Deploy Repokid from scratch and make sure instructions are clear about repokid HOT 8 OPEN

I can take this @mcpeak. I'll send a pr by this weekend.

from repokid.

Awesome, thank you!

from repokid.

Hello,
Instructions regarding creating role and instance profile are not clear. I am assigning role to ec2 instance and got the following error

(repokid) [root@ip- repokid]# repokid display_role_cache 123456
Loaded config from /home/ec2-user/repokid/config.json
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): sts.amazonaws.com
Traceback (most recent call last):
File "/root/.virtualenvs/repokid/bin/repokid", line 11, in
load_entry_point('repokid', 'console_scripts', 'repokid')()
File "/home/ec2-user/repokid/repokid/cli/repokid_cli.py", line 950, in main
dynamo_table = dynamo_get_or_create_table(**config['dynamo_db'])
File "/home/ec2-user/repokid/repokid/utils/dynamo.py", line 64, in dynamo_get_or_create_table
region=dynamo_config['region'])
File "/root/.virtualenvs/repokid/local/lib/python2.7/site-packages/cloudaux-1.2.0-py2.7.egg/cloudaux/aws/decorators.py", line 40, in decorated_function
raise e
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole

from repokid.

OK, let's first find out which of these you're missing:

1. Role for Repokid instance (RepokidInstanceProfile) including a policy that allows sts:AssumeRole to RepokidRole in the target account

2. RepokidRole in target account, with a trust policy that allows RepokidInstanceProfile to assume it

If you tell me which of these isn't set up right we can tighten up the documentation.

from repokid.

Thank you that helped.
Also found this documentation if someone is looking for "similar" steps.
https://github.com/Netflix/security_monkey/blob/develop/docs/iam_aws.md

from repokid.

#46 would probably be exposed/fixed as part of this.

How about a docker image?

from repokid.

@adamdecaf I'd love a docker image!

from repokid.

I managed to get "almost" everything configured. When I run some basic repo commands, repokid doesn't find any results.

$ repokid display_role 123456789012 RepoKidTest-Role

NFO:botocore.credentials:Credentials found in config file: ~/.aws/config
2019-05-09 00:09:51,850 WARNING: Could not find role with name RepoKidTest-Role [in /home/vagrant/repokid/repokid/repokid/cli/repokid_cli.py:535]
WARNING:repokid:Could not find role with name RepoKidTest-Role

$ repokid find_roles_with_permissions "iam:ListInstanceProfiles" --output=myroles.json

There's nothing in myroles.json

I think the problem is my "aardvark_api_location" parameter in config.json?

from repokid.