Adding docs regarding Region compatibility of session tokens for the global endpoint (AWS) #2583
Comments
Hi @miladbeigi, we have the following logic to handle just that issue but maybe we're missing some use cases. The code is as follows:

```python
# For a valid STS GetCallerIdentity we have to use the right AWS Region
# If there are no regions passed with -f
if input_regions is None or len(input_regions) == 0:
    # If you have a region configured in your AWS config or credentials file
    if session.region_name is not None:
        aws_region = session.region_name
    # If no region is configured in your AWS config or credentials file, use the AWS STS Global region
    else:
        # If there is no region passed with -f/--region
        # we use the Global STS Endpoint Region, us-east-1
        aws_region = AWS_STS_GLOBAL_ENDPOINT_REGION
# If your input regions list is not empty we use the first region passed
else:
    # Get the first region passed to -f/--region
    aws_region = input_regions[0]
```

Does this logic make sense to you? Maybe a new flag to specifically set the AWS STS region could be useful. Thanks for using Prowler 🚀
Hi @jfagoagas. Yes I saw that. But I didn't test that logic. The only thing I tested was adding the region to this line. And that solved my issue. But I don't know how you use the validate_aws_credentials() function to achieve the same thing. I couldn't find the relationship.
Good catch, we'll check it and let you know. Thanks!
Hi @miladbeigi I've made a quick workaround to fix that using a new argument. Example --> Thanks!
Hi @jfagoagas. Yes I can confirm working with that branch and passing the
New feature motivation
Prowler is using the global endpoint of STS for assuming roles, and this works fine when working with regions that are enabled by default. But as stated in the AWS documentation, you need to change the compatibility of the global endpoint to work with all regions, and this option is not enabled by default in AWS.
So when using Prowler in regions that are not enabled by default you will get the invalid token error. At least this was the case for me. After changing the settings in IAM, the tokens became valid and I had no errors.
Solution Proposed
The easiest option would be to add this fact to the docs. So users can solve the issue by changing the AWS IAM settings.
Describe alternatives you've considered
Another workaround (IMHO) would be to use the region-specific endpoint for STS when initiating the client. This solves the problem and there is no need to change the AWS IAM settings.

```python
sts_client = session.client("sts", aws_region)
```
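The region-resolution precedence quoted in the comment above (explicit -f/--region, then the session's configured region, then the global-endpoint region us-east-1) and the regional-endpoint workaround proposed here fit together in one small piece of code. The following is an added example written for this thread, not Prowler's own code: `FakeSession`, `resolve_sts_region`, `sts_endpoint_url` and `build_sts_client_kwargs` are assumed names, and the session object is a stand-in for a boto3 `Session` that only exposes `region_name`. Pinning both `region_name` and `endpoint_url` makes the client talk to the regional STS endpoint regardless of the SDK's `sts_regional_endpoints` default, so the session token it returns is issued by that region rather than by the global endpoint.

```python
# Added example (not Prowler's code): resolve the STS region from CLI/session
# inputs and turn it into a regional STS endpoint. FakeSession and the helper
# names below are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Region that sits behind the legacy global endpoint sts.amazonaws.com
AWS_STS_GLOBAL_ENDPOINT_REGION = "us-east-1"


@dataclass
class FakeSession:
    """Stand-in for boto3.Session exposing only the attribute the logic reads."""
    region_name: Optional[str] = None


def resolve_sts_region(session, input_regions: Optional[Sequence[str]]) -> str:
    """Precedence described in the thread: first -f/--region value, then the
    region configured in the AWS config/credentials file, then us-east-1."""
    if not input_regions:
        if session.region_name is not None:
            return session.region_name
        return AWS_STS_GLOBAL_ENDPOINT_REGION
    return input_regions[0]


def sts_endpoint_url(region: Optional[str]) -> str:
    """Regional STS endpoint for a region; None selects the global endpoint."""
    if region is None:
        return "https://sts.amazonaws.com"
    return f"https://sts.{region}.amazonaws.com"


def build_sts_client_kwargs(session, input_regions: Optional[Sequence[str]]) -> Dict[str, str]:
    """Keyword arguments for session.client(...): explicit region_name plus
    endpoint_url forces the regional endpoint, so the token is valid in that
    region even if it is not enabled by default and the IAM global-endpoint
    token compatibility setting was never changed."""
    region = resolve_sts_region(session, input_regions)
    return {
        "service_name": "sts",
        "region_name": region,
        "endpoint_url": sts_endpoint_url(region),
    }


if __name__ == "__main__":
    # Constructed scenarios: no inputs at all, a configured session region,
    # and an explicit -f region that is not enabled by default.
    for session, regions in [
        (FakeSession(), None),
        (FakeSession("eu-west-1"), []),
        (FakeSession("eu-west-1"), ["af-south-1", "eu-west-1"]),
    ]:
        print(build_sts_client_kwargs(session, regions))
```

With real boto3 the returned dictionary can be passed as `session.client(**kwargs)`; the example keeps boto3 out so it runs offline.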
Additional context
No response