BishopFox/cloudfox

Cloudfox throws an AssumeRoleTokenProvider error when I use an assumed IAM role

Closed this issue · 7 comments

Description of Bug

I'm trying to call a profile with an assumed IAM role when using Cloudfox and I'm getting an 'AssumeRoleTokenProvider' error. Is there a preferred way to call an assumed-role profile with Cloudfox other than what's suggested by AWS here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

Here is my ~/.aws/config

[profile client-cli-admin]
role_arn = arn:aws:iam::REDACTED:role/AdminRole
source_profile = client-cli-audit
mfa_serial = arn:aws:iam::REDACTED:mfa/6mile-mfa
region = ap-southeast-2

And here's my ~/.aws/credentials file:

[client-cli-audit]
aws_access_key_id = REDACTED
aws_secret_access_key = REDACTED

6mile Demo ~/projects/security-audits/client % cloudfox aws buckets --profile client-cli-admin
assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x20cc6e3]

goroutine 1 [running]:
github.com/BishopFox/cloudfox/internal.AWSConfigFileLoader({_, _}, {_, _})
	github.com/BishopFox/cloudfox/internal/aws.go:41 +0x303
github.com/BishopFox/cloudfox/internal.AWSWhoami({0x20ce2f997, 0xf}, {0x5ea277b, 0x6})
	github.com/BishopFox/cloudfox/internal/aws.go:53 +0x45
github.com/BishopFox/cloudfox/cli.awsPreRun(0xc0002eb900?, {0x5ea0272?, 0x4?, 0x5ea0276?})
	github.com/BishopFox/cloudfox/cli/aws.go:484 +0x188
github.com/spf13/cobra.(*Command).execute(0x81604e0, {0xc0006a7a60, 0x2, 0x2})
	github.com/spf13/cobra@v1.7.0/command.go:929 +0x7d1
github.com/spf13/cobra.(*Command).ExecuteC(0x815fc40)
	github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.7.0/command.go:992
main.main()
	github.com/BishopFox/cloudfox/main.go:19 +0x51

My setup works when I use the AWS CLI itself and I can use the profile that assumes an IAM role, but that same thing doesn't appear to happen with Cloudfox.

6mile Demo ~/projects/security-audits/client % aws s3 ls --profile client-cli-admin
2021-09-14 13:47:02 REDACTED
2023-04-18 17:51:43 REDACTED
2022-07-22 11:30:21 REDACTED

What should the expected behavior be

I should be able to run the Cloudfox command successfully.

Steps to Reproduce

Try calling Cloudfox with an assumed role in AWS and see if it works.

Additional context

macOS, AWS CLI version 2.0.62

Relevant screenshots

Working AWS CLI commands via assumed role:

Screenshot 2023-12-06 at 2 06 05 pm

Cloudfox errors out when I try using the same assumed role:
Screenshot 2023-12-06 at 11 27 05 am

Thanks for reporting this! We use source_profile and assumed roles all the time, and I just confirmed locally that it works... but based on the error in your last screenshot I'm thinking that this has to do with the mfa_serial. I'm wondering if this means we're not grabbing everything we need from the AssumeRoleTokenProvider. I'll look into this. Thanks for such a detailed report.

OK, yeah, I think I figured it out. Going to push something to seth-dev in a minute.

@6mile - Can you try it again with the seth-dev branch?

git clone git@github.com:BishopFox/cloudfox.git
cd cloudfox
git checkout seth-dev
go build .
./cloudfox aws buckets --profile client-cli-admin

Thanks!

Heya @sethsec-bf, thanks for jumping on that! Unfortunately, I'm getting a different error now, and I'm not being prompted for MFA, but I feel like we are getting closer...

[🦊 cloudfox v1.13.0-prerelease 🦊 ][client-cli-admin] Error retrieving credentials from environment variables, or the instance metadata service.
[🦊 cloudfox v1.13.0-prerelease 🦊 ][client-cli-admin] Could not get caller's identity

Error: operation error STS: GetCallerIdentity, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 400, RequestID: 071a1a4f-04b2-43d9-b678-b88accb36cfa, api error ValidationError: 2 validation errors detected: Value 'theTokenCode' at 'tokenCode' failed to satisfy constraint: Member must have length less than or equal to 6; Value 'theTokenCode' at 'tokenCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [\d]*

@6mile - Can you give it another try with the latest code in seth-dev?

I added a new flag, --mfa-token, that you can use, but you can also just not use it and it should prompt you. Feel free to try both and let me know how it works?
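As an added illustration of the two behaviours described in this comment (a --mfa-token flag, or a prompt when it is absent), the following is example code written for this page; it is not cloudfox's code and not the seth-dev change. It builds a standard-library Go token provider with the same func() (string, error) shape that aws-sdk-go-v2's stscreds.AssumeRoleOptions.TokenProvider expects, and it validates the code against the two STS constraints quoted in the ValidationError above (at most 6 characters, digits only) before any AssumeRole call would be made, so a placeholder such as 'theTokenCode' fails locally with a clear message instead of as an STS 400. The flag name, the prompt wording, the mfa_serial value used in main and the constructed stdin input are assumptions.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// stsTokenCodePattern mirrors the constraints STS reported in the thread:
// TokenCode must be at most 6 characters and match [\d]*. In practice a TOTP
// code is exactly 6 digits, so that is what we accept.
var stsTokenCodePattern = regexp.MustCompile(`^[0-9]{6}$`)

// ValidateTokenCode rejects a token before it ever reaches STS, so a
// placeholder like "theTokenCode" fails here instead of as an AssumeRole
// ValidationError after a network round trip.
func ValidateTokenCode(code string) error {
	code = strings.TrimSpace(code)
	if !stsTokenCodePattern.MatchString(code) {
		return fmt.Errorf("invalid MFA token %q: must be exactly 6 digits", code)
	}
	return nil
}

// NewMFATokenProvider returns a func() (string, error) with the shape of
// stscreds.AssumeRoleOptions.TokenProvider in aws-sdk-go-v2. flagValue is the
// value of a hypothetical --mfa-token flag; when it is empty the user is
// prompted once on in. mfaSerial is only used to make the prompt informative.
func NewMFATokenProvider(flagValue string, in io.Reader, out io.Writer, mfaSerial string) func() (string, error) {
	return func() (string, error) {
		if flagValue != "" {
			if err := ValidateTokenCode(flagValue); err != nil {
				return "", err
			}
			return strings.TrimSpace(flagValue), nil
		}
		fmt.Fprintf(out, "Assume Role MFA token code for %s: ", mfaSerial)
		// ReadString returns the partial line together with io.EOF when the
		// input has no trailing newline; treat that as a complete answer.
		line, err := bufio.NewReader(in).ReadString('\n')
		if err != nil && !errors.Is(err, io.EOF) {
			return "", fmt.Errorf("reading MFA token: %w", err)
		}
		code := strings.TrimSpace(line)
		if err := ValidateTokenCode(code); err != nil {
			return "", err
		}
		return code, nil
	}
}

// In a real tool the provider is what the SDK's shared-config loader needs in
// order to honour mfa_serial on a source_profile-based role (assumption: the
// caller already has ctx and profile), e.g.
//
//	cfg, err := config.LoadDefaultConfig(ctx,
//	    config.WithSharedConfigProfile(profile),
//	    config.WithAssumeRoleCredentialOptions(func(o *stscreds.AssumeRoleOptions) {
//	        o.TokenProvider = NewMFATokenProvider(mfaTokenFlag, os.Stdin, os.Stderr, mfaSerial)
//	    }))
//
// Without a TokenProvider the loader fails with exactly the message in the
// first report: "assume role with MFA enabled, but AssumeRoleTokenProvider
// session option not set."

func main() {
	const serial = "arn:aws:iam::123456789012:mfa/example" // assumed value

	// Constructed stdin so the demo runs offline; a real run would pass os.Stdin.
	prompted := NewMFATokenProvider("", strings.NewReader("123456\n"), os.Stdout, serial)
	code, err := prompted()
	fmt.Println()
	fmt.Printf("prompted: code=%q err=%v\n", code, err)

	// The --mfa-token path, first with a valid code and then with the
	// placeholder that STS rejected in the thread.
	code, err = NewMFATokenProvider("654321", os.Stdin, os.Stdout, serial)()
	fmt.Printf("flag: code=%q err=%v\n", code, err)
	_, err = NewMFATokenProvider("theTokenCode", os.Stdin, os.Stdout, serial)()
	fmt.Printf("flag (placeholder): err=%v\n", err)
}
```

The provider is deliberately a closure rather than a struct so that it can be handed straight to the SDK option; validating before returning means a bad code is reported once, locally, rather than surfacing as a 400 from STS wrapped in three layers of credential-refresh errors as in the second report.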

Heya @sethsec-bf, that fixed it. Thanks!

Closing issue #65

I realized that I hadn't tested all scenarios: not using --mfa-token and supplying the token when I'm prompted; using --mfa-token and supplying the MFA token as a string on the command line; and finally, with no MFA.
All three appear to work, so I will re-close the issue.