Merge pull request #52 from InbarRose/main
add AWS_ACCESS_KEY_ID to env var checking
adamjkeller authored Apr 7, 2022
2 parents 0d88ce2 + d279faf commit fc5fdde
Showing 2 changed files with 14 additions and 7 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -126,7 +126,7 @@ The `check-ecs-exec.sh` found one or more VPC endpoints configured in the VPC fo
The `check-ecs-exec.sh` doesn't support checking this item for shared VPC subnets using [AWS Resouce Access Manager (AWS RAM)](https://aws.amazon.com/ram/). In short, this may not an issue to use ECS Exec if your ECS task VPC doesn't have any VPC endpoint and the task has proper outbound internet connectivity. Make sure to consult your administrator with the official ECS Exec documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-considerations) to find if your VPC need to have an additional VPC endpoint.

19. **🟡 Environment Variables : defined**
SSM uses the AWS SDK which uses the [default chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) when determining authentication. This means if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in the environment variables and the permissions there do not provide the required permissions for SSM to work, then the execute-command will fail. It is recomended not to define these environment variables.
SSM uses the AWS SDK which uses the [default chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) when determining authentication. This means if AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY are defined in the environment variables and the permissions there do not provide the required permissions for SSM to work, then the execute-command will fail. It is recomended not to define these environment variables.

## Security

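Review bot: the `+` line now names AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY but still omits AWS_SESSION_TOKEN, which the SDK default chain reads together with the key pair; a container that sets all three overrides the task role exactly as a static key pair does, so either add it to the list or say explicitly that the check covers only the static-credential names. The list here should also stay in lock-step with the names the script's check 11 greps for, since this change is the README and script drifting apart once already. While touching the line: "recomended" should be "recommended", and the context above has "Resouce", "may not an issue" and a missing "[" before "official ECS Exec documentation".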
19 changes: 13 additions & 6 deletions check-ecs-exec.sh
Expand Up @@ -674,8 +674,8 @@ else
fi
fi

# 11. Check task definition containers for environment variables AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY
# if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service
# 11. Check task definition containers for environment variables AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY
# if AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service
# if the key defined does not have requirement permissions, the execute-command will not work.
containerNameList=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[].name")
idx=0
Expand All @@ -686,15 +686,22 @@ for containerName in $containerNameList; do
printf " ${COLOR_DEFAULT}- AWS_ACCESS_KEY"
AWS_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_ACCESS_KEY\") | .name")
case "${AWS_ACCESS_KEY_FOUND}" in
*AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";;
* ) printf ": ${COLOR_GREEN}not defined\n";;
*AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_ACCESS_KEY_ID
printf " ${COLOR_DEFAULT}- AWS_ACCESS_KEY_ID"
AWS_ACCESS_KEY_ID_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_ACCESS_KEY_ID\") | .name")
case "${AWS_ACCESS_KEY_ID_FOUND}" in
*AWS_ACCESS_KEY_ID* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_SECRET_ACCESS_KEY
printf " ${COLOR_DEFAULT}- AWS_SECRET_ACCESS_KEY"
AWS_SECRET_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_SECRET_ACCESS_KEY\") | .name")
case "${AWS_SECRET_ACCESS_KEY_FOUND}" in
*AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";;
* ) printf ": ${COLOR_GREEN}not defined\n";;
*AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
idx=$((idx+1))
done
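Review bot: the three `case` blocks are copies that differ only in the variable name; a loop such as `for envName in AWS_ACCESS_KEY AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do` with `select(.name==\"${envName}\")` would have made this change a one-word edit and makes the next one (AWS_SESSION_TOKEN, which the SDK default chain also honours, is still not checked) trivial. Two further points on the new block and its neighbours: the jq path `.environment[]` aborts with "Cannot iterate over null" for a container definition that lacks an `environment` key, so `.environment[]?` is the safer form; and only the plain `environment` array is inspected, so the same names injected through `secrets` (valueFrom) or `environmentFiles` are reported as "not defined" even though the SSM agent inside the container will pick them up, which the comment on the first lines of the hunk should at least state. The glob `*AWS_ACCESS_KEY* )` is wider than needed (it also matches AWS_ACCESS_KEY_ID); it is harmless because the jq select already matches the exact name, but an exact `AWS_ACCESS_KEY )` pattern would make the intent clear.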

0 comments on commit fc5fdde