Can't send to an S3 bucket while using a Switch Role. [Amazon] #2938
Hello, I'm trying to set up Prowler to run from a central account in a container. The container is run with a Task Role and a Task Execution Role, ecsTaskExecutionRole, which also has the rights to switch role and to s3:PutObject. Then with a CMD

    prowler aws -M csv -B acc1-prowler-testbucket -R arn:aws:iam::acc2:role/READONLY_REPORTING

it switches to another account with a ReadOnly role. Then the container finishes its task and generates the .csv. But then it throws the following error:

    2023-10-17 12:53:43,982 [File: s3.py:44] [Module: s3] CRITICAL: S3UploadFailedError[41] -- Failed to upload /home/prowler/output/prowler-output-acc2-date.csv to acc1-prowler-testbucket/output/csv/prowler-output-acc2-date.csv: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Prowler can put the .csv in acc1-prowler-testbucket when it's checking the main account, but when the switch role is applied it errors out. So I'm assuming Prowler tries to send the file to S3 using the ReadOnly role instead of the ecsTaskExecutionRole. Is there a way to avoid this interaction, or should I add S3 rights to the ReadOnly role, which is something I'd rather avoid?
Replies: 1 comment
Hi @SergeyIlievDxC,
Yes, there is a flag to force Prowler to use the default credentials to send the reports to S3 instead of the assumed ones: --output-bucket-no-assume
For any other questions or doubts we are always here to help; you can also check our docs (https://docs.prowler.cloud/), for example the S3 bucket integration docs are here -> https://docs.prowler.cloud/en/latest/tutorials/aws/s3/