
License: MIT License


iamlive

Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy

Important

The Azure and Google Cloud providers are in preview and may produce incorrect outputs at this time

Installation

Pre-built binaries

Pre-built binaries for Windows, macOS and Linux are available for download in the project releases.

Once downloaded, place the extracted binary in your $PATH (or execute in-place). For macOS users, you may need to allow the application to run via System Preferences.

Build with Go

To build and install this application, clone this repository and execute the following from its base directory:

go install

You must have Go 1.16 or later installed for the build to work.

Homebrew

You may also install this application using a Homebrew tap with the following command:

brew install iann0036/iamlive/iamlive

Other Methods

Usage

To start the listener, run iamlive in a separate terminal window from your CLI / SDK application. Press Ctrl+C to exit when you are done.

CLI Arguments

You can optionally also include the following arguments to the iamlive command:

--provider: the cloud service provider to intercept calls for (aws,azure,gcp) (default: aws)

--set-ini: when set, the .aws/config file will be updated to use the CSM monitoring or CA bundle and removed when exiting (default: false) (AWS only)

--profile: use the specified profile when combined with --set-ini (default: default) (AWS only)

--fails-only: when set, only failed AWS calls will be added to the policy, csm mode only (default: false) (AWS only)

--output-file: specify a file that will be written to on SIGHUP or exit (default: unset)

--refresh-rate: instead of flushing the policy to the console after every API call, flush it every this many seconds (default: 0, meaning after every call)

--sort-alphabetical: sort actions alphabetically (default: false for AWS, otherwise true)

--host: host to listen on for CSM (default: 127.0.0.1)

--background: when set, the process will return the current PID and run in the background without output (default: false)

--force-wildcard-resource: when set, the Resource will always be a wildcard (default: false) (AWS only)

--mode: the listening mode (csm,proxy) (default: csm for aws, otherwise proxy)

--bind-addr: the bind address for proxy mode (default: 127.0.0.1:10080)

--ca-bundle: the CA certificate bundle (PEM) to use for proxy mode (default: ~/.iamlive/ca.pem)

--ca-key: the CA certificate key to use for proxy mode (default: ~/.iamlive/ca.key)

--account-id: the AWS account ID to use in policy outputs within proxy mode (default: 123456789012 unless detected) (AWS only)

--debug: dumps associated HTTP requests when set in proxy mode (default: false)

Basic Example (CSM Mode)

iamlive --set-ini

Basic Example (Proxy Mode)

iamlive --set-ini --mode proxy

Basic Example (Azure)

iamlive --provider azure

Basic Example (Google Cloud)

iamlive --provider gcp

Comprehensive Example (CSM Mode)

iamlive --set-ini --profile myprofile --fails-only --output-file policy.json --refresh-rate 1 --sort-alphabetical --host 127.0.0.1 --background

Comprehensive Example (Proxy Mode)

iamlive --set-ini --mode proxy --profile myprofile --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012 --background --force-wildcard-resource

The arguments may also be specified in an INI file located at ~/.iamlive/config.
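As an added example written for this page (not iamlive's own code), the Go program below post-processes the policy documents iamlive writes, in the shape quoted in the issues further down, where Action and Resource may each be a single string or a list. It merges several --output-file results from separate runs into one policy, drops duplicate actions, sorts them as --sort-alphabetical does, and counts statements whose Resource is the wildcard, which are the ones to scope down before the policy is attached. The two input documents are constructed inline; the type and function names are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// stringList decodes a policy field that may be a single string or a list
// of strings; it always encodes back as a list.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s)) // plain []string, no recursion
}

type statement struct {
	Effect   string     `json:"Effect"`
	Action   stringList `json:"Action"`
	Resource stringList `json:"Resource"`
}

type policy struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// mergePolicies combines several policy documents into one: Allow statements
// with the same Resource list are merged, duplicate actions dropped and the
// remaining actions sorted, as --sort-alphabetical does. Non-Allow statements
// are skipped because iamlive only emits Allow statements.
func mergePolicies(docs []string) (policy, error) {
	actionsByRes := map[string]map[string]bool{}
	for _, doc := range docs {
		var p policy
		if err := json.Unmarshal([]byte(doc), &p); err != nil {
			return policy{}, fmt.Errorf("parse policy: %w", err)
		}
		for _, st := range p.Statement {
			if st.Effect != "Allow" {
				continue
			}
			res := append([]string(nil), st.Resource...)
			sort.Strings(res)
			key := strings.Join(res, "\x00") // NUL cannot appear in an ARN
			if actionsByRes[key] == nil {
				actionsByRes[key] = map[string]bool{}
			}
			for _, a := range st.Action {
				actionsByRes[key][a] = true
			}
		}
	}
	keys := make([]string, 0, len(actionsByRes))
	for k := range actionsByRes {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	merged := policy{Version: "2012-10-17"}
	for _, k := range keys {
		var actions []string
		for a := range actionsByRes[k] {
			actions = append(actions, a)
		}
		sort.Strings(actions)
		merged.Statement = append(merged.Statement,
			statement{Effect: "Allow", Action: actions, Resource: strings.Split(k, "\x00")})
	}
	return merged, nil
}

// wildcardStatements counts statements granting on Resource "*"; these are
// the ones to scope to specific ARNs before the policy is deployed.
func wildcardStatements(p policy) int {
	n := 0
	for _, st := range p.Statement {
		for _, r := range st.Resource {
			if r == "*" {
				n++
				break
			}
		}
	}
	return n
}

// sampleDocs are constructed documents in iamlive's output shape, standing in
// for two --output-file results from separate runs.
var sampleDocs = []string{
	`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sts:GetCallerIdentity"],"Resource":"*"}]}`,
	`{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListBucket","sts:GetCallerIdentity"],"Resource":"*"},{"Effect":"Allow","Action":"iam:GetRole","Resource":["arn:aws:iam::123456789012:role/example"]}]}`,
}

func main() {
	merged, _ := mergePolicies(sampleDocs)
	out, _ := json.MarshalIndent(merged, "", "  ")
	fmt.Printf("%s\nstatements with Resource \"*\": %d\n", out, wildcardStatements(merged))
}
```

Statements are keyed on their sorted Resource list, so a statement scoped to a specific role ARN is never folded into the wildcard statement; the count of wildcard statements is the figure to drive down by re-running in proxy mode, where iamlive can fill in Resource.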

CSM Mode

Client-side monitoring mode is the default behaviour for AWS and will use metrics delivered locally via UDP to capture policy statements with the Action key only (Resource is only available in proxy mode).

CSM mode is only available for the AWS provider.

CLI

To enable CSM in the AWS CLI, you should either use the --set-ini option or add the following to the relevant profile in .aws/config:

csm_enabled = true

Alternatively, you can run the following in the window executing your CLI commands:

export AWS_CSM_ENABLED=true

SDKs

To enable CSM in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:

export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
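As an added example (not iamlive's code) of the mechanism CSM mode relies on: with the variables above set, the SDK emits one JSON datagram per API call attempt and one per completed call to AWS_CSM_HOST:AWS_CSM_PORT. The Go program below parses such datagrams, keeps only completed ApiCall events so that retries are not counted twice, and optionally keeps only calls that ended in an HTTP error status, which is the behaviour behind --fails-only. The field names (Type, Service, Api, Region, FinalHttpStatusCode) are assumed from the AWS SDK CSM event format and should be checked against your SDK version; the datagrams are constructed, and the Service/Api pair is reported as-is rather than mapped to an IAM action name, which is the part iamlive's own mapping handles.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// csmEvent holds the fields of a client-side monitoring datagram used here.
// Field names are assumed from the AWS SDK CSM event format.
type csmEvent struct {
	Type                string `json:"Type"`    // "ApiCall" or "ApiCallAttempt"
	Service             string `json:"Service"` // e.g. "S3"
	Api                 string `json:"Api"`     // e.g. "ListBuckets"
	Region              string `json:"Region"`
	FinalHttpStatusCode int    `json:"FinalHttpStatusCode"` // set on ApiCall events
}

// parseCSMEvent decodes one UDP payload. It returns ok=false for anything
// that is not a completed ApiCall event, so per-attempt events and malformed
// datagrams are ignored rather than double counted.
func parseCSMEvent(payload []byte) (ev csmEvent, ok bool) {
	if err := json.Unmarshal(payload, &ev); err != nil {
		return csmEvent{}, false
	}
	if ev.Type != "ApiCall" || ev.Service == "" || ev.Api == "" {
		return csmEvent{}, false
	}
	return ev, true
}

// collectCalls parses a batch of datagrams and returns the distinct
// "Service.Api" pairs in first-seen order. With failsOnly set, only calls
// that ended in an HTTP error status are kept, mirroring --fails-only.
func collectCalls(datagrams [][]byte, failsOnly bool) []string {
	seen := map[string]bool{}
	var calls []string
	for _, d := range datagrams {
		ev, ok := parseCSMEvent(d)
		if !ok || (failsOnly && ev.FinalHttpStatusCode < 400) {
			continue
		}
		key := ev.Service + "." + ev.Api
		if !seen[key] {
			seen[key] = true
			calls = append(calls, key)
		}
	}
	return calls
}

// sampleDatagrams are constructed payloads in the CSM shape, not captured
// from a real SDK session: one attempt event, three successful calls (one
// repeated) and one call that was denied with HTTP 403.
var sampleDatagrams = [][]byte{
	[]byte(`{"Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","HttpStatusCode":200}`),
	[]byte(`{"Type":"ApiCall","Service":"S3","Api":"ListBuckets","Region":"us-east-1","FinalHttpStatusCode":200}`),
	[]byte(`{"Type":"ApiCall","Service":"STS","Api":"GetCallerIdentity","Region":"us-east-1","FinalHttpStatusCode":200}`),
	[]byte(`{"Type":"ApiCall","Service":"S3","Api":"ListBuckets","Region":"us-east-1","FinalHttpStatusCode":200}`),
	[]byte(`{"Type":"ApiCall","Service":"IAM","Api":"GetRole","Region":"us-east-1","FinalHttpStatusCode":403}`),
	[]byte(`not json`),
}

// listenCSM reads datagrams from the address the SDKs are pointed at via
// AWS_CSM_HOST/AWS_CSM_PORT and prints each completed call until the
// process is interrupted or the socket fails.
func listenCSM(addr string) error {
	conn, err := net.ListenPacket("udp", addr)
	if err != nil {
		return err
	}
	defer conn.Close()
	buf := make([]byte, 8192)
	for {
		n, _, err := conn.ReadFrom(buf)
		if err != nil {
			return err
		}
		if ev, ok := parseCSMEvent(buf[:n]); ok {
			fmt.Printf("%s.%s (%s) status=%d\n", ev.Service, ev.Api, ev.Region, ev.FinalHttpStatusCode)
		}
	}
}

func main() {
	fmt.Println("all calls:   ", collectCalls(sampleDatagrams, false))
	fmt.Println("failed calls:", collectCalls(sampleDatagrams, true))
	// To receive live events from an SDK started with AWS_CSM_ENABLED=true:
	// _ = listenCSM("127.0.0.1:31000")
}
```

Because the listener only ever sees metrics, not the request itself, the Region is the only resource-level information available; that is why the README states that Resource can only be filled in by proxy mode.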

Proxy Mode

Proxy mode will serve a local HTTP(S) server (by default at http://127.0.0.1:10080) that will inspect requests sent to the AWS endpoints before forwarding on to generate IAM policy statements. The CA key/certificate pair will be automatically generated and stored within ~/.iamlive/ by default.

AWS CLI

To set the appropriate CA bundle in the AWS CLI, you should either use the --set-ini option or add the following to the relevant profile in .aws/config:

ca_bundle = ~/.iamlive/ca.pem

Alternatively, you can run the following in the window executing your CLI commands:

export AWS_CA_BUNDLE=~/.iamlive/ca.pem

You must also set the proxy settings for your session by running the following in the window executing your CLI commands:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080

AWS SDKs

To enable proxy mode in the various AWS SDKs, you can run the following in the window executing your application prior to it starting:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

Check the official docs for further details on setting the CA bundle.

Azure CLI and SDKs

To enable proxy mode in the Azure CLI or SDK, you can run the following in the window executing your application prior to it starting:

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export REQUESTS_CA_BUNDLE=~/.iamlive/ca.pem

Google Cloud CLI and SDKs

To enable proxy mode in the Google Cloud CLI or SDKs, you can run the following in the window executing your application prior to it starting:

gcloud config set proxy/type http
gcloud config set proxy/address 127.0.0.1
gcloud config set proxy/port 10080
gcloud config set core/custom_ca_certs_file ~/.iamlive/ca.pem

FAQs

I get a message "package embed is not in GOROOT" when attempting to build myself

This project requires Go 1.16 or above to be built correctly, because it uses the embed feature introduced in that release.

Acknowledgements

This project makes use of Parliament and was assisted by Scott Piper's CSM explainer. Thanks also to Noam Dahan's research into missing iam:PassRole dependent actions.

Contributors

bakedonion, clebio, golightsctm, iann0036, jmahowald-slalom, marcofranssen, martinbaillie, noamsdahan, tisba


iamlive's Issues

[Request] Required permissions as HTML/Markdown

After collecting the permissions which are required, being able to output that list as Markdown (preferred) and/or HTML would be handy for the documentation for the code.

Presently, a JSON-formatted IAM policy is the default. Options could be a list or table (assuming you could justify more than one column of data).

Example:

* `ec2:AuthorizeSecurityGroupEgress`
* `ec2:AuthorizeSecurityGroupIngress`
* `ec2:CreateLaunchTemplate`
* `ec2:CreateSecurityGroup`
* `ec2:DeleteLaunchTemplate`
* `iam:GetPolicy`
* `iam:GetPolicyVersion`
* `iam:GetRole`
* `iam:ListAttachedRolePolicies`
* `sts:GetCallerIdentity`

iamlive crashes when AWS GovCloud resources involved

When using iamlive in conjunction with AWS GovCloud CLI/SDK calls in proxy mode, iamlive crashes when parsing the GovCloud global endpoints that have the region of "us-gov" (example: IAM, Route53)

Error:
panic: runtime error: slice bounds out of range [:7] with length 6
github.com/iann0036/iamlive/iamlivecore.subARNParameters(<sanitized>)
/Users/runner/work/iamlive/iamlive/iamlivecore/logger.go:699

Looking at https://github.com/iann0036/iamlive/blob/main/iamlivecore/logger.go#L699, it appears in the case of a global endpoint, the Region struct field is 6 chars (us-gov) and the string slice on Line 699 is expecting 7 chars. Note that this works for non-global GovCloud ARNs since they are region specific, hence start with us-gov-<region>.

It looks like all that needs to be done is to update Line 699 to the following:
if call.Region[0:6] == "us-gov" {
and this would apply to both global us-gov and non-global us-gov-<region> references.

Forgive my lack of experience with Go syntax so I could be wrong here, but it looks to be the culprit.
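As an added example written for this page (not the project's code, nor the fix it shipped), the Go program below shows the difference the report describes: a fixed-length slice such as Region[0:7] panics on the 6-byte global value "us-gov", while a prefix check accepts both the global value and the regional us-gov-<region> form. The function names are mine, and the partition mapping only distinguishes aws-us-gov from aws.

```go
package main

import (
	"fmt"
	"strings"
)

// isGovCloudRegion reports whether a region name belongs to the GovCloud
// partition. strings.HasPrefix is safe for inputs shorter than the prefix,
// unlike a fixed-length slice, and matches both "us-gov" and "us-gov-west-1".
func isGovCloudRegion(region string) bool {
	return strings.HasPrefix(region, "us-gov")
}

// arnPartition returns the partition used in ARNs for a region:
// "aws-us-gov" for GovCloud, "aws" otherwise (other partitions, such as
// China, are deliberately not handled in this example).
func arnPartition(region string) string {
	if isGovCloudRegion(region) {
		return "aws-us-gov"
	}
	return "aws"
}

// sliceCheckPanics reproduces the failure mode from the report: slicing
// region[0:7] when the value is only 6 bytes long is a runtime panic
// ("slice bounds out of range"). It returns true if the comparison panicked.
func sliceCheckPanics(region string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = region[0:7] == "us-gov-"
	return false
}

func main() {
	for _, r := range []string{"us-gov", "us-gov-west-1", "us-east-1"} {
		fmt.Printf("%-14s partition=%-10s slice-check panics=%v\n",
			r, arnPartition(r), sliceCheckPanics(r))
	}
}
```

The same guard applies to any code that derives a partition from a region string taken off the wire: an unexpected short value should fall through to a default, not take down the proxy in the middle of a session.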

S3 PutObject "A header you provided implies functionality that is not implemented"

What is the issue?

When using iamlive with proxy mode, when trying to upload object to s3 bucket getting:

An error occurred (NotImplemented) when calling the PutObject operation: A header you provided implies functionality that is not implemented

Error code is 501 NotImplemented.

How to reproduce?

  1. Normal proxy iamlive setup
  2. run aws s3 cp command into a bucket with empty file

What have you tried to do?

I tried to compare the list of headers between the proxy output and the aws cli with --debug; overall the headers seem to be the same.
Can confirm content-length exists; the only header that was in the proxy but not in the aws cli is Accept-Encoding, but it seems to be coming from the goProxy, and I saw we're not deleting it.

I also tried to run other PUT method calls like create bucket with the proxy, no issues there, just when trying to upload into the bucket.

Note

When trying to upload a non-empty file with the same method above (aws cli), facing different issue where it can't connect to the proxy:

Failed to connect to proxy URL: "http://127.0.0.1:10080"

[0.18] Issues running inside Alpine Linux

We use Docker containers for pop-up development environments (e.g., as opposed to a VM). Trying to run it inside a Docker container, but since I can't open a second tab in my terminal (since the container session is tied to the terminal session), I can't follow the README instructions.

I've tried running it in the background, however, I keep ending up with the basic Action: null policy after running Terraform to standup my infrastructure, then kill $PID.

  1. Since Terraform calls out to the AWS APIs, I would think that this tool could read the same things going over the wire as the AWS CLI.

  2. Is there something about Docker or Alpine Linux which would prevent it from working?

containerized iamlive proxy doesn't generate --output-file on SIGHUP nor on exit

Thank you for creating this amazing project! My iamlive container, running v0.49.0, is now successfully proxying aws cli requests, as proven by its stdout captured in the following docker log entry, output in response to aws sts get-caller-identity --debug --profile <myprofile>:

my-iamlive-1  | {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sts:GetCallerIdentity"],"Resource":"*"}]}

...but it is not dumping this text into its --output-file, neither at graceful exit nor on SIGHUP.

The iamlive container is based on this one, and executes iamlive in its entrypoint as:

    /app/iamlive \
        --output-file ${IAMLIVE_SHARED_PATH}/iamlive.log \
        --mode proxy \
        --bind-addr 0.0.0.0:10080 \
        --ca-bundle ${IAMLIVE_SHARED_PATH}/ca.pem \
        --ca-key ${IAMLIVE_SHARED_PATH}/ca.key \
        | jq -c .

The ${IAMLIVE_SHARED_PATH} folder (actually /home/appuser/.iamlive) is the container mount point for a named docker volume that is shared with another "client container" that is being monitored for AWS API calls. Below is the relevant excerpt from the docker compose config that orchestrates these two containers.

services:
  main:
    environment:
      - IAMLIVE_SHARED_PATH=${IAMLIVE_SHARED_PATH}
    .
    .
    .
    build:
      args:
        - IAMLIVE_SHARED_PATH=${DEFAULT_CONTAINER_HOME}/${IAMLIVE_SHARED_FOLDER}
    .
    .
    .
    # Ensure iamlive container is run before main
    depends_on:
      - "iamlive"
    volumes:
      - "dot-iamlive:${DEFAULT_CONTAINER_HOME}/${IAMLIVE_SHARED_FOLDER}:rw"
  iamlive:
    environment:
      - IAMLIVE_SHARED_PATH=${IAMLIVE_SHARED_PATH}
    .
    .
    .
    build:
      args:
        - IAMLIVE_SHARED_PATH=${IAMLIVE_SHARED_PATH}
    .
    .
    .
    user: "${HOST_UID}:${HOST_GID}"
    expose:
       - "${IAMLIVE_LISTENER_HTTP_HTTPS_PORT}"
    volumes:
      - "dot-iamlive:${IAMLIVE_SHARED_PATH}:rw"
volumes:
  dot-iamlive:

(All I've removed from the above are many superfluous and noisy variable definitions.)

Mutual access to the shared volume has already been proven working correctly, since:

  1. the IAMLIVE_SHARED_PATH mount point in the iamlive container is where iamlive dumps the required ca.pem and ca.key files, and
  2. the IAMLIVE_SHARED_PATH mount point in the main (client) container is where the client application instructs the AWS CLI to read the certificate bundle from, using:
     export AWS_CA_BUNDLE=${IAMLIVE_SHARED_PATH}/ca.pem

As mentioned at the top, I've also proven that this scheme of two applications/containers is working in terms of networking and application configuration. The iamlive proxy is receiving the sts get-caller-identity request and dumping to stdout a policy document correctly containing a sts:GetCallerIdentity action.

The issue

I've yet to see a iamlive.log file get dumped.

Use case 1: iamlive exits

At first, I had the main container sleep several seconds after the successful aws sts get-caller-identity transaction, and then exit. Because main depends_on iamlive, main is stopped first, then iamlive. Here, I expected that the iamlive application would be sent and would catch SIGTERM, and then run this code to write (and flush??) GetPolicyDocument()'s return value to the outputFileFlag. Since the file path being written is in a mounted folder backed by docker volume on the host, if this file got written, I expected that to persist until the next container run. (There is nothing in this system that deletes files in that shared volume folder.)

Use case 2: SIGHUP

Next, I modified the project to enable the client application running in the main container to send UNIX process signals to other containers, specifically so that it could send SIGHUP to the iamlive container as a way to force it to dump the policy to disk before exiting. For the curious, this required:

  1. sharing with main the path to the host's docker daemon socket via a host docker volume, and
  2. ensuring the user in main has the correct permissions to access that socket, and
  3. POSTing to this socket at the URL http://localhost/containers/<target_container_id>/kill?signal=SIGHUP

When testing this, however, everything worked just fine (the POST gets a 204 No Content response, which is the expected "successful" result for this API call), except that the iamlive.log file did not get dumped. I confirmed that I was using the correct docker daemon API and the correct target_container_id by removing the ?signal=SIGHUP part of the URL, which sends SIGKILL by default, and observing the iamlive container exiting immediately after the request was POSTed from the client application running in the main container.

Summary

So, this feels like a bug, but I could also use some help in troubleshooting this from the iamlive side, so please send me any ideas you have on troubleshooting techniques for this app. I've not seen any debugging or verbose mode, nor have I looked at the source code much yet, but I am now stumped and receptive to any help. I realize that this usage mode is unusual (most people seem to be monitoring AWS CLI activity from the host system instead of from another container), but this is why I explained myself so thoroughly. Still, let me know if you need any more info to help.

Thanks again for creating this amazing project!

Error when brew install iann0036/iamlive/iamlive

Error: Invalid formula: /home/username/.linuxbrew/Homebrew/Library/Taps/iann0036/homebrew-iamlive/iamlive.rb
formulae require at least a URL
Error: Cannot tap iann0036/iamlive: invalid syntax in tap!

A double slash added in IAM Role resource ARN

Removing the slash fixed my issue.

This is my terraform run after for clarity:

 ~ Resource = "arn:aws-us-gov:iam::12345678:role//server-test" -> "arn:aws-us-gov:iam::12345678:role/server-test"

`elasticloadbalancing:DescribeTags` not added

When I run terraform apply as an admin, it works with 0 changes. When I apply the generated policy to a new user, I get ... is not authorized to perform: elasticloadbalancing:DescribeTags

Adding this fixes my issue:

~ Action   = [
                            # (14 unchanged elements hidden)
                            "elasticloadbalancing:DescribeListeners",
                          + "elasticloadbalancing:DescribeTags",
                        ]

I saw some chatter on an issue that this can be updated in iamlivecore/map.json, but didn't follow enough to submit a pull. Happy to do so with some guidance.

set-ini re-formats the aws/config file

Using Azure as the GitHub security provider, my config file contains blocks in the format

[profile <profile_name>]
azure_tenant_id              = <uuid>#<aws_account_id>
azure_app_id_uri             = https://signin.aws.amazon.com/saml
azure_default_username=<my user @ name.com>
azure_default_role_arn       = <role arn>

but running set-ini reformats all these blocks to something like

[profile <profile_name>]
azure_tenant_id              = <uuid>
#<aws_account_id>
azure_app_id_uri             = https://signin.aws.amazon.com/saml
azure_default_username              = <my user @ name.com>
azure_default_role_arn       = <role arn>

the hash is taken to be a comment and moved to another line and the app id is exploded to make the equals symbols from each profile line up.

This causes the file to be unusable.

using iamlive in proxy mode with localstack

I am currently trying to get iamlive in proxy mode working with localstack, but I am having a problem. I think it has something to do with the AWS endpoint URL, and from what I can tell I can't figure out how to set that for iamlive to pick up.

I am just curious if anyone has gotten this working, or is there a setting I have overlooked?

GitHub Actions workflow running iamlive - how long to wait until the iam output file is fully populated

Hi,

I have a GitHub Actions workflow which essentially does this:

  1. starts iamlive
  2. runs terraform (with overly permissive permissions so it runs to completion)
  3. stop iamlive with a SIGTERM

I have noticed that if I stop iamlive as soon as the terraforming has completed, then the iamlive output file does not have all the permissions in the file that it has used for the terraforming - as it seems iamlive takes an unknown amount of time to fully populate that file.

So I have set a wait of 60 secs after the terraforming and before I stop iamlive.

Is 60 secs a reasonable time to wait, or should it be longer/shorter in duration?

Thanks.

No IAM policies are generated

I am trying out a simple setup.
I have downloaded the latest 0.45 version executable for Windows and running

iamlive --set-ini

In another terminal, I am running

aws s3api list-buckets

Aws returns a list of buckets that I have in the account, but nothing is outputted in iamlive terminal.

I have tried this out on both Windows 10 and 11 with personal and work accounts.

[Request] Silent mode

Requesting an option to run silently (i.e., no writing to stdout). This would require the use of --output-file (otherwise, it wouldn't make sense).

Running iamlive in CSM mode in GitHub Actions workflow - SIG does not work

Hi,

I am trying to run iamlive as part of a GitHub Actions workflow. Everything is fine except one important detail, for some reason GitHub Actions does not seem to kill the iamlive process when I send kill -SIGHUP.

I also tried SIGTERM and SIGQUIT but to no avail.

The only thing that kills the process is SIGKILL but that means I do not get an output file produced.

This seems to be some odd behaviour with either the GitHub Actions (I am using a GitHub hosted ubuntu runner).

Would it be possible for iamlive to be updated so it can write to the file while it is running, so there is no need to kill the process before the file is available?

Thanks.

Feature Request: Support multiple clients and remote deployment

Hi, great tool!
I am looking to use this in a slightly "advanced" use case.
Due to different constraints and friction, I want to enable running this as a remote service and session aware.

Remote Service:

  • Deploy this as a remote UDP server with support for k8s.
  • Similar to the output flag functionality store policies in files.
  • Expose HTTP endpoint to view generated policies based on the file name created

Session Aware:
The idea is that to support multiple clients the service needs to:

  • Know which request belongs to which client and split it into logical partitions per client.
  • Context/Partitions can be extracted from things like the AccessKey ID / User-agent/ Source IP+Port. It is also possible to get the actual IAM user name from the access key id.
  • Merge session policies to one: Since a session can contain more than 1 request maybe merge all the policies into one to simplify operations.

A Real-life use case example:

  • A developer that runs a pipeline of spark jobs running in Airflow orchestrator.
  • The spark job uses the spark SDK to make several calls to AWS services behind the scenes in one single spark function.
  • The developer receives a "permission denied" error but not sure what permission they need and where is the problem exactly since the direct API calls are abstracted.

The goal is to minimize the time it takes to troubleshoot and to support the least privilege principle.
So this would be solved really quickly: the developer would add the required environment variables to the spark job and rerun it.

Then the developer would go to the iamlive HTTP endpoint URL and find his session details with the policy created.

I have several ideas of how this could be implemented and would love to help!

If this is something you can consider adding, I'd love to talk more about it and elaborate.

brew upgrade throws warnings

Just ran brew upgrade this morning and got a bunch of warnings I'd not seen before.

➜ brew upgrade
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 2 taps (homebrew/core and homebrew/cask).
==> Updated Formulae
Updated 17 formulae.
==> New Casks
topnotch
==> Updated Casks
Updated 2 casks.
Warning: Calling bottle :unneeded is deprecated! There is no replacement.
Please report this issue to the iann0036/iamlive tap (not Homebrew/brew or Homebrew/core):
  /usr/local/Homebrew/Library/Taps/iann0036/homebrew-iamlive/iamlive.rb:9


Warning: Calling bottle :unneeded is deprecated! There is no replacement.
Please report this issue to the iann0036/iamlive tap (not Homebrew/brew or Homebrew/core):
  /usr/local/Homebrew/Library/Taps/iann0036/homebrew-iamlive/iamlive.rb:9

Add checksums and/or signature to verify trustworthiness

It would be great if future releases would include at a minimum some checksums so I can compare the release against the checksum to verify I downloaded the binary I thought to be downloading.

Another step would be to also add signatures.

See https://github.com/philips-labs/slsa-provenance-action/releases for a project that applies these things on the released assets.

See the GitHub Actions workflow on how the checksums and signatures are added.

OIDC “iamlive CA” certificate is not trusted

Hi, I'm trying to use iamlive to validate permissions in Terraform that builds an AWS EKS environment and sets up OIDC. It was working great until it got to the OIDC stuff and then failed with the below error.

Error:

 Error: Failed to identify fetch peer certificates
 
   with data.tls_certificate.shared-services_tls,
   on eks.tf line 22, in data "tls_certificate" "shared-services_tls":
   22: data "tls_certificate" "shared-services_tls" {
 
 failed to fetch certificates from URL 'https': Get
 "https://oidc.eks.us-east-1.amazonaws.com:443/id/3DDFA9B63C55CAF000453A371F8C30CB": x509: “iamlive CA” certificate is not
 trusted

Before failing it output this policy perfect 👍

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","s3:ListBucket","sts:GetCallerIdentity","iam:CreatePolicy","iam:CreateRole","ec2:CreateManagedPrefixList","ec2:CreateSecurityGroup","ec2:CreateSubnet","ec2:CreateTags","iam:GetPolicy","iam:AttachRolePolicy","iam:GetPolicyVersion","iam:GetRole","ec2:DescribeManagedPrefixLists","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","iam:ListRolePolicies","iam:ListAttachedRolePolicies","iam:CreateInstanceProfile","ec2:ModifySubnetAttribute","iam:GetInstanceProfile","ec2:GetManagedPrefixListEntries","iam:AddRoleToInstanceProfile","iam:PassRole","ec2:RevokeSecurityGroupEgress","ec2:AuthorizeSecurityGroupIngress","ec2:AuthorizeSecurityGroupEgress","eks:CreateCluster","eks:DescribeCluster","eks:CreateAddon","eks:CreateNodegroup","eks:DescribeAddon","eks:DescribeNodegroup"],"Resource":"*"}]}

[Bug] API Gateway not tracked

Using Terraform to create api gateway resources I noticed that none of the actions were being logged in the iamlive policy.

Confirmed it on my end using the CLI with aws --region ap-southeast-2 apigateway get-rest-apis
Other CLI calls such as aws sts get-caller-identity do work in the same iamlive session.

This is the iamlive command being used:
iamlive --set-ini --profile default --mode proxy

iamlive command not found

Hello - I am trying to set up iamlive on AWS EC2, but after running go install in the base folder I get this error saying the command is not found:

[ec2-user@ip-172-31-54-119 ~]$ iamlive
-bash: iamlive: command not found

Steps to install:

  1. Install go
     sudo yum install go
  2. Verify go version
     [ec2-user@ip-172-31-54-119 ~]$ go version
     go version go1.18.9 linux/amd64
  3. git clone and install repo
     git clone <repo>
     cd iamlive
     go install

I've tried restarting the ssh session but it doesn't seem to pick up the iamlive command still. Any thoughts?

AWS CLI hangs in proxy mode

Hi,

I am trying to make a POC with iamlive, it seems that somehow iamlive proxy results in aws cli hanging on most of the operations.

I have set up env variables as per documentation; iamlive seems to correctly intercept calls:
However, the terminal with the aws command hangs without any output. So I have run it in debug mode. It seems the request stops at this point and retries:

2022-03-08 22:49:04,436 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (3): s3.eu-central-1.amazonaws.com:443

Full logs below:

GET
/

host:s3.eu-central-1.amazonaws.com
x-amz-content-sha256:/hidden/
x-amz-date:20220308T204904Z

host;x-amz-content-sha256;x-amz-date
/hidden/
2022-03-08 22:49:04,434 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20220308T204904Z
20220308/eu-central-1/s3/aws4_request
/hidden/
2022-03-08 22:49:04,436 - MainThread - botocore.auth - DEBUG - Signature:
/hidden/
2022-03-08 22:49:04,436 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://s3.eu-central-1.amazonaws.com/, headers={'User-Agent': b'aws-cli/2.4.18 Python/3.8.8 Windows/10 exe/AMD64 prompt/off command/s3api.list-buckets', 'X-Amz-Date': b'20220308T204904Z', 'X-Amz-Content-SHA256': /hidden/', 'Authorization': b'AWS4-HMAC-SHA256 Credential=/hidden//20220308/eu-central-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=/hidden/'}>
2022-03-08 22:49:04,436 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (3): s3.eu-central-1.amazonaws.com:443
2022-03-08 22:50:07,102 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x0000028AD3E5FB50>>
2022-03-08 22:56:00,193 - MainThread - botocore.retries.standard - DEBUG - Max attempts of 3 reached.
2022-03-08 22:56:00,224 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2022-03-08 22:56:00,225 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x0000028AD3E5FBB0>>
2022-03-08 22:56:00,225 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "urllib3\connectionpool.py", line 449, in _make_request
  File "<string>", line 3, in raise_from
  File "urllib3\connectionpool.py", line 444, in _make_request
  File "http\client.py", line 1347, in getresponse
  File "http\client.py", line 307, in begin
  File "http\client.py", line 268, in _read_status
  File "socket.py", line 669, in readinto
  File "ssl.py", line 1241, in recv_into
  File "ssl.py", line 1099, in read
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "awscli\botocore\httpsession.py", line 344, in send
  File "urllib3\connectionpool.py", line 785, in urlopen
  File "urllib3\util\retry.py", line 525, in increment
  File "urllib3\packages\six.py", line 770, in reraise
  File "urllib3\connectionpool.py", line 703, in urlopen
  File "urllib3\connectionpool.py", line 451, in _make_request
  File "urllib3\connectionpool.py", line 340, in _raise_timeout
urllib3.exceptions.ReadTimeoutError: AWSHTTPSConnectionPool(host='s3.eu-central-1.amazonaws.com', port=443): Read timed out. (read timeout=60)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "awscli\clidriver.py", line 459, in main
  File "awscli\clidriver.py", line 594, in __call__
  File "awscli\clidriver.py", line 770, in __call__
  File "awscli\clidriver.py", line 901, in invoke
  File "awscli\clidriver.py", line 913, in _make_client_call
  File "awscli\botocore\client.py", line 281, in _api_call
  File "awscli\botocore\client.py", line 595, in _make_api_call
  File "awscli\botocore\client.py", line 615, in _make_request
  File "awscli\botocore\endpoint.py", line 102, in make_request
  File "awscli\botocore\endpoint.py", line 156, in _send_request
  File "awscli\botocore\endpoint.py", line 200, in _do_get_response
  File "awscli\botocore\endpoint.py", line 269, in _send
  File "awscli\botocore\httpsession.py", line 379, in send
botocore.exceptions.ReadTimeoutError: Read timeout on endpoint URL: "https://s3.eu-central-1.amazonaws.com/"

Read timeout on endpoint URL: "https://s3.eu-central-1.amazonaws.com/"

Command: aws s3api list-buckets
OS: Windows 11

InvalidSignatureException: The request signature we calculated does not match the signature you provided. ...

As the title says, we're getting this error when using iamlive, but only in proxy mode.

We're setting up AWS infrastructure via Terraform and the same code works just fine with iamlive in CSM mode.

I've noticed this error when working with DynamoDB resources, like tables. This simple configuration is enough to trigger it.

resource "aws_dynamodb_table" "dummy" {
  name = "dummy-iamlive-table"
  hash_key = "id"

  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "id"
    type = "S"
  }
}

The complete error given by Terraform is:

Error: error creating DynamoDB Table: InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

If it helps, we're running:

  • go version go1.16.3 linux/amd64
  • aws-cli/2.1.15 Python/3.7.3 Linux/5.11.11-200.fc33.x86_64 exe/x86_64.fedora.33 prompt/off
  • Terraform v0.14.8 + provider registry.terraform.io/hashicorp/aws v3.39.0

I've used this tutorial as well, hoping to isolate iamlive from my local environment: https://dev.to/unfor19/determining-aws-iam-policies-according-to-terraform-and-aws-cli-27md

Could anyone point us in the right direction?
Is there something that I'm doing wrong?

[Request] Proper background/detached mode.

By default, this tool runs in the foreground and prints data to stdout.

It would be nice to enable a proper background/detached mode, which:

  1. Runs in the background.
  2. When run in the background, it returns its PID.
  3. Implies the use of -output-file.
  4. Background mode would not write to stdout.

That would let me do something like this:

ACCOUNT_ID=$(aws sts get-caller-identity | jq -Mr '.AccountId')

IAMLIVE_PID=$(
    iamlive \
        --detached \
        --mode proxy \
        --output-file policy.json \
        --refresh-rate 1 \
        --sort-alphabetical \
        --bind-addr 127.0.0.1:10080 \
        --ca-bundle ~/.iamlive/ca.pem \
        --ca-key ~/.iamlive/ca.key \
        --account-id "$ACCOUNT_ID"
)

export AWS_CSM_ENABLED=true
export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem

terraform apply -auto-approve
terraform destroy -auto-approve

kill "$IAMLIVE_PID"

It also means that policy.json would need to be written even if a SIGKILL is received. (If there's a different signal that should be sent, documenting it would be valuable.)

In proxy mode, delegate non-aws calls to system-configured proxy?

In our org we use a proxy for all external requests. Other than AWS endpoints, there is no direct access to public internet. We have system wide proxies - and excludes for AWS stuff - configured, which looks like this:

HTTP_PROXY="http://example.com:8080"
HTTPS_PROXY="http://example.com:8080"
NO_PROXY="127.0.0.1,169.254.169.254,169.254.170.2,localhost,amazonaws.com,amazon.com"

Now we have a use case where we need to run calls to AWS and other domains from the same process. When we point the proxy to the iamlive proxy, other requests fail. So it's impossible to record the actions with iamlive.

I tried to set a proxy for iamlive itself but it looks like it is ignored.

HTTP_PROXY="http://example.com:8080" \
HTTPS_PROXY="http://example.com:8080" \
NO_PROXY="127.0.0.1,169.254.169.254,169.254.170.2,localhost,amazonaws.com,amazon.com" \
iamlive --mode proxy --bind-addr "0.0.0.0:10080"

When I run a process with proxy environment pointed to http://127.0.0.1:10080 it can only talk to AWS.

Is this a user error or currently not supported?

CDK Support

Hey, this utility looks like just the thing I want to narrow down permissions needed for CI users to have the ability to run CDK commands.

I'm giving the utility a go now and I'm wondering if I should be getting output or not?

I'm doing

iamalive --set-ini --profile <my-profile>

And

cdk diff

But getting no output at the moment

Segfault when running with CSM enabled via env var on linux amd64

Running this command:

$ iamlive --profile default

on version v0.12/iamlive-v0.12-linux-amd64.tar.gz with the AWS_CSM_ENABLED=true environment variable set in the window where I'm doing my calls results in the following segfault and trace:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "cloudformation:DescribeStacks",
                "sts:AssumeRole",
                "resource groups tagging api:GetResources",
                "cloudformation:GetTemplate",
                "cloudformation:DeleteStack",
                "iam:ListRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:DeleteRole",
                "ssm:DeleteParameter"
            ],
            "Resource": "*"
        }
    ]
}
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
main.getDependantActions(0xc0000d0080, 0x2, 0x2, 0xd, 0xc0000d0080, 0x2)
        /github/workspace/main.go:275 +0x6dd
main.getPolicyDocument(0xc0005c20d8, 0x16, 0x5)
        /github/workspace/main.go:178 +0x3ca
main.writePolicyToTerminal()
        /github/workspace/main.go:221 +0x4e
main.handleLoggedCall(...)
        /github/workspace/main.go:212
main.listenForEvents()
        /github/workspace/main.go:159 +0x453
main.main()
        /github/workspace/main.go:360 +0x8b

It doesn't seem like the oddly formatted "resource groups tagging api" action is the culprit. I am unfortunately unsure what call I made immediately before this fault, as I was testing out this tool to discover the actual IAM calls made by a different CLI. Some possibilities are Secrets Manager, CodePipeline, and S3.

[Request] Simplified policy mode

Would like to have an option to intentionally focus more on the actions than the resources, regardless of which mode it's running in.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeImages",
                (…snip…)
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "iam:RemoveRoleFromInstanceProfile",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

UnrecognizedClientException: The security token included in the request is invalid

I'm testing iamlive in proxy mode against an app that is calling the lambda.DeleteFunction() API and getting the following error:

https response error StatusCode: 403, RequestID: 2dfd38a6-d5ec-4fd9-8a9f-aab7abd2f382, api error UnrecognizedClientException: The security token included in the request is invalid

I got a similar error calling CreateRole...

operation error IAM: CreateRole, https response error StatusCode: 403, RequestID: 044e8cbe-69cb-4d4c-89b5-1786486f6ae4, api error InvalidClientTokenId: The security token included in the request is invalid

What am I doing wrong?

Doubled ARN when using secretmanager

When retrieving a secret value the output for the resource ARN will be doubled like so:
{
    "Effect": "Allow",
    "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
    ],
    "Resource": "arn:aws:secretsmanager:eu-central-1:XXX:secret:arn:aws:secretsmanager:eu-central-1:XXX:secret:*"
}
Used command:
iamlive --set-ini --account-id "XXX" --mode proxy --output-file cicd-policy.json --sort-alphabetical

Certificate generation

Hi @iann0036 , awesome tool to begin with and thanks for sharing with the community.
One thing I noticed is that when I run iamlive locally it generates the key pair in my home directory and works fine. But when I run it in a CICD pipeline in a container, it does not generate the certificates by default. I tried looking for them under the root home directory (the container runs under root user) and can't find them. Not sure why the behaviour is different. Would appreciate any pointers!

I have a work around where I download the keys on the fly but would like to avoid downloading them if possible.
Thanks

error configuring S3 Backend

Hi There,

I may be way off here but I'm attempting to use the proxy mode & we have an AWS S3 backend... when I run the following configurations:

(application console)

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem
export NO_PROXY=sts.amazonaws.com,registry.terraform.io

I'm seeing the following issue:

Initializing the backend...
╷
│ Error: error configuring S3 Backend: no valid credential sources for S3 Backend found.
│ 
│ Please see https://www.terraform.io/docs/language/settings/backends/s3.html
│ for more information about providing credentials.
│ 
│ Error: RequestError: send request failed
│ caused by: Post "https://sts.amazonaws.com/": x509: certificate signed by unknown authority

Now this could be because we are using a specific AWS account for our backend, then a different account for our resources (like admin/dev) so maybe there's an issue there?

I did try this as an option during setup:
(listening console)

iamlive --set-ini --mode proxy --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012,987654321098 --force-wildcard-resource

or

iamlive --set-ini --mode proxy --profile adminaccount,devaccount --output-file policy.json --refresh-rate 1 --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key --account-id 123456789012,987654321098 --force-wildcard-resource

(account ids made generic)
I did omit --profile & --account-id in multiple attempts & tried adding them in others but still nothing.

or am I doing something really wrong here?

Feature request: Populate `Resource` field

Would it be feasible to populate the Resource field with the appropriate value? An example would be the S3 bucket name and object key for the s3:GetObject action.

A useful side effect here is that it'd be necessary to split the policy into multiple statements, grouped by resource. (Since it is unlikely that resource specifiers are shared between services, you effectively also get grouping by service.)

Motivation: It is often desirable to design a least-privilege policy, where only the necessary resources are allowed. An example would be s3:GetObject, where the bucket and object would be part of the ARN in the Resource specifier. A user would be free to reduce the specificity of the resources after, by replacing suffixes with wildcards, etc.
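The design sketched in this request, written out as an added example (not iamlive code): observed (action, resource) pairs are grouped into one statement per resource, and a small helper lets the user coarsen a resource afterwards by replacing its last path segment with a wildcard. The observations in OBSERVED are constructed sample data.

```python
"""Group observed (action, resource) pairs into per-resource IAM statements.

Added illustration, not part of iamlive. One statement per distinct resource
also yields grouping by service in practice, since ARNs are service-specific.
"""
import json

# Constructed sample: (action, resource ARN) pairs as a proxy could observe them.
OBSERVED = [
    ("s3:GetObject", "arn:aws:s3:::example-bucket/config/app.yaml"),
    ("s3:GetObject", "arn:aws:s3:::example-bucket/config/db.yaml"),
    ("s3:ListBucket", "arn:aws:s3:::example-bucket"),
    ("dynamodb:GetItem", "arn:aws:dynamodb:eu-central-1:123456789012:table/dummy"),
    ("dynamodb:PutItem", "arn:aws:dynamodb:eu-central-1:123456789012:table/dummy"),
    ("sts:GetCallerIdentity", "*"),
]


def wildcard_suffix(arn: str) -> str:
    """Coarsen an ARN by replacing its last '/'-separated segment with '*'.

    'arn:aws:s3:::b/config/app.yaml' -> 'arn:aws:s3:::b/config/*'.
    ARNs without a '/' path (a bare bucket, or '*') are returned unchanged.
    """
    head, sep, _tail = arn.rpartition("/")
    return f"{head}{sep}*" if sep else arn


def group_by_resource(observed, coarsen=False):
    """Build a policy with one Allow statement per distinct resource.

    Actions for the same resource are de-duplicated and sorted, and the
    statements are ordered by resource, so the output is stable and diffable.
    """
    by_resource = {}
    for action, resource in observed:
        if coarsen:
            resource = wildcard_suffix(resource)
        by_resource.setdefault(resource, set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(group_by_resource(OBSERVED), indent=4))
    print(json.dumps(group_by_resource(OBSERVED, coarsen=True), indent=4))
```

With coarsen=True the two S3 object keys collapse into a single "config/*" statement and the DynamoDB table into "table/*"; the bucket-level and "*" resources are left as they are, which is the "reduce specificity after the fact" step the request describes.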

No output when running golang cli which uses the AWS SDK

Hey there 😄 - Been here before with CDK related questions!

I've got a Golang CLI which makes calls with the Go AWS SDK...

With a terminal window with:

iamlive --set-ini

And another window with:

AWS_CSM_ENABLED=true AWS_CSM_PORT=31000 AWS_CSM_HOST=127.0.0.1 <my cli command>

I get no output from iamlive, I'm trying to figure out what I might be doing wrong?

Policies shouldn't be generated when `Action` is null

Hello! Thank you for iamlive!

I ran an aws sts get-caller-identity command with temporary assume-role credentials from an IAM role. iamlive generated the following policy, which is invalid. I don't think any permissions are needed for this particular call. Should iamlive just not generate a policy when Action is null?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": null,
            "Resource": "*"
        }
    ]
}


[BUG] Creating AWS VPC with terraform is not tracked by iamlive

Hey @iann0036 , I've tried to create the AWS VPC Module with Terraform, using iamlive in Proxy Mode.

Issue

iamlive did not track the required permissions for creating an AWS VPC with terraform

Details

terraform apply
# request proxied through iamlive

The IAM policy that was generated for my dummy-user by iamlive:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "ec2:DescribeAccountAttributes",
                "ec2:CreateVpc"
            ],
            "Resource": "*"
        }
    ]
}

I updated the dummy-user's IAM policy with the above generated IAM policy. And I still got the following error

terraform apply
...
# Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: ENCODED_MESSAGE

I decoded the ENCODED_MESSAGE by following this tutorial by AWS

aws sts decode-authorization-message --encoded-message "$ENCODED_MESSAGE" | jq -c '.DecodedMessage | fromjson | .context.action'

# Output:
# "ec2:CreateTags"

This makes sense, dummy-user is not allowed to ec2:CreateTags, but why didn't iamlive track this permission?

So now I'm thinking, does iamlive track encoded messages and try to decode them?

P.S. I also tried aws s3 cp myfile s3://mybucket/myfile and the s3:PutObject wasn't tracked by iamlive, as if it isn't even proxied via iamlive; an IAM Policy wasn't generated. When I tried to copy the file from the bucket to my machine with aws s3 cp s3://mybucket/myfile ./myfile, I saw that iamlive was able to generate an IAM Policy. Not sure if it helps, but it might be related.
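The iteration loop in this report (apply the generated policy, decode each UnauthorizedOperation message with aws sts decode-authorization-message, find what is still missing) can be scripted. The following is an added example, not iamlive code: it reads the JSON that decode-authorization-message returns (DecodedMessage is itself a JSON string, which is why the jq pipeline above uses fromjson), pulls out context.action, and reports which of those actions the policy does not cover, honouring IAM's case-insensitive matching and "*" wildcards in Action. POLICY and DECODED_MESSAGES are constructed samples shaped like the report's output; the ARN and account ID in them are placeholders.

```python
"""Compare actions from decoded authorization failures against a policy.

Added example, not part of iamlive. Feed it the generated policy and the
output of `aws sts decode-authorization-message` for each failure, and it
lists the actions the policy still lacks so they can be added deliberately.
"""
import fnmatch
import json

# Constructed: the shape of the policy quoted in the report.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sts:GetCallerIdentity", "ec2:DescribeAccountAttributes", "ec2:CreateVpc"],
         "Resource": "*"}
    ],
}

# Constructed: what decode-authorization-message returns (placeholder ARN/account).
DECODED_MESSAGES = [
    {"DecodedMessage": json.dumps({
        "allowed": False,
        "context": {"action": "ec2:CreateTags",
                    "resource": "arn:aws:ec2:eu-central-1:123456789012:vpc/vpc-0example"}})},
    {"DecodedMessage": json.dumps({
        "allowed": False,
        "context": {"action": "ec2:ModifyVpcAttribute",
                    "resource": "arn:aws:ec2:eu-central-1:123456789012:vpc/vpc-0example"}})},
    {"DecodedMessage": json.dumps({
        "allowed": False,
        "context": {"action": "ec2:CreateVpc", "resource": "*"}})},
]


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect Action patterns from Allow statements (Deny and Condition are ignored)."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            patterns.update(as_list(stmt.get("Action")))
    return patterns


def action_covered(action, patterns):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def denied_action(decoded):
    """Extract context.action from one decode-authorization-message result."""
    return json.loads(decoded["DecodedMessage"])["context"]["action"]


def missing_actions(policy, decoded_messages):
    """Return, sorted and de-duplicated, the denied actions the policy lacks."""
    patterns = allowed_actions(policy)
    denied = {denied_action(m) for m in decoded_messages}
    return sorted(a for a in denied if not action_covered(a, patterns))


def add_actions(policy, actions):
    """Return a copy of the policy with the actions added to its first Allow statement."""
    new = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    target = next(s for s in new["Statement"] if s.get("Effect") == "Allow")
    target["Action"] = sorted(set(as_list(target.get("Action"))) | set(actions))
    return new


if __name__ == "__main__":
    missing = missing_actions(POLICY, DECODED_MESSAGES)
    print("missing:", missing)
    print(json.dumps(add_actions(POLICY, missing), indent=4))
```

The third constructed message (ec2:CreateVpc) is already covered and so is filtered out; only ec2:CreateTags and ec2:ModifyVpcAttribute are reported. Decoded messages also carry the resource that was denied, so the same data can feed a per-resource policy instead of Resource "*".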

Proxy Mode Doesn't Work for `cloudfront create-invalidation`

I'm running iamlive --set-init --profile test --mode proxy in one terminal window. I have AWS_CA_BUNDLE, HTTP_PROXY and HTTPS_PROXY set as per the documentation.
When I issue aws --profile test cloudfront list-distributions --query "..." --output text in another terminal, I see the output from iamlive, however when I run aws --profile test cloudfront create-invalidation --distribution-id <myID> --paths "/*" I get nothing from iamlive.
Tried to restart iamlive just before issuing create-invalidation command, but it didn't help.

Terraform fails on x509 certificate error in proxy mode

Hi,

Everything works well in csm mode, but the resources are not detailed.
So I'm trying to use the proxy mode. AWS CLI is working fine. Terraform is working mostly fine except with some modules.

Shell 1)

iamlive -set-ini -mode proxy

Shell 2)

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem
terraform init
terraform apply

terraform init fails on "Initializing provider plugins...":

│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider hashicorp/http: could not connect to registry.terraform.io: Failed to request discovery document: Get "https://registry.terraform.io/.well-known/terraform.json": x509: certificate signed by unknown authority

And terraform apply fails on downloading https://www.gstatic.com/ipranges/cloud.json:

│ Error: Error making request: Get "https://www.gstatic.com/ipranges/cloud.json": x509: certificate signed by unknown authority

Cognito IDP not tracked

Using Terraform it appears that cognito idp actions are not being tracked. Other services created/updated/deleted with the terraform are fine but nothing for cognito-idp. Also tracks nothing via the AWS CLI.

Have tried the latest docker container and the latest brew package and neither logs anything for IDP.

For example, if I:

iamlive --set-ini --mode proxy --profile riversafe --output-file policy.json --sort-alphabetical --bind-addr 127.0.0.1:10080 --ca-bundle ~/.iamlive/ca.pem --ca-key ~/.iamlive/ca.key

and then:

aws cognito-idp list-user-pools --profile riversafe --max-results=20

the iamlive terminal session just shows:

{
    "Version": "2012-10-17",
    "Statement": []
}

Other services I'm capturing (appsync, dynamodb, s3, lambda, cloudfront) all work just fine.

(python310) ➜  ~ docker images | grep iamlive
unfor19/iamlive-docker                                                                    latest               9a5d1c84f391   2 weeks ago     71.1MB
(python310) ➜  ~ brew info iamlive
==> iann0036/iamlive/iamlive: stable 0.50.0
Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy.
https://github.com/iann0036/iamlive
/usr/local/Cellar/iamlive/0.50.0 (3 files, 28.7MB) *
  Built from source on 2023-03-31 at 17:00:21
From: https://github.com/iann0036/homebrew-iamlive/blob/HEAD/iamlive.rb
License: MIT
(python310) ➜  ~ terraform --version
Terraform v1.4.2
on darwin_amd64

Your version of Terraform is out of date! The latest version
is 1.4.4. You can update by downloading from https://www.terraform.io/downloads.html
(python310) ➜  ~ aws --version
aws-cli/1.27.103 Python/3.10.10 Darwin/21.6.0 botocore/1.29.103
(python310) ➜  ~

Interest in static binaries? / Nix instructions

Would you be interested in statically compiling the release binaries? No worries if not, just close this issue off.

In case it helps other Nix users passing by: patching the ELF will suffice until Go 1.16 RCs hit Nixpkgs.

; patchelf \
      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" iamlive

CloudWatch log permissions has a space

I haven't yet figured out what's different about CloudWatch Logs, but the permissions are coming out as
"cloudwatch logs:DeleteLogGroup"
"cloudwatch logs:ListTagsLogGroup",
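Several reports on this page describe output that IAM would reject: a service prefix containing spaces ("cloudwatch logs:..." here, "resource groups tagging api:..." in the panic trace above), a Resource whose "arn:" prefix is repeated (the Secrets Manager report), and a statement whose Action is null (the sts get-caller-identity report). A practitioner feeding iamlive output into a pipeline will want to catch these before attaching the policy. The following linter is an added example, not iamlive code; SAMPLE is a constructed policy that stitches those quoted fragments together, with the account placeholder XXX kept from the report.

```python
"""Lint a generated policy for the malformations reported in the issues.

Added check script, not part of iamlive. Findings are returned rather than
printed so a CI step can fail on them; clean_policy() applies only the two
mechanical repairs (drop empty statements, collapse a doubled ARN prefix) and
leaves prefix-with-spaces actions for a human to map to the right service.
"""
import json
import re

# service prefix (no spaces) : action name, with IAM's '*' and '?' wildcards
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*?]+)$")

# Constructed sample combining the malformed fragments quoted in the issues.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": None, "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch logs:DeleteLogGroup", "logs:ListTagsLogGroup"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:eu-central-1:XXX:secret:"
                     "arn:aws:secretsmanager:eu-central-1:XXX:secret:*"},
    ],
}


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def dedupe_arn(resource):
    """Collapse 'arn:...:arn:...:*' to the last 'arn:' occurrence; others unchanged."""
    if resource.count("arn:") > 1:
        return resource[resource.rfind("arn:"):]
    return resource


def lint_policy(policy):
    """Return a list of (statement_index, message) findings; empty means clean."""
    findings = []
    statements = policy.get("Statement", [])
    if not statements:
        findings.append((None, "policy has no statements"))
    for i, stmt in enumerate(statements):
        actions = as_list(stmt.get("Action"))
        if not actions:
            findings.append((i, "Action is null or empty; IAM rejects the statement"))
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append((i, f"malformed action {action!r} (service prefix must not contain spaces)"))
        for resource in as_list(stmt.get("Resource")):
            if resource.count("arn:") > 1:
                findings.append((i, f"doubled ARN prefix in resource {resource!r}"))
    return findings


def clean_policy(policy):
    """Drop statements with an empty Action and collapse doubled ARNs (new object)."""
    kept = []
    for stmt in policy.get("Statement", []):
        if not as_list(stmt.get("Action")):
            continue
        fixed = dict(stmt)
        resources = [dedupe_arn(r) for r in as_list(stmt.get("Resource"))]
        fixed["Resource"] = resources[0] if len(resources) == 1 else resources
        kept.append(fixed)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": kept}


if __name__ == "__main__":
    for index, msg in lint_policy(SAMPLE):
        print(f"statement {index}: {msg}")
    print(json.dumps(clean_policy(SAMPLE), indent=4))
```

Run against the constructed SAMPLE it reports one finding per statement; after clean_policy() the empty statement is gone and the Secrets Manager resource is a single ARN, while the "cloudwatch logs" action is still flagged because the correct prefix cannot be guessed mechanically.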

When running iamlive with terraform apply generated policy document is incomplete

I have noticed that some permissions are not captured in the policydocument.

An example is that my terraform creates a kms key

iamlive is then only capturing the

"kms:CreateKey"

but not "kms:CreateGrant"

This goes for more actions that should have been captured in the policy.

E.g. when creating an eks cluster

    "eks:TagResource",
    "iam:TagOpenIDConnectProvider",
    "ec2:RunInstances",
    "acm:AddTagsToCertificate",
    "acm:DeleteCertificate",
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListTagsForCertificate",

And a few more which I forgot about.

[Proxy mode] Dualstack endpoints don't get recorded

Hiya Ian,

Truly awesome work on the tool in general and proxy mode specifically. I noticed a couple of issues, shown in the screenshot below.

The first is that the region appears to be determined incorrectly in some cases, e.g. s3.us-east-1. The second is that in dualstack mode, the determination of the service definition fails and therefore no parameters get extracted.

image

Shoutout

Hey, I just started using this is in my personal projects to help me manage a minimal Terraform permission set for AWS. Thanks a lot for making this!

Proxy Mode SSL Error

I'm working with iamlive in proxy mode and issued the following command:

iamlive --profile iam_AdministratorAccess --mode proxy

then I'm trying to run boto3 scripts; here's a snippet:

import boto3
from botocore.config import Config

aws_config=Config(proxies={'https': 'https://localhost:10080'})
s3 = boto3.client('s3', config=aws_config)
print(s3.list_objects(Bucket='files-exported-here'))

I receive an error:

botocore.exceptions.SSLError: SSL validation failed [SSL: WRONG_VERSION_NUMBER] wrong version number

My question is should I try and recreate the cert bundle to be used with boto3?
-- the profile does contain ca_bundle = ~/.iamlive/ca.pem

Also proxy mode will work for general awscli commands. Not sure what needs to be added to a python script.

Main goal is to get the resources enumerated when running python commands.
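An added example (not iamlive code) of the client-side settings for proxy mode, covering this report and the two x509 reports above (the S3 backend and Terraform registry ones). It rests on two assumptions drawn from the settings quoted on this page (HTTP_PROXY=http://127.0.0.1:10080, AWS_CA_BUNDLE=~/.iamlive/ca.pem): the iamlive listener speaks plain HTTP, so the proxy URL given to botocore must use the http:// scheme rather than the https:// used in the snippet above (an https:// proxy URL makes the client start TLS with a listener that answers in cleartext, which is the WRONG_VERSION_NUMBER symptom); and any host that bypasses the proxy through NO_PROXY still presents a public certificate, so a bundle handed to the SDK that contains only the iamlive CA makes those direct connections fail with "certificate signed by unknown authority". The helper therefore merges the system roots with the iamlive CA. All file paths are placeholders; the boto3 import is deferred so the pure helpers run without it.

```python
"""Proxy-mode client settings for boto3, with the CA-bundle caveat.

Added example, not part of iamlive. Assumptions: the listener on
127.0.0.1:10080 is a plain-HTTP proxy, and ~/.iamlive/ca.pem is the CA it
signs proxied TLS sessions with. Paths below are placeholders.
"""
import os
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def proxy_url(bind_addr="127.0.0.1:10080"):
    """Proxy URL for botocore's Config(proxies=...); note the http:// scheme."""
    return f"http://{bind_addr}"


def check_proxy_url(url):
    """Return a problem description, or None if the URL is usable for this proxy."""
    if url.startswith("https://"):
        return "https:// proxy scheme: client would attempt TLS to a plain-HTTP listener"
    if not url.startswith("http://"):
        return "proxy URL must start with http://"
    return None


def merge_ca_bundles(pem_texts):
    """Concatenate PEM bundles, keeping only certificate blocks, de-duplicated."""
    seen, out = set(), []
    for text in pem_texts:
        for block in PEM_CERT_RE.findall(text):
            if block not in seen:
                seen.add(block)
                out.append(block)
    return "\n".join(out) + "\n" if out else ""


def write_combined_bundle(system_bundle, iamlive_ca, dest):
    """Write system roots + iamlive CA to dest; returns the certificate count."""
    with open(system_bundle) as a, open(iamlive_ca) as b:
        merged = merge_ca_bundles([a.read(), b.read()])
    with open(dest, "w") as f:
        f.write(merged)
    return len(PEM_CERT_RE.findall(merged))


def make_client(service, bundle_path, bind_addr="127.0.0.1:10080"):
    """Build a boto3 client that sends its HTTPS calls through the proxy."""
    import boto3  # deferred so the helpers above run without boto3 installed
    from botocore.config import Config
    cfg = Config(proxies={"https": proxy_url(bind_addr)})
    return boto3.client(service, config=cfg, verify=os.path.expanduser(bundle_path))


if __name__ == "__main__":
    # The form from the snippet above, Config(proxies={'https': 'https://localhost:10080'}):
    print(check_proxy_url("https://localhost:10080"))
    system = "/etc/ssl/certs/ca-certificates.crt"              # placeholder (Debian-style path)
    combined = os.path.expanduser("~/.iamlive/combined.pem")   # placeholder
    n = write_combined_bundle(system, os.path.expanduser("~/.iamlive/ca.pem"), combined)
    print(f"{n} certificates in {combined}")
    s3 = make_client("s3", combined)
    print(s3.list_buckets()["Buckets"])
```

The same combined bundle can be exported as AWS_CA_BUNDLE for the CLI and Terraform; hosts that are not AWS endpoints (the Terraform registry, gstatic.com) belong in NO_PROXY, since iamlive only produces policy for AWS calls and those clients do not trust its CA.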

Proxy mode account ID determination

There is an --account-id command-line argument for passing in the AWS account ID in proxy mode. Given that the access key ID is available in the request HTTP headers and the account ID can be reverse engineered in most cases, maybe we should reverse-engineer it as a last-resort if unspecified by the user?

Homebrew installer reports warning: Calling bottle :unneeded is deprecated!

When running homebrew the following error is reported:

Warning: Calling bottle :unneeded is deprecated! There is no replacement.
Please report this issue to the iann0036/iamlive tap (not Homebrew/brew or Homebrew/core):
/usr/local/Homebrew/Library/Taps/iann0036/homebrew-iamlive/iamlive.rb:9

This flags every time I use homebrew - I'm running macOS 11.5 (Big Sur).
