We use Docker containers for pop-up development environments (e.g., as opposed to a VM). Trying to run it inside a Docker container, but since I can't open a second tab in my terminal (since the container session is tied to the terminal session), I can't follow the README instructions.

I've tried running it in the background, however, I keep ending up with the basic Action: null policy after running Terraform to standup my infrastructure, then kill $PID.

1. Since Terraform calls out to the AWS APIs, I would think that this tool could read the same things going over the wire as the AWS CLI.

2. Is there something about Docker or Alpine Linux which would prevent it from working?

Hey @iann0036 , I've tried to create the AWS VPC Module with Terraform, using iamlive in Proxy Mode.

Issue

iamlive did not track the required permissions for creating an AWS VPC with terraform

Details

terraform apply
# request proxied through iamlive

The IAM policy that was generated for my dummy-user by iamlive:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "ec2:DescribeAccountAttributes",
                "ec2:CreateVpc"
            ],
            "Resource": "*"
        }
    ]
}

I updated the dummy-user's IAM policy with the above generated IAM policy. And I still got the following error

terraform apply
...
# Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: ENCODED_MESSAGE

I decoded the ENCODED_MESSAGE by following this tutorial by AWS

aws sts decode-authorization-message --encoded-message "$ENCODED_MESSAGE" | jq -c '.DecodedMessage | fromjson | .context.action'

# Output:
# "ec2:CreateTags"

This makes sense, dummy-user is not allowed to ec2:CreateTags, but why didn't iamlive track this permission?

So now I'm thinking, does iamlive track encoded messages and tries to decode them?

P.S- I also tried aws s3 cp myfile s3://mybucket/myfile and the s3:PutObject wasn't tracked by iamlive, as if it isn't even proxied via iamlive, an IAM Policy wasn't generated. When I tried to copy the file from the bucket to my machine with aws s3 cp s3://mybucket/myfile ./myfile , I saw that iamlive was able to generate an IAM Policy. Not sure if it helps, but it might be related.

As the title says, we're getting this error when using iamlive, but only in proxy mode.

We're setting up AWS infrastructure via Terraform and the same code works just fine with iamlive in CSM mode.

I've noticed this error when working with DynamoDB resources, like tables. This simple configuration is enough to trigger it.

resource "aws_dynamodb_table" "dummy" {
  name = "dummy-iamlive-table"
  hash_key = "id"

  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "id"
    type = "S"
  }
}

The complete error given by Terraform is:

Error: error creating DynamoDB Table: InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

If it helps, we're running:

• go version go1.16.3 linux/amd64
• aws-cli/2.1.15 Python/3.7.3 Linux/5.11.11-200.fc33.x86_64 exe/x86_64.fedora.33 prompt/off
• Terraform v0.14.8 + provider registry.terraform.io/hashicorp/aws v3.39.0

I've used this tutorial as well, hoping to isolate iamlive from my local environment: https://dev.to/unfor19/determining-aws-iam-policies-according-to-terraform-and-aws-cli-27md

Could anyone point us in the right direction ? Is there something that I'm doing wrong ?

Hey, this utility looks like just the thing I want to narrow down permissions needed for CI users to have the ability to run CDK commands.

I'm giving the utility a go now and I'm wondering if I should be getting output or not?

I'm doing

iamalive --set-ini --profile <my-profile>

And

cdk diff

But getting no output at the moment

I am trying out a simple setup. I have downloaded the latest 0.45 version executable for Windows and running

iamlive --set-ini

In another terminal, I am running

aws s3api list-buckets

Aws returns a list of buckets that I have in the account, but nothing is outputted in iamlive terminal.

I have tried this out on both Windows 10 and 11 with personal and work accounts.

Hi,

I am trying to run iamlive as part of a GitHub Actions workflow. Everything is fine except one important detail, for some reason GitHub Actions does not seem to kill the iamlive process when I send kill -SIGHUP.

I also tried SIGTERM and SIGQUIT but to no avail.

The only thing that kills the process is SIGKILL but that means I do not get an output file produced.

This seems to be some odd behaviour with either the GitHub Actions (I am using a GitHub hosted ubuntu runner).

Would it be possible for iamlive to be updated so it can write to the file while it is running, so there is no need to killl the process before the file is available?

Thanks.

Error: Invalid formula: /home/username/.linuxbrew/Homebrew/Library/Taps/iann0036/homebrew-iamlive/iamlive.rb
formulae require at least a URL
Error: Cannot tap iann0036/iamlive: invalid syntax in tap!

