Querying for global resources in library mode uses the default AWS Session instead of the externalcreds configuration
Closed this issue · 0 comments
dixneuf19 commented
Hi,
I am building some tooling around this project to automatically clean up some AWS accounts in our AWS Organization. For this, I used aws-go-sdk and this project as a library to:
- Connect using an IAM user in our organization root account; let's call this account ROOT.
- Using the `OrganizationAccountAccessRole` role in the children AWS accounts, I assume this role one by one in all children AWS accounts (A, B, C...).
- Then I run `cloud-nuke` as a library in each sub account, one by one. Since the library uses `aws-go-sdk` v1, I manually create the AWS configuration for this sub account from the result of the `sts.AssumeRole` function.
Here is a simplified example:

```go
import (
	"context"
	"fmt"

	// Import paths matching the aliases used below.
	aws_v1 "github.com/aws/aws-sdk-go/aws"
	credentials_v1 "github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	nuke_aws "github.com/gruntwork-io/cloud-nuke/aws"
	"github.com/gruntwork-io/cloud-nuke/externalcreds"
)

// Assume OrganizationAccountAccessRole in the child account (SDK v2 STS client).
roleARN := fmt.Sprintf("arn:aws:iam::%s:role/OrganizationAccountAccessRole", *account.Id)
sessionName := "cloud-nuker"
fmt.Printf("Assuming role %s in account %s\n", roleARN, *account.Name)
result, err := stsClient.AssumeRole(context.TODO(), &sts.AssumeRoleInput{
	RoleArn:         &roleARN,
	RoleSessionName: &sessionName,
})
if err != nil {
	return err
}
// ...
// Build an SDK v1 config carrying the temporary credentials and hand it to cloud-nuke.
myCustomConfig := &aws_v1.Config{}
myCustomConfig.WithMaxRetries(3)
myCustomConfig.WithLogLevel(aws_v1.LogDebugWithRequestErrors)
myCustomConfig.WithCredentials(credentials_v1.NewStaticCredentials(
	*result.Credentials.AccessKeyId,
	*result.Credentials.SecretAccessKey,
	*result.Credentials.SessionToken,
))
externalcreds.Set(myCustomConfig)
// ....
// Inventory the child account through the library API.
accountResources, err := nuke_aws.GetAllResources(
	regions,
	excludeAfter,
	resourceTypes,
	configObj,
	allowDeleteUnaliasedKeys,
)
if err != nil {
	return err
}
// ...
nukableResources := nuke_aws.ExtractResourcesForPrinting(accountResources)
fmt.Printf("The following %d AWS resources will be nuked:\n", len(nukableResources))
for _, resource := range nukableResources {
	fmt.Printf(" - %s\n", resource)
}
```
While debugging it, I noticed that:
- for regional resources (S3, EC2, etc...) the resources from child account A are listed ✔️
- for global resources such as IAM, the resources from root account ROOT are listed ❎
I have investigated this project's source code and I think I found the bug (I'll link a PR). It seems that #326 only partially implemented support for a custom config in AWS sessions:
- It uses the session from externalcreds for regional resources ✔️ (Line 227 in 298cd6a)
- It uses another function for global resources, which does not use the externalcreds config ❎ (Line 1690 in 298cd6a)

Therefore, for global resources, cloud-nuke uses my local creds (for the root account) instead of the supplied config for the children accounts.
I fixed this bug on my fork; I'll send a PR right away.
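A pre-flight guard for the workflow described in this issue, added here as an example and not part of the issue or of cloud-nuke: it extracts the account ID from the role ARN that was assumed and from the ARN the supplied credentials resolve to (in real use, the `Arn` field returned by `sts:GetCallerIdentity` called with the same static credentials passed to `externalcreds.Set`), and refuses to continue when they differ, so a session that silently fell back to the ROOT account's default credentials cannot reach a destructive call. The ARNs below are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// accountFromARN returns the 12-digit account ID of an AWS ARN
// (arn:partition:service:region:account:resource). It works for both the
// IAM role ARN we assume and the STS assumed-role ARN the caller identity reports.
func accountFromARN(arn string) (string, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return "", fmt.Errorf("malformed ARN %q", arn)
	}
	acct := parts[4]
	if len(acct) != 12 {
		return "", fmt.Errorf("ARN %q has no 12-digit account ID", arn)
	}
	for _, r := range acct {
		if r < '0' || r > '9' {
			return "", fmt.Errorf("ARN %q has non-numeric account ID %q", arn, acct)
		}
	}
	return acct, nil
}

// checkTargetAccount confirms that the identity our credentials resolve to
// (callerARN) lives in the account of the role we meant to assume (roleARN).
// A mismatch means the default credential chain leaked into the session.
func checkTargetAccount(roleARN, callerARN string) error {
	want, err := accountFromARN(roleARN)
	if err != nil {
		return err
	}
	got, err := accountFromARN(callerARN)
	if err != nil {
		return err
	}
	if want != got {
		return fmt.Errorf("credentials resolve to account %s, expected %s: refusing to nuke", got, want)
	}
	return nil
}

func main() {
	// Constructed sample ARNs: a child account role and two possible caller identities.
	role := "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"
	okCaller := "arn:aws:sts::111111111111:assumed-role/OrganizationAccountAccessRole/cloud-nuker"
	badCaller := "arn:aws:iam::999999999999:user/root-account-operator"
	fmt.Println(checkTargetAccount(role, okCaller))  // <nil>
	fmt.Println(checkTargetAccount(role, badCaller)) // account mismatch error
}
```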