
Question: How to use with AWS IAM Assumed Roles #85

Open
salt-mountain opened this issue Oct 17, 2024 · 5 comments

Comments

@salt-mountain

Hello!

I feel a bit silly asking because I'm sure the answer is staring me in the face, but I've hit a wall and wanted to ask for some help, because I'm not sure from the documentation alone what I might be doing wrong.

I'm trying to use iamlive to determine what the permissions are to stand up some infrastructure. I'm utilizing terragrunt to invoke several Terraform modules. I give Terragrunt a "Deployment IAM Role" that has an expanded permission set to be able to stand up resources, but I'm trying to get a granular IAM document that contains the permissions that are involved. I invoke terragrunt with my local AWS user, and the terragrunt.hcl has an iam_role field that it assumes without issue.

I started by invoking iamlive using

$ export AWS_CSM_ENABLED=true
$ iamlive --set-ini --background --output-file iam_output.txt
$ terragrunt run-all init

After it's done, my output document is very small.

cat iam_output.txt
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "s3:ListBucket",
                "dynamodb:DescribeTable",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "ec2:DescribeVolumes",
                "ec2:DeleteVolume"
            ],
            "Resource": "*"
        }
    ]
}

This obviously doesn't cover everything like creating EC2s, ASGs, etc. It's basically like iamlive loses the thread once terragrunt assumes my deployment role to do the actual job of instantiating infrastructure in my AWS account.

I then tried invoking iamlive like so:

export AWS_CSM_ENABLED=true
export AWS_CA_BUNDLE=~/.iamlive/ca.pem
export AWS_CSM_HOST=127.0.0.1
export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080

# run iamlive in proxy mode to generate the ca.pem file
iamlive --mode proxy --output-file iam_output.txt

# Stop the process and start again in the background
iamlive --set-ini --mode proxy --output-file policy.json --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --background

# Run Terragrunt
terragrunt run-all init

16:04:32.261 INFO   The stack at . will be processed in the following order for command init:
Group 1
- Module ./blah

Group 2
- Module ./blah2

Group 3
- Module ./blah3_1
- Module ./blah3_2
- Module ./blah3_3

2024/10/17 16:04:32 Enabling CSM

The problem is that it just hangs here.

Am I missing something very super obvious about how to invoke this to work with terragrunt and IAM Roles?

@iann0036
Owner

Hey @salt-mountain,

Just checking, is this trying to be run as an unattended script? If so, the first:

# run iamlive in proxy mode to generate the ca.pem file
iamlive --mode proxy --output-file iam_output.txt

will run continuously, waiting for a kill signal before proceeding. Perhaps remove this and put a sleep 1 immediately after the backgrounded version (which will write the ca.pem file itself) if so.

Also try running this manually such that you have iamlive running in a single terminal session without environment variables and terragrunt running with the following immediately prior:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

@salt-mountain
Author

Hey @iann0036 , appreciate the reply.

will run continuously, waiting for a kill signal before proceeding.

Yeah, I did kill it. I just wanted to generate the ca.pem and ca.key and that was the way I had done it.

is this trying to be run as an unattended script

So, to give a little bit of background: I'm trying to run this in an environment where we have AWS Federated Logins, aws sso, and I have a shell that I've provisioned with aws-vault to give me the proper permissions I need on the CLI. The only way I've been able to get iamlive to work is starting it from one of those authenticated shells and sending it to the background with iamlive --set-ini --output-file iam_output.txt --background and then doing what I need to do. Having it in the foreground in one terminal session does not result in anything happening when I'm then executing aws actions in a different terminal window, in another aws-vault authenticated shell.

Trying just those three export commands, and re-running the iamlive --mode proxy --output-file iam_output.txt in one terminal window, whether in the foreground or background, results in an "SSL validated failed" in the second terminal window where I'm executing aws CLI commands.

@iann0036
Owner

Hey @salt-mountain,

The SSL validated failed message probably indicates that Terragrunt or a related component has another network call that isn't respecting the AWS_CA_BUNDLE environment variable and is failing (because we're attempting to proxy all SSL traffic). If you can determine what DNS names are failing in this way with debug logging or similar, you may be able to set the NO_PROXY environment variable which may be better respected by the software.

As of now, there's no good way I know to proxy only the AWS traffic, so we unfortunately have to deal with the misdirected traffic.

@salt-mountain
Author

I think I goofed a little and I'm further 🤦‍♂️

I had to explicitly set the export commands in the second terminal window and I started seeing results in the first window.

But now I'm probably running into exactly what you said with calls to the Terraform registry falling into the proxy as well and timing out.

I'll keep at this a while and try to filter out with NO_PROXY.

I appreciate your input! If you don't mind keeping this open for a while, I'd like to (hopefully) come back reporting success and maybe some clear steps for anyone else that might run into the same issue.

@iann0036
Owner

Yep, check out some similar issues like #53, https://github.com/iann0036/iamlive/issues?q=no_proxy

I might make this more explicit in the README.
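A combined script for the two suggestions in this thread: the maintainer's point that only the backgrounded proxy-mode iamlive is needed (it writes ca.pem and ca.key itself, so a short sleep before terragrunt replaces the foreground run), and the NO_PROXY exclusion for the Terraform registry traffic that otherwise falls into the proxy and times out. This is an added example, not code from the issue or from iamlive. The iamlive flags and the policy.json filename are the ones from the commands above; the exclusion host list, the function names and the capture.sh filename are assumptions to adjust from your own debug logging. Because Terraform and Terragrunt are Go programs, the proxy_bypassed helper reproduces Go's NO_PROXY matching rules so you can test an exclusion list before running, and check_no_proxy catches an entry broad enough to hide the AWS calls you want recorded.

```sh
#!/bin/sh
# Added example for this thread (not code from the issue or from iamlive itself).
# Usage: sh capture.sh run   (from an aws-vault authenticated shell)
#        . ./capture.sh      (only defines the helpers, runs nothing)

IAMLIVE_ADDR="127.0.0.1:10080"
IAMLIVE_CA="$HOME/.iamlive/ca.pem"
IAMLIVE_KEY="$HOME/.iamlive/ca.key"

# Assumed list of non-AWS endpoints terraform/terragrunt contact during init.
# Anything listed here is sent directly, so it never shows up in the policy.
NO_PROXY_HOSTS="registry.terraform.io,releases.hashicorp.com,checkpoint-api.hashicorp.com,github.com"

# proxy_bypassed HOST [LIST]: exit 0 if HOST would skip the proxy under Go's
# NO_PROXY rules: "*" matches everything, "example.com" matches the name and
# all its subdomains, ".example.com" matches subdomains only. IP/CIDR entries
# and host:port entries are not modelled here; pass HOST without a port.
proxy_bypassed() {
  host=$1
  list=${2:-${NO_PROXY:-}}
  while IFS= read -r entry; do
    entry=$(printf '%s' "$entry" | tr -d '[:space:]')
    [ -z "$entry" ] && continue
    [ "$entry" = "*" ] && return 0
    if [ "${entry#.}" != "$entry" ]; then
      # leading dot: subdomains only
      case "$host" in *"$entry") return 0 ;; esac
    else
      [ "$host" = "$entry" ] && return 0
      case "$host" in *".$entry") return 0 ;; esac
    fi
  done <<EOF
$(printf '%s' "$list" | tr ',' '\n')
EOF
  return 1
}

# check_no_proxy [LIST]: the AWS APIs are the traffic we want iamlive to see,
# so fail (exit 1) if any of them would bypass the proxy, e.g. with an
# over-broad entry such as "amazonaws.com" or "*".
check_no_proxy() {
  list=${1:-$NO_PROXY_HOSTS}
  ok=0
  for h in sts.amazonaws.com ec2.us-east-1.amazonaws.com s3.amazonaws.com; do
    if proxy_bypassed "$h" "$list"; then
      echo "ERROR: $h would bypass iamlive; its calls would be missing from the policy" >&2
      ok=1
    fi
  done
  return $ok
}

# iamlive_env: the exports the terragrunt shell needs, as in the thread, plus
# NO_PROXY in both spellings because tools differ on which one they read.
iamlive_env() {
  export AWS_CA_BUNDLE="$IAMLIVE_CA"
  export HTTP_PROXY="http://$IAMLIVE_ADDR"
  export HTTPS_PROXY="http://$IAMLIVE_ADDR"
  export NO_PROXY="$NO_PROXY_HOSTS"
  export no_proxy="$NO_PROXY_HOSTS"
}

# run_capture: unattended flow. Only the backgrounded iamlive is started; the
# sleep gives it a moment to write the CA files before terragrunt begins.
run_capture() {
  check_no_proxy "$NO_PROXY_HOSTS" || return 1
  iamlive --set-ini --mode proxy --output-file policy.json --sort-alphabetical \
    --bind-addr "$IAMLIVE_ADDR" --ca-bundle "$IAMLIVE_CA" --ca-key "$IAMLIVE_KEY" --background
  sleep 1
  iamlive_env
  terragrunt run-all init   # the same env applies to plan/apply in this shell
}

if [ "${1:-}" = "run" ]; then
  run_capture
fi
```

Run it from the same aws-vault authenticated shell you would otherwise start iamlive in, so the assumed deployment role's calls pass through the proxy as well. When a further host still times out, add it to NO_PROXY_HOSTS and re-run check_no_proxy first: an entry like "amazonaws.com" would silently exclude exactly the calls you are trying to record.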