Would you be interested in statically compiling the release binaries? No worries if not, just close this issue off.

In case it helps other Nix users passing by: patching the ELF will suffice until Go 1.16 RCs hit NIxpkgs.

; patchelf \                              
      --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" iamlive

I'm running iamlive --set-init --profile test --mode proxy in one terminal window. I have AWS_CA_BUNDLE, HTTP_PROXY and HTTPS_PROXY set as per the documentation. When I issue aws --profile test cloudfront list-distributions --query "..." --output text in another terminal, I see the output from iamlive, however when I run aws --profile test cloudfront create-invalidation --distribution-id <myID> --paths "/*" I get nothing from iamlive. Tried to restart iamlive just before issuing create-invalidation command, but it didn't help.

In our org we use a proxy for all external requests. Other than AWS endpoints, there is no direct access to public internet. We have system wide proxies - and excludes for AWS stuff - configured, which looks like this:

HTTP_PROXY="http://example.com:8080"
HTTPS_PROXY="http://example.com:8080"
NO_PROXY="127.0.0.1,169.254.169.254,169.254.170.2,localhost,amazonaws.com,amazon.com"

Now we have a use case where we need to run calls to AWS and other domains from the same process. When we point the proxy to the iamlive proxy, other requests fail. So it's impossible to record the actions with iamlive.

I tried to set a proxy for iamlive itself but it looks like it is ignored.

HTTP_PROXY="http://example.com:8080" \
HTTPS_PROXY="http://example.com:8080" \
NO_PROXY="127.0.0.1,169.254.169.254,169.254.170.2,localhost,amazonaws.com,amazon.com" \
iamlive --mode proxy --bind-addr "0.0.0.0:10080"

When I run a process with proxy environment pointed to http://127.0.0.1:10080 it can only talk to AWS.

Is this a user error or currently not supported?

Hi,

Everything works well in csm mode, but the resources are not detailed. So I'm trying to use the proxy mode. AWS CLI is working fine. Terraform is working mostly fine except with some modules.

Shell 1)

iamlive -set-ini -mode proxy

Shell 2)

export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem
terraform init
terraform apply

terraform init fails on "Initializing provider plugins...":

│ Error: Failed to query available provider packages
│ 
│ Could not retrieve the list of available versions for provider hashicorp/http: could not connect to registry.terraform.io: Failed to request discovery document: Get "https://registry.terraform.io/.well-known/terraform.json": x509: certificate signed by unknown authority

And terraform apply fails on downloading https://www.gstatic.com/ipranges/cloud.json:

│ Error: Error making request: Get "https://www.gstatic.com/ipranges/cloud.json": x509: certificate signed by unknown authority

Thank you for creating this amazing project! My iamlive container, running v0.49.0, is now successfully proxying aws cli requests, as proven by its stdout captured in the following docker log entry, output in response to aws sts get-caller-identity --debug --profile <myprofile>:

my-iamlive-1  | {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sts:GetCallerIdentity"],"Resource":"*"}]}

..but it is not dumping this text into its --output-file, neither at graceful exit nor on SIGHUP.

The iamlive container is based on this one, and executes iamlive in its entrypoint as:

    /app/iamlive \
        --output-file ${IAMLIVE_SHARED_PATH}/iamlive.log \
        --mode proxy \
        --bind-addr 0.0.0.0:10080 \
        --ca-bundle ${IAMLIVE_SHARED_PATH}/ca.pem \
        --ca-key ${IAMLIVE_SHARED_PATH}/ca.key \
        | jq -c .

The ${IAMLIVE_SHARED_PATH} folder (actually is /home/appuser/.iamlive) is the container mount point for a named docker volume that is shared with another "client container" that is being monitored for AWS api calls. Below is the relevant excerpt from the docker compose config that orchestrates these two containers.

