Specifying a different profile via the command line leads to a Frankenstein's monster of a report.

Question

Specifying a different profile via the command line leads to a Frankenstein's monster of a report.

grettir opened this issue 8 years ago · 3 comments

If you try to generate a report for a different (i.e. non-default) AWS profile using the the --profile command line option, like this…:

python ./aws-cis-foundation-benchmark-checklist.py --profile test

…you end up with a hybrid, multi-profile, Frankenstein's monster of a report.

Using the example above, the EC2-related sections of the resulting report would be based (correctly) on data from the [test] profile.

But no matter which profile you specify on the command line, the IAM- and S3-related sections of the report are always based (incorrectly) on data from the [default] profile.

Possible Explanation

I've tried digging into the code, and I think the problem is that the low-level service clients for IAM and S3 are created at the very beginning of the script, like so:

IAM_CLIENT = boto3.client('iam')
S3_CLIENT = boto3.client('s3')

But, since the script hasn't even gotten around parsing the command-line arguments yet, those two service clients are created using (and thus use) the [default] profile.

Then, much later on, the command-line arguments are parsed and the script tells boto3 to use the profile we specified on the command line as the new default:

    if not profile_name == "":
        try:
            boto3.setup_default_session(profile_name=profile_name)

…and then the EC2 service client is created using that new (correct) default profile:

    try:
        client = boto3.client('ec2')

If I manually specify the correct profile to use before the IAM and S3 service clients are created, like so:

boto3.setup_default_session(profile_name='test')
IAM_CLIENT = boto3.client('iam')
S3_CLIENT = boto3.client('s3')

…then the resulting report correctly reflects data from the [test] profile throughout.

I'm not a programmer, so that explanation could be absolute rubbish, but I've tested and retested and that's the only hypothesis I've been able to come up with that explains the behavior I'm seeing.

Answer 1 · 2017-01-24T22:13:16.000Z

Looking into this, thanks for reporting

Answer 2 · 2017-01-24T22:14:27.000Z

Thanks!

I should note that I discovered the problem because at first I wasn't able to run the script at all. It would throw a botocore.exceptions.NoCredentialsError: Unable to locate credentials error and die.

That's because I don't have a [default] profile set up in my ~/.aws/credentials file (for safety reasons). And, even though I was telling it which profile to use, the script was still trying to pull 2/3 of its data from the (non-existant) [default] profile.

Answer 3 · 2017-01-26T17:29:24.000Z

The latest push solves this since I verify if you are using a custom profile and reinitiate the global clients