KeyError: RoleLastUsed #2

Open
bharathkarumudi opened this issue Apr 2, 2024 · 2 comments
@bharathkarumudi

When I run the iamgraph --db-uri bolt://172.17.0.3:7687 run --input-dir ./ utility on one of my accounts, I encounter the below error.

  • The tool processed all get-account-authorization-details JSON files of other accounts with no issues; I see this error only with this one account.

  • The difference from all the other accounts is that this is a standalone account, whereas the others are part of an AWS Organization.

Modelling input files from ./ to the graph...
Traceback (most recent call last):
  File "/home/pyVenv/bin/iamgraph", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/iamgraph/cli.py", line 114, in run
    model.callback(input_dir=input_dir, clear_db=clear_db)
  File "/home/pyVenv/lib/python3.11/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/iamgraph/cli.py", line 66, in model
    model_gaads_to_graph(db, input_files)
  File "/home/pyVenv/lib/python3.11/site-packages/iamgraph/graph.py", line 19, in model_gaads_to_graph
    parsed_iam_details = parse_gaad(iam_details)
                         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/iamgraph/parsing.py", line 10, in parse_gaad
    roles, account_details = parse_roles(authorization_details['RoleDetailList'], prod_accounts)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pyVenv/lib/python3.11/site-packages/iamgraph/parsing.py", line 39, in parse_roles
    role['LastUsed'] = json.dumps(role['RoleLastUsed'], indent=4)
                                  ~~~~^^^^^^^^^^^^^^^^
KeyError: 'RoleLastUsed'
@alkall
Contributor

alkall commented Apr 3, 2024

Based on the exception, it looks like some role in the input JSON is missing the RoleLastUsed key. According to the AWS documentation, however, this should be part of the output of get-account-authorization-details. I'm not sure if there can be some special cases where this data is missing from the output 🤔

Could you try to track down the role it fails to parse in the input JSON? So are there roles without the RoleLastUsed key? Is there anything special about those roles? Like, are they very old or do they seem to be missing something else?

@alkall alkall self-assigned this Apr 3, 2024
@bharathkarumudi
Author

I verified this again: the accounts that are part of AWS Organizations have the RoleLastUsed key for every custom and AWS-managed role, whereas my other account, which is a standalone and non-US account, does not have this key in the JSON for both AWS-managed and custom roles.

I am not sure if the get-account-authorization-details works differently for (a) Standalone accounts, (b) non-US regions.
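
One way to do the check asked for above, as an added example that is not part of the thread or of iamgraph's own code: list the roles in a get-account-authorization-details file that have no RoleLastUsed key, and serialize the field without raising KeyError. The function names, the sample data and the choice to emit null for a missing key (so "unknown" stays distinct from an empty `{}`) are assumptions.

```python
import json

# Constructed sample in the shape of get-account-authorization-details output;
# the account ID, role names and timestamps are made up for illustration.
SAMPLE_GAAD = {
    "RoleDetailList": [
        {
            "RoleName": "app-role",
            "Arn": "arn:aws:iam::111111111111:role/app-role",
            "RoleLastUsed": {"LastUsedDate": "2024-03-01T10:00:00+00:00", "Region": "eu-west-1"},
        },
        {
            "RoleName": "never-assumed-role",
            "Arn": "arn:aws:iam::111111111111:role/never-assumed-role",
            "RoleLastUsed": {},
        },
        {
            "RoleName": "no-key-role",
            "Arn": "arn:aws:iam::111111111111:role/no-key-role",
        },
    ]
}


def roles_missing_last_used(gaad):
    """Return the ARN (or name) of every role with no RoleLastUsed key at all."""
    return [
        role.get("Arn") or role.get("RoleName", "<unknown>")
        for role in gaad.get("RoleDetailList", [])
        if "RoleLastUsed" not in role
    ]


def last_used_json(role):
    """Tolerant form of the failing line: a missing key serializes as 'null'."""
    return json.dumps(role.get("RoleLastUsed"), indent=4)


def load_gaad(path):
    """Load a get-account-authorization-details JSON file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for arn in roles_missing_last_used(SAMPLE_GAAD):
        print("missing RoleLastUsed:", arn)
```

To run it against a real export, pass the result of `load_gaad(path)` to `roles_missing_last_used` instead of the sample.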