services:
  main:
    environment:
      - IAMLIVE_SHARED_PATH=${IAMLIVE_SHARED_PATH}
    .
    .
    .
    build:
      args:
        - IAMLIVE_SHARED_PATH=${DEFAULT_CONTAINER_HOME}/${IAMLIVE_SHARED_FOLDER}
    .
    .
    .
    # Ensure iamlive container is run before main
    depends_on:
      - "iamlive"
    volumes:
      - "dot-iamlive:${DEFAULT_CONTAINER_HOME}/${IAMLIVE_SHARED_FOLDER}:rw"
  iamlive:
    environment:
      - IAMLIVE_SHARED_PATH=${IAMLIVE_SHARED_PATH}
    .
    .
    .
    build:
      args:
        - IAMLIVE_SHARED_PATH=${IAMLIVE_SHARED_PATH}
    .
    .
    .
    user: "${HOST_UID}:${HOST_GID}"
    expose:
       - "${IAMLIVE_LISTENER_HTTP_HTTPS_PORT}"
    volumes:
      - "dot-iamlive:${IAMLIVE_SHARED_PATH}:rw"
volumes:
  dot-iamlive:

(All I've removed from the above are many superfluous and noisy variable definitions.)

Mutual access to the shared volume has already been proven working correctly, since:

1. the IAMLIVE_SHARED_PATH mount point in the iamlive container is where iamlive dumps the required ca.pem and ca.key files and
2. the IAMLIVE_SHARED_PATH mount point in the main (client) container is where the client application instructs the AWS CLI to read the certificate bundle from, using:

export AWS_CA_BUNDLE=${IAMLIVE_SHARED_PATH}/ca.pem

As mentioned at the top, I've also proven that this scheme of two applications/containers is working in terms of networking and application configuration. The iamlive proxy is receiving the sts get-caller-identity request and dumping to stdout a policy document correctly containing a sts:GetCallerIdentity action.

The issue

I've yet to see a iamlive.log file get dumped.

Use case 1: iamlive exits

At first, I had the main container sleep several seconds after the successful aws sts get-caller-identity transaction, and then exit. Because main depends_on iamlive, main is stopped first, then iamlive. Here, I expected that the iamlive application would be sent and would catch SIGTERM, and then run this code to write (and flush??) GetPolicyDocument()'s return value to the outputFileFlag. Since the file path being written is in a mounted folder backed by docker volume on the host, if this file got written, I expected that to persist until the next container run. (There is nothing in this system that deletes files in that shared volume folder.)

Use case 2: SIGHUP

Next, I modified the project to enable the client application running in the main container to send UNIX process signals to other containers, specifically so that it could send SIGHUP to the iamlive container as a way to force it to dump the policy to disk before exiting. For the curious, this required:

1. sharing with main the path to the host's docker daemon socket via a host docker volume, and
2. ensuring the user in main has the correct permissions to access that socket, and
3. POSTing to this socket at the URL http://localhost/containers/<target_container_id>/kill?signal=SIGHUP

When testing this, however, everything worked just fine (the POST gets a 204 No Content response, which is the expected "successful" result for this api call), except that the iamlive.log file did not get dumped. I confirmed that the I was using the correct docker daemon api and that I was using the correct target_container_id by removing the ?signal=SIGHUP part of the URL which sends SIGKILL by default, and when running observing the iamlive container exiting immediately after the request POSTed from the client application running in the main container.

Summary

So, this feels like a bug, but I could also use some help in troubleshooting this from the iamlive side, so please send me any ideas you have on troubleshooting techniques for this app. I've not seen any debugging or verbose mode, nor have I looked at the source code much yet, but I am now stumped and receptive to any help. I realize that this usage mode is unusual -most people seem to be monitoring AWS cli activity from the host system instead of from another container - but this is why I explained myself so thoroughly. Still, let me know if you need any more info to help.

Thanks again for creating this amazing project!

It would be great if future releases would include at a minimum some checksums so I can compare the release against the checksum to verify I downloaded the binary I thought to be downloading.

Another step would be to also add signatures.

See https://github.com/philips-labs/slsa-provenance-action/releases for a project that applies these things on the released assets.

See the github actions workflow on how the checksums and signatures are added.

What is the issue?

When using iamlive with proxy mode, when trying to upload object to s3 bucket getting:

An error occurred (NotImplemented) when calling the PutObject operation: A header you provided implies functionality that is not implemented

Error code is 501 NotImplemented.

How to reproduce?

1. Normal proxy iamlive setup
2. run aws s3 cp command into a bucket with empty file

What have you tried to do?

I tried to compare the list of headers between the proxy outputs to the aws cli with --debug , overall the headers seems to be the same. Can confirm content-length exists, the only header that was in the proxy but not in the aws cli is Accept-Encoding but it seems to be coming from the goProxy, and I saw we're not deleting it.

I also tried to run other PUT method calls like create bucket with proxy, no issues there, just when trying to upload uploads into the bucket.

