Multi-Account Scan Strips Leading Zeros From Account ID
jamesrenaud opened this issue · 3 comments
I'm running a multi-account scan using the YML input format (using example account IDs for safety):
cloudsplaining scan-multi-account --config ./dist/prod-accounts.yml --role-name SecurityAuditor -o ./dist/cs-out --write-data-file
My YML is in the following format:
accounts:
sample_account: 01234567891I'm receiving an error failing to assume the role, as the Arn is missing the leading zero from the account Id:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123EXAMPLE:user[/my.user]()@mydomain.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234567891:role[/SecurityAuditor]()
As you can see, the target role has stripped 0 from 01234567891.
Here's the entire stack trace
Scanning account: sample_account (ID: 1234567891)
Traceback (most recent call last):
File "/usr/local/bin/cloudsplaining", line 33, in <module>
sys.exit(load_entry_point('cloudsplaining==0.4.10', 'console_scripts', 'cloudsplaining')())
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/cloudsplaining/bin/cli.py", line 34, in main
cloudsplaining()
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/click/core.py", line 1128, in __call__
return self.main(*args, **kwargs)
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/click/core.py", line 1053, in main
rv = self.invoke(ctx)
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/click/core.py", line 1659, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/click/core.py", line 1395, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/click/core.py", line 754, in invoke
return __callback(*args, **kwargs)
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/cloudsplaining/command/scan_multi_account.py", line 74, in scan_multi_account
scan_accounts(
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/cloudsplaining/command/scan_multi_account.py", line 100, in scan_accounts
results = scan_account(
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/cloudsplaining/command/scan_multi_account.py", line 164, in scan_account
account_authorization_details = download_account_authorization_details(
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/cloudsplaining/command/scan_multi_account.py", line 183, in download_account_authorization_details
) = aws_login.get_target_account_credentials(
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/cloudsplaining/shared/aws_login.py", line 93, in get_target_account_credentials
acct_b = sts_client.assume_role(
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/botocore/client.py", line 391, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/Cellar/cloudsplaining/0.4.10/libexec/lib/python3.9/site-packages/botocore/client.py", line 719, in _make_api_call
raise error_class(parsed_response, operation_name)
@jamesrenaud - I believe this is an issue with how PyYAML reads the account ID - it reads that account as an integer, not a string.
To fix - I suggest setting your account IDs in quotes:
accounts:
sample_account: "01234567891"If that doesn't work, feel free to re-open :)
Was in the process of typing this when @kmcquade answered the same thing :)
If anyone else runs into this, I resolved it by wrapping the AWS Account ID in quotes in the YAML output.
accounts:
sample_account: '01234567891'It might be worth updating the output of cloudsplaining create-multi-account-config-file to wrap the account IDs in quotes.