Not showing permissions for most roles #225
Comments
Found the issue is that it only does in-line policies, which AWS don't recommend - found another ticket that relates, #33. It would be useful to have this clear in the documentation.
@jonnieb007 I had this same revelation the other day when working with Repokid/Aardvark, but I believe it does state that it only works on inline policies at the very top of the Readme.
@jonnieb007 why does AWS not recommend inline policies? I believe managed policies are typically for cases where you want to attach the same policy to multiple principals in the same account.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#choosing-managed-or-inline "we recommend that you use managed policies instead of inline policies." We have moved to managed; could Repokid support managed policies?
Yes, I believe many others are interested in supporting managed policies for Repokid right now. This is not technically difficult with Repokid's architecture. If you are interested in picking this up I'm happy to help.
I'd be willing to work on this but wouldn't mind a hand in getting started.
@curtis-turner You can also see #33, I'm trying to troubleshoot this atm. Looks like there's just one of the functions that drops all managed policy info, even though it's included in the program. Check the other ticket for my contact details if you'd like to reach out as well.
I can help with testing but I'm not much of a programmer.
When I do
repokid display_role_cache 1234567890
I have several roles but most are showing 0 permissions, including AardvarkRepokid (two roles show some permissions: one has 5 and another, OrganizationAccountAccessRole, has 5110).
When I do
repokid find_roles_with_permissions "sts:assumerole" --output=myroles.json
Loaded config from /srv/dev/repokid-master/config.json
2019-07-04 08:34:24,931 INFO: ARN arn:aws:iam::01234567890:role/OrganizationAccountAccessRole has ['sts:assumerole'] [in /srv/dev/repokid-master/repokid/cli/repokid_cli.py:518]
INFO:repokid:ARN arn:aws:iam::01234567890:role/OrganizationAccountAccessRole has ['sts:assumerole']
It only shows one role OrganizationAccountAccessRole with sts:assumerole
When I do
curl localhost:5000/api/1/advisors?phrase=AardvarkRepokid
It returns
{"lastAuthenticated":1562226360000,"lastAuthenticatedEntity":"arn:aws:iam::01234567890:role/AardvarkRepokid","lastUpdated":"Thu, 04 Jul 2019 08:31:17 GMT","serviceName":"AWS Security Token Service","serviceNamespace":"sts","totalAuthenticatedEntities":1}],"arn:aws:iam::01234567890:role/AardvarkRepokid":
And when I do it via AWS Access Advisor API
aws iam generate-service-last-accessed-details --arn arn:aws:iam::1234567890:role/AardvarkRepoKid
aws iam get-service-last-accessed-details --job-id 20b5dded-9aaa-0a64-038b-8f35b330fdf6 >> Aardvark.json
{
"LastAuthenticated": "2019-07-03T07:21:00Z",
"LastAuthenticatedEntity": "arn:aws:iam::01234567890:role/AardvarkRepokid",
"ServiceNamespace": "sts",
"ServiceName": "AWS Security Token Service",
"TotalAuthenticatedEntities": 1
}
Why is repokid not processing the information correctly from aardvark?
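The thread's explanation (only inline policies are read, so a role whose permissions come entirely from attached managed policies shows 0) can be checked directly against the data IAM returns. The following is an added example, not Repokid's or Aardvark's code: it walks a constructed sample shaped like the iam:GetAccountAuthorizationDetails response (placeholder account id, role and policy names) and compares an inline-only scan with one that also follows attached managed policies, using only the default policy version, which is the one actually in force.

```python
# Added example (not Repokid's code): inline-only vs inline+managed permission scan
# over a constructed sample shaped like IAM GetAccountAuthorizationDetails output.
# Constructed sample; account id, role and policy names are placeholders.
AUTH = {
    "RoleDetailList": [
        {"RoleName": "AardvarkRepokid", "RolePolicyList": [],  # managed policy only
         "AttachedManagedPolicies": [{"PolicyArn": "arn:aws:iam::123456789012:policy/AardvarkAccess"}]},
        {"RoleName": "OrganizationAccountAccessRole", "AttachedManagedPolicies": [],
         "RolePolicyList": [{"PolicyName": "AssumeInline", "PolicyDocument": {
             "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}}}]},
    ],
    "Policies": [{"Arn": "arn:aws:iam::123456789012:policy/AardvarkAccess",  # managed policies
        "PolicyVersionList": [  # only the default version is in force
            {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Statement": [
                {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}},
            {"VersionId": "v2", "IsDefaultVersion": True, "Document": {"Statement": [
                {"Effect": "Allow", "Resource": "*", "Action": [
                    "iam:GenerateServiceLastAccessedDetails", "iam:GetServiceLastAccessedDetails"]}]}},
        ]}],
}

def allowed_actions(document: dict) -> set:
    """Allow-actions in a policy document; Statement and Action may be scalar or list."""
    stmts = document.get("Statement", [])
    actions = set()
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def role_permissions(details: dict, include_managed: bool) -> dict:
    """{role name: set of actions}. include_managed=False mirrors an inline-only scan."""
    default_docs = {p["Arn"]: v["Document"] for p in details.get("Policies", [])
                    for v in p["PolicyVersionList"] if v.get("IsDefaultVersion")}
    result = {}
    for role in details.get("RoleDetailList", []):
        actions = set()
        for inline in role.get("RolePolicyList", []):
            actions |= allowed_actions(inline["PolicyDocument"])
        if include_managed:
            for att in role.get("AttachedManagedPolicies", []):
                actions |= allowed_actions(default_docs.get(att["PolicyArn"], {}))
        result[role["RoleName"]] = actions
    return result

def roles_missed_by_inline_scan(details: dict) -> list:
    """Roles that look empty to an inline-only scan but hold permissions via managed policies."""
    inline, full = role_permissions(details, False), role_permissions(details, True)
    return sorted(r for r in full if not inline[r] and full[r])
```

Running `roles_missed_by_inline_scan(AUTH)` on the sample returns `['AardvarkRepokid']`, the same symptom the issue reports: an inline-only scan reports 0 permissions for a role that has permissions through an attached managed policy.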