
Comments (7)

joshlarsen commented on July 28, 2024

Hi @thejazzid, can you describe your environment a little more? Specifically, can you describe the steps you are taking to authenticate and assume the role? We will try to reproduce it to test.

from aws-recon.

thejazzid commented on July 28, 2024

Hi @joshlarsen, sorry it took some time.
First of all, thanks a lot for the tool.
The environment is a little bit tricky.
But for the aws_recon tool it should not be too complicated. aws_recon is called from a Python script with specific environment variables for credentials. Here is a sample of the code:

    import os
    import subprocess

    # Copy the parent environment and inject the assumed-role credentials
    temp_env = os.environ.copy()
    temp_env['AWS_ACCESS_KEY_ID'] = credentials.access_key
    temp_env['AWS_SECRET_ACCESS_KEY'] = credentials.secret_key
    temp_env['AWS_SESSION_TOKEN'] = credentials.token
    temp_env['AWS_DEFAULT_REGION'] = master_reg
    # Run aws_recon with the temporary environment, excluding the failing services
    subprocess.run(['/Users/{USERNAME}/.rvm/gems/ruby-2.6.5/bin/aws_recon', '-v', '-o', file_name, '-x',
                    'IAM,CloudTrail,Support,CodePipeline,KMS'], env=temp_env)

Those credentials are the result of an assume-role operation for a specific role inside a specific account, with the AWS managed read-only policy attached to that role.
As you can see, I had to exclude some of the services, as they are failing. In general the tool runs fine across most resources and is able to collect, but not all. It could be a question of permissions, but the errors I'm getting are not specific about the type of access; it could be due to the AWS SDK itself. But the strangest thing is the wrong account ID in the ARN, which I have not figured out yet.
I will continue researching the permissions and will report any findings.

joshlarsen commented on July 28, 2024

I am separating these into two different issues. The IAM issue is now in #66.

joshlarsen commented on July 28, 2024

@thejazzid is the trail an organizational trail? Multi-region?

thejazzid commented on July 28, 2024

Hi @joshlarsen, yes, the CloudTrail is a global, organization-level CloudTrail.

stale commented on July 28, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

PercussiveElbow commented on July 28, 2024

I've run into this exact issue - for reference, this seems to be an inherent thing with the AWS SDK/CLI.

An account in an organisation (with the relevant CloudTrail read permissions) can call describe_trails without issue, which will return whatever trail that account logs to, but it will return errors complaining that the trail is in another account when calling specific methods like list_tags, get_event_selectors, get_trail_status etc.

There might be a workaround for this if the permissions for those are manually assigned on the org account with the trail in it, but I've worked around this in a hacky way by modifying https://github.com/joshlarsen/aws-recon/blob/main/lib/aws_recon/collectors/cloudtrail.rb to skip these additional methods if the account ID in the trail ARN mismatches the current calling account ID.
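The skip-on-mismatch workaround described in the comment above, as an added Ruby example that is neither aws-recon's own collector nor PercussiveElbow's patch. `collect_trails`, `FakeCloudTrailClient` and the sample ARNs are constructed for illustration; in real use the caller's account ID would come from sts:GetCallerIdentity and the client would be an `Aws::CloudTrail::Client`.

```ruby
# Added example, not aws-recon's code: skip the per-trail CloudTrail calls
# (get_trail_status, get_event_selectors, list_tags) when the account in the
# trail ARN differs from the calling account; keep describe_trails data only.
TRAIL_ARN = %r{\Aarn:aws[\w-]*:cloudtrail:[a-z0-9-]*:(?<account>\d{12}):trail/.+\z}

# 12-digit account ID embedded in a trail ARN, or nil if it does not parse.
def trail_account_id(arn)
  m = TRAIL_ARN.match(arn.to_s)
  m && m[:account]
end

# True for trails owned by another account (an organization trail owned by
# the management account, for instance) and for unparseable ARNs.
def foreign_trail?(arn, caller_account_id)
  owner = trail_account_id(arn)
  owner.nil? || owner != caller_account_id
end

# Collector sketch (hypothetical shape): `client` must respond to
# describe_trails and get_trail_status; `caller_account_id` would come from
# sts:GetCallerIdentity in real use.
def collect_trails(client, caller_account_id)
  client.describe_trails.map do |trail|
    arn = trail[:trail_arn]
    record = { name: trail[:name], arn: arn, skipped: false }
    if foreign_trail?(arn, caller_account_id)
      record[:skipped] = true # cross-account: the detail call would fail
    else
      record[:status] = client.get_trail_status(arn)
    end
    record
  end
end

# Constructed stand-in for the SDK client: raises for trails in other
# accounts, mimicking the errors described in the thread. Sample data only.
class FakeCloudTrailClient
  def initialize(own_account)
    @own = own_account
  end
  def describe_trails
    [{ name: 'org-trail', trail_arn: 'arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail' },
     { name: 'local-trail', trail_arn: "arn:aws:cloudtrail:us-east-1:#{@own}:trail/local-trail" }]
  end
  def get_trail_status(arn)
    raise "constructed error: #{arn} belongs to another account" if foreign_trail?(arn, @own)
    { is_logging: true }
  end
end
```

Trails the caller does not own are still listed, just without the detail fields, so the output makes the gap visible instead of aborting the collector.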
