Unable to assume role #174
Comments
If I run this detonation while authenticated under an admin role, it works well:
Can you confirm the role you are using is authorized to perform |
The role has Here's the output of my get-caller-identity:
The
|
I know you said your role has |
I had to add |
What do you think we should do? Would it make sense to add |
Per AWS documentation, if you're doing role chaining and your role has the sourceIdentity set, the target role you're about to assume needs to allow the sts:sourceIdentity in the trust policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-know. I think it doesn't make sense to set it by default, as it depends on your environment. Maybe just make a reference to that? |
Conversely; is there any downside to allowing |
@prsimoes c.f. #224, can you have a look and confirm it fixes your issue? I attached a Mac OS build below for your convenience https://drive.google.com/file/d/1ZZOJ9HqAIUvXbaIxKXbTmmgRHmfZF-sx/view?usp=sharing |
Yes, it fixes it; however, I noticed that I have to warm up first, wait a few seconds, and then detonate. If I do it all at once with just detonate, I get permission issues. It looks like the permissions take a few seconds to settle. |
Thanks. Guess it can't hurt to merge it. Thanks for reporting! |
What is not working?
On techniques that create an IAM role during warmup, I can't assume that new role. I'm running stratus with an already assumed role on my AWS account, not root. For example, while looking at the IAM role that is created by https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf#L23, I get a trust relationship on the new role of:
When it should be something like:
Looking at the Terraform in https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf#L33, I couldn't find a way to reference the role name instead of the root account.
What OS are you using?
Mac OS X
What is your Stratus Red Team version?
2.4.1
Full output?
Example error message from Cloudtrail:
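The two points the thread turns on are (a) a trust policy that names the account root only lets a caller assume the role if the caller's own identity policy also grants sts:AssumeRole, whereas naming the calling role's ARN does not depend on that, and (b) when the calling session already carries a source identity, the target role's trust policy must also allow sts:SetSourceIdentity or the chained AssumeRole fails. The helper below is an added example written for this page, not code from stratus-red-team (whose techniques are Terraform); it maps the ARN returned by get-caller-identity to the principal ARN a trust policy should reference and builds the policy document. All ARNs, account numbers, role and session names are constructed samples, and it generalizes past the single role in the issue to IAM users and root callers.

```python
"""Trust policy helper: let the calling role, not the account root, assume a
newly created IAM role, and opt in to role chaining with a source identity.

Added example; not code from stratus-red-team or its Terraform. The caller
ARNs are constructed samples (not real accounts); in practice they come from
`aws sts get-caller-identity`.
"""
import json
import re
from typing import Optional

# Constructed sample caller identities, in the three shapes GetCallerIdentity returns.
ASSUMED_ROLE_CALLER = "arn:aws:sts::123456789012:assumed-role/OperatorRole/alice"
IAM_USER_CALLER = "arn:aws:iam::123456789012:user/alice"
ROOT_CALLER = "arn:aws:iam::123456789012:root"

# An assumed-role session is reported with an sts ARN that includes the
# session name; a trust policy must name the underlying IAM role instead.
_ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):sts::(?P<account>\d{12})"
    r":assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def caller_to_principal_arn(caller_arn: str) -> str:
    """Return the principal ARN a trust policy should reference for this caller."""
    m = _ASSUMED_ROLE_RE.match(caller_arn)
    if m:
        return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"
    # IAM users and the account root already have iam:: ARNs usable as principals.
    return caller_arn


def build_trust_policy(
    caller_arn: str,
    allow_source_identity: bool = False,
    expected_source_identity: Optional[str] = None,
) -> dict:
    """Build an assume-role trust policy for the given caller.

    Naming the caller's role ARN directly (rather than the account root) means
    the assumption no longer also depends on the caller's identity policy
    granting sts:AssumeRole on the new role.

    allow_source_identity adds sts:SetSourceIdentity, which AWS requires in the
    target role's trust policy when the calling session already carries a
    source identity (role chaining). expected_source_identity pins the allowed
    value with an sts:SourceIdentity condition.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": caller_to_principal_arn(caller_arn)},
        "Action": ["sts:AssumeRole"],
    }
    if allow_source_identity:
        statement["Action"].append("sts:SetSourceIdentity")
    if expected_source_identity is not None:
        statement["Condition"] = {
            "StringEquals": {"sts:SourceIdentity": expected_source_identity}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_json(caller_arn: str, **kwargs) -> str:
    """Serialized form for `aws iam create-role --assume-role-policy-document`."""
    return json.dumps(build_trust_policy(caller_arn, **kwargs), indent=2)


if __name__ == "__main__":
    print(trust_policy_json(ASSUMED_ROLE_CALLER, allow_source_identity=True))
```

Whether to grant sts:SetSourceIdentity by default is the environment-specific choice discussed in the comments; the flag is off here so the plain policy matches the single-role case. Separately, IAM changes are eventually consistent, so code that creates a role and assumes it immediately should still retry on AccessDenied for a few seconds, which matches the warmup-then-detonate delay reported above.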