
Comments (11)

scriptsrc commented on September 22, 2024

So Aardvark seems to have the data, but there's something broken with how repokid is querying aardvark?

In repokid's config.json, what value do you have for aardvark_api_location ?

Should be something like:

"https://<aardvarkhost>/api/1/advisors"

from repokid.

scriptsrc commented on September 22, 2024

That's weird. Does it just fail on one role or on all roles?

Were there any errors when Aardvark was updating?

If you open the AWS console and view the access advisor data for this role, what does it show?

royere commented on September 22, 2024

I have some errors at the end of aardvark update, and at repokid update as well, but the aardvark database is filled with data. Here is an output of what I do (I installed aardvark & repokid on the same ec2 instance).

[ec2-user@ip-172-31-42-155 ~]$ workon aardvark
(aardvark)[ec2-user@ip-172-31-42-155 ~]$ cd aardvark/
(aardvark)[ec2-user@ip-172-31-42-155 aardvark]$ aardvark update -a [HiddenAccount]
2017-06-19 20:19:08,467 INFO: Thread #1 updating account [HiddenAccount] with all arns [in /home/ec2-user/aardvark/aardvark/manage.py:43]
2017-06-19 20:19:54,729 DEBUG: Phantom Output: 
Successfully logged in
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/MyPowerUser
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/NetFlix-LeastPriviledge
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/lambda_config_execution_role
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/service-role/MyroleforLambda
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/aardvark
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/MyAdmin
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/admin
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/AwsSecurityAudit
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/RepokidRole
[Snipped some accounts]
>>> Generating Report for arn:aws:iam::[HiddenAccount]:role/GatedGardenAudit
>>> Object arn:aws:iam::[HiddenAccount]:role/MyPowerUser is not yet complete. NOT_STARTED
>>> Object arn:aws:iam::[HiddenAccount]:role/MyPowerUser is not yet complete. IN_PROGRESS
>>> Checking Job Status for 98ae6101-57df-4cd4-5e65-e7b371422604     arn:aws:iam::[HiddenAccount]:role/aardvark
>>> Checking Job Status for 0aae6101-57fd-0fc8-fb36-789c9863ba05     arn:aws:iam::[HiddenAccount]:role/GatedGardenAudit
>>> Checking Job Status for 38ae6101-57fc-b090-c253-da8fb048a162     arn:aws:iam::[HiddenAccount]:role/NetFlix-LeastPriviledge
>>> Checking Job Status for f4ae6101-5805-32c3-0e45-1abb6f555dd7     arn:aws:iam::[HiddenAccount]:role/RepokidRole
>>> Checking Job Status for c2ae6101-5801-86bc-cc95-5badecd00a51     arn:aws:iam::[HiddenAccount]:role/MyPowerUser
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/aardvark is COMPLETED
>>> Checking Job Status for 48ae6101-5857-6b25-7d0d-793ce0a44b54     arn:aws:iam::[HiddenAccount]:role/lambda_config_execution_role
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/NetFlix-LeastPriviledge is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/GatedGardenAudit is COMPLETED
>>> Checking Job Status for faae6101-586c-69cd-aa35-51265f46bb1f     arn:aws:iam::[HiddenAccount]:role/service-role/config-role-eu-west-1
>>> Checking Job Status for 40ae6101-586b-121b-f0f3-732d58b1f3b4     arn:aws:iam::[HiddenAccount]:role/MyAdmin
>>> Checking Job Status for 26ae6101-5872-b86e-c311-b3f6d3548fea     arn:aws:iam::[HiddenAccount]:role/service-role/MyroleforLambda
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/RepokidRole is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/MyPowerUser is COMPLETED
>>> Checking Job Status for ecae6101-5876-f2ce-bf74-4b4dc9941531     arn:aws:iam::[HiddenAccount]:role/service-role/AmazonAppStreamServiceAccess
>>> Checking Job Status for 28ae6101-5877-ce10-5ad5-17652c68895c     arn:aws:iam::[HiddenAccount]:role/AwsSecurityAudit
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/lambda_config_execution_role is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/service-role/MyroleforLambda is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/service-role/config-role-eu-west-1 is COMPLETED
>>> Checking Job Status for e4ae6101-58e1-9ffd-69fa-1328dae46272     arn:aws:iam::[HiddenAccount]:role/service-role/ApplicationAutoScalingForAmazonAppStreamAccess
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/MyAdmin is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/service-role/AmazonAppStreamServiceAccess is COMPLETED
>>> Checking Job Status for b8ae6101-58eb-deee-29f6-deec85b1bdc1     arn:aws:iam::[HiddenAccount]:role/admin
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/AwsSecurityAudit is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/service-role/ApplicationAutoScalingForAmazonAppStreamAccess is COMPLETED
>>> Job Status for arn:aws:iam::[HiddenAccount]:role/admin is COMPLETED
[Snipped some accounts again for confidentiality]
>>> COMPLETE
 [in /home/ec2-user/aardvark/aardvark/updater/__init__.py:120]
2017-06-19 20:19:54,730 DEBUG: Phantom Errors: 
None [in /home/ec2-user/aardvark/aardvark/updater/__init__.py:121]
2017-06-19 20:19:54,730 INFO: PhantomJS exited: 0 [in /home/ec2-user/aardvark/aardvark/updater/__init__.py:130]
2017-06-19 20:19:54,730 INFO: Thread #1 persisting data for account [HiddenAccount] [in /home/ec2-user/aardvark/aardvark/manage.py:55]
(aardvark)[ec2-user@ip-172-31-42-155 aardvark]$ workon repokid
(repokid)[ec2-user@ip-172-31-42-155 aardvark]$ cd ../repokid/
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ repokid update_role_cache [HiddenAccount]
Loaded config from /home/ec2-user/repokid/config.json
2017-06-19 20:20:42,712 INFO: Updating role data for account [HiddenAccount] [in /home/ec2-user/repokid/repokid/repokid.py:202]
100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 16/16 [00:04<00:00,  4.08it/s]
2017-06-19 20:20:46,833 INFO: Finding inactive accounts [in /home/ec2-user/repokid/repokid/repokid.py:208]
2017-06-19 20:20:46,842 INFO: Filtering roles [in /home/ec2-user/repokid/repokid/repokid.py:211]
2017-06-19 20:20:46,842 INFO: Loaded plugin repokid.filters.age:AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:180]
2017-06-19 20:20:46,843 INFO: Loaded plugin repokid.filters.lambda:LambdaFilter [in /home/ec2-user/repokid/repokid/repokid.py:180]
2017-06-19 20:20:46,843 INFO: Loaded plugin repokid.filters.blacklist:BlacklistFilter [in /home/ec2-user/repokid/repokid/repokid.py:180]
2017-06-19 20:20:46,843 INFO: Role aardvark created too recently to cleanup. (2017-06-16 08:55:11+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,844 INFO: Role AmazonAppStreamServiceAccess created too recently to cleanup. (2017-04-11 10:10:18+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,844 INFO: Role ApplicationAutoScalingForAmazonAppStreamAccess created too recently to cleanup. (2017-04-11 10:10:18+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,844 INFO: Role config-role-eu-west-1 created too recently to cleanup. (2017-04-04 13:44:01+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,844 INFO: Role lambda_config_execution_role created too recently to cleanup. (2017-04-04 13:39:32+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,844 INFO: Role MyAdmin created too recently to cleanup. (2017-04-06 15:51:31+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,844 INFO: Role MyPowerUser created too recently to cleanup. (2017-04-06 16:19:58+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,845 INFO: Role MyroleforLambda created too recently to cleanup. (2017-04-05 12:40:23+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,845 INFO: Role NetFlix-LeastPriviledge created too recently to cleanup. (2017-06-15 12:56:10+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,845 INFO: Role RepokidRole created too recently to cleanup. (2017-06-16 15:36:13+00:00) [in /home/ec2-user/repokid/repokid/filters/age/__init__.py:23]
2017-06-19 20:20:46,845 INFO: Role aardvark filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,845 INFO: Role AmazonAppStreamServiceAccess filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,845 INFO: Role ApplicationAutoScalingForAmazonAppStreamAccess filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,846 INFO: Role config-role-eu-west-1 filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,846 INFO: Role lambda_config_execution_role filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,846 INFO: Role MyAdmin filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,846 INFO: Role MyPowerUser filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,846 INFO: Role MyroleforLambda filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,846 INFO: Role NetFlix-LeastPriviledge filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,847 INFO: Role RepokidRole filtered by AgeFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,847 INFO: Role lambda_config_execution_role filtered by LambdaFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,847 INFO: Role MyroleforLambda filtered by LambdaFilter [in /home/ec2-user/repokid/repokid/repokid.py:223]
2017-06-19 20:20:46,904 INFO: Getting data from Aardvark [in /home/ec2-user/repokid/repokid/repokid.py:228]
2017-06-19 20:20:46,906 ERROR: Unable to get Aardvark data: {} [in /home/ec2-user/repokid/repokid/repokid.py:510]
Traceback (most recent call last):
  File "/home/ec2-user/Envs/repokid/bin/repokid", line 9, in <module>
    load_entry_point('repokid==0.5', 'console_scripts', 'repokid')()
  File "/home/ec2-user/repokid/repokid/repokid.py", line 757, in main
    return update_role_cache(account_number)
  File "/home/ec2-user/repokid/repokid/repokid.py", line 229, in update_role_cache
    aardvark_data = _get_aardvark_data(account_number)
  File "/home/ec2-user/repokid/repokid/repokid.py", line 510, in _get_aardvark_data
    LOGGER.error('Unable to get Aardvark data: {}').format(e)
AttributeError: 'NoneType' object has no attribute 'format'
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ repokid display_role_cache [HiddenAccount]
Loaded config from /home/ec2-user/repokid/config.json
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 16/16 [00:00<00:00, 163.71it/s]
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ repokid repo_role [HiddenAccount] AwsSecurityAudit
Loaded config from /home/ec2-user/repokid/config.json
2017-06-19 20:21:25,460 WARNING: ARN not found in Access Advisor: arn:aws:iam::[HiddenAccount]:role/AwsSecurityAudit [in /home/ec2-user/repokid/repokid/repokid.py:571]
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ repokid repo_role [HiddenAccount] MyAdmin
Loaded config from /home/ec2-user/repokid/config.json
2017-06-19 20:21:49,845 INFO: Cannot repo role MyAdmin because it is being disqualified by: [u'AgeFilter'] [in /home/ec2-user/repokid/repokid/repokid.py:567]
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ repokid display_role_cache [HiddenAccount]
Loaded config from /home/ec2-user/repokid/config.json
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 16/16 [00:00<00:00, 190.28it/s]
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ repokid repo_role [HiddenAccount] GatedGardenAudit
Loaded config from /home/ec2-user/repokid/config.json
2017-06-19 20:22:24,979 WARNING: ARN not found in Access Advisor: arn:aws:iam::[HiddenAccount]:role/GatedGardenAudit [in /home/ec2-user/repokid/repokid/repokid.py:571]
(repokid)[ec2-user@ip-172-31-42-155 repokid]$ 

scriptsrc commented on September 22, 2024

Will push out a fix for this one momentarily:

LOGGER.error('Unable to get Aardvark data: {}').format(e)
AttributeError: 'NoneType' object has no attribute 'format'

scriptsrc commented on September 22, 2024

^ I pushed a fix to master for the AttributeError

from repokid.
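
The traceback above comes from calling `.format()` on the return value of `LOGGER.error()`, which is `None`: the message is logged with a literal `{}` and the `AttributeError` replaces the real Aardvark failure. The following is an added example, not repokid's code or the fix that was pushed; the function names, the logger name and the simulated connection failure are assumptions made for illustration.

```python
import logging

LOGGER = logging.getLogger("repokid_example")  # hypothetical logger name
LOGGER.propagate = False


class ListHandler(logging.Handler):
    """Collects rendered log messages so they can be inspected."""
    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def failing_fetch(account_number):
    # Constructed failure standing in for an unreachable Aardvark API.
    raise ConnectionError("cannot reach Aardvark API")


def get_data_buggy(account_number, fetch=failing_fetch):
    try:
        return fetch(account_number)
    except Exception as e:
        # Logger.error() returns None, so .format() runs on None:
        # "{}" is logged unfilled and AttributeError hides the cause.
        LOGGER.error('Unable to get Aardvark data: {}').format(e)


def get_data_fixed(account_number, fetch=failing_fetch):
    try:
        return fetch(account_number)
    except Exception as e:
        # Pass the exception as a logging argument so the cause is recorded.
        LOGGER.error('Unable to get Aardvark data: %s', e)
        return None


def run(func):
    """Return (logged messages, name of the exception raised or None)."""
    handler = ListHandler()
    LOGGER.addHandler(handler)
    raised = None
    try:
        func("123456789012")  # constructed account number
    except Exception as exc:
        raised = type(exc).__name__
    finally:
        LOGGER.removeHandler(handler)
    return handler.messages, raised
```

`run(get_data_buggy)` reproduces both symptoms in the log above (the unfilled `{}` and the `AttributeError`), while `run(get_data_fixed)` records the underlying connection error and returns cleanly.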

scriptsrc commented on September 22, 2024

Could you log into the AWS Console and let me know what it says for access advisor for the GatedGardenAudit role?

If the console shows access advisor, but aardvark doesn't, that's a problem.

royere commented on September 22, 2024

For AwsSecurityAudit, I have multiple access to different services, for aardvark, I have access to IAM policy, GatedGardenAudit has no access. In the console. Update: When I curl the aardvark API, this is consistent.

royere commented on September 22, 2024

scriptsrc commented on September 22, 2024

Great. I'll see if we can update the docs to make the format of that URL more apparent.

soori1s commented on September 22, 2024

May I please know how this was fixed?

I am facing the same issue, ARN not found. In repokid's config.json, I have the right aardvark_api_location.

(repokid) nil@ubuntu:~/repokid$ repokid display_role 479617910830 UC18IAMRole
Loaded config from /home/nil/repokid/config.json
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials

Role repo data:
Name Refreshed Disqualified By Can be repoed Permissions Repoable Repoed Services


UC18IAMRole 2018-06-26T16:15:09.088160 [] True 0 0 Never 0

Policy history:
Number Source Discovered Permissions Services


   0  Scan      2018-06-26T16:10:49.163802              0  []

Stats:
Date Event Type Permissions Count Disqualified By


2018-06-26 15:22:05,634 WARNING: ARN not found in Access Advisor: arn:aws:iam::479617910830:role/UC18IAMRole [in /home/nil/repokid/repokid/cli/repokid_cli.py:545]
WARNING:repokid:ARN not found in Access Advisor: arn:aws:iam::479617910830:role/UC18IAMRole

mcpeak commented on September 22, 2024

@soori1s in the case of this issue it was because the Aardvark URL was not configured correctly in Repokid. In your case it looks like the Aardvark database has not seen that role. Please make sure that the Aardvark update completes successfully for your account.
