
File "/usr/lib/python3.8/site-packages/lambdaguard/core/Lambda.py", line 216, in report
'role': self.role.arn.full,
AttributeError: 'NoneType' object has no attribute 'arn'
I thought maybe the problem was that I didn't have the AWS CLI installed so I tried that:
~ # pip install awscli
Collecting awscli
<snip>
~ # aws --version
aws-cli/1.18.39 Python/3.8.2 Linux/4.19.76-linuxkit botocore/1.15.39
However, the results are the same.
Perhaps I'm missing something simple?
Note that for the first assume role profile my IAM policy is full administrator and for the second IAM user with Access Key and Secret, the IAM policy was the AWS managed ReadOnlyAccess
IAM policy.