Note

When trying to upload a non-empty file with the same method above (aws cli), facing different issue where it can't connect to the proxy:

Failed to connect to proxy URL: "http://127.0.0.1:10080"

I have noticed that some permissions are not captured in the policydocument.

An example is that my terraform creates a kms key

iamlive is then only capturing the

"kms:CreateKey"

but not "kms:CreateGrant"

This goes for more actions that should have been captured in the policy.

E.g. when creating an eks cluster

    "eks:TagResource",
    "iam:TagOpenIDConnectProvider",
	"ec2:RunInstances",
    "acm:AddTagsToCertificate",
    "acm:DeleteCertificate",
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListTagsForCertificate",

And a few more which I forgot about.

I am currently trying to get iamlive in proxy mode working with localstack, but I am having a problem. I think it has something to do with aws endpoint url and from what I can tell I can't figure out how to set that for iamlive to pickup.

I am just curious if anyone has gotten this working or is there a setting I am overlooked?

Hi,

I am trying to make a POC with iamlive, it seems that somehow iamlive proxy results in aws cli hanging on most of the operations.

I have set up env variables as per documentation; iamlive seems to correctly intercept calls: However, the terminal with aws command hangs without any output. So I have run it with debug mode. It seems to be requests stops at and retries:

2022-03-08 22:49:04,436 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (3): s3.eu-central-1.amazonaws.com:443

Full logs below:

GET
/

host:s3.eu-central-1.amazonaws.com
x-amz-content-sha256:/hidden/
x-amz-date:20220308T204904Z

host;x-amz-content-sha256;x-amz-date
/hidden/
2022-03-08 22:49:04,434 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20220308T204904Z
20220308/eu-central-1/s3/aws4_request
/hidden/
2022-03-08 22:49:04,436 - MainThread - botocore.auth - DEBUG - Signature:
/hidden/
2022-03-08 22:49:04,436 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://s3.eu-central-1.amazonaws.com/, headers={'User-Agent': b'aws-cli/2.4.18 Python/3.8.8 Windows/10 exe/AMD64 prompt/off command/s3api.list-buckets', 'X-Amz-Date': b'20220308T204904Z', 'X-Amz-Content-SHA256': /hidden/', 'Authorization': b'AWS4-HMAC-SHA256 Credential=/hidden//20220308/eu-central-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=/hidden/'}>
2022-03-08 22:49:04,436 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (3): s3.eu-central-1.amazonaws.com:443
2022-03-08 22:50:07,102 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x0000028AD3E5FB50>>
2022-03-08 22:56:00,193 - MainThread - botocore.retries.standard - DEBUG - Max attempts of 3 reached.
2022-03-08 22:56:00,224 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2022-03-08 22:56:00,225 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x0000028AD3E5FBB0>>
2022-03-08 22:56:00,225 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "urllib3\connectionpool.py", line 449, in _make_request
  File "<string>", line 3, in raise_from
  File "urllib3\connectionpool.py", line 444, in _make_request
  File "http\client.py", line 1347, in getresponse
  File "http\client.py", line 307, in begin
  File "http\client.py", line 268, in _read_status
  File "socket.py", line 669, in readinto
  File "ssl.py", line 1241, in recv_into
  File "ssl.py", line 1099, in read
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "awscli\botocore\httpsession.py", line 344, in send
  File "urllib3\connectionpool.py", line 785, in urlopen
  File "urllib3\util\retry.py", line 525, in increment
  File "urllib3\packages\six.py", line 770, in reraise
  File "urllib3\connectionpool.py", line 703, in urlopen
  File "urllib3\connectionpool.py", line 451, in _make_request
  File "urllib3\connectionpool.py", line 340, in _raise_timeout
urllib3.exceptions.ReadTimeoutError: AWSHTTPSConnectionPool(host='s3.eu-central-1.amazonaws.com', port=443): Read timed out. (read timeout=60)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "awscli\clidriver.py", line 459, in main
  File "awscli\clidriver.py", line 594, in __call__
  File "awscli\clidriver.py", line 770, in __call__
  File "awscli\clidriver.py", line 901, in invoke
  File "awscli\clidriver.py", line 913, in _make_client_call
  File "awscli\botocore\client.py", line 281, in _api_call
  File "awscli\botocore\client.py", line 595, in _make_api_call
  File "awscli\botocore\client.py", line 615, in _make_request
  File "awscli\botocore\endpoint.py", line 102, in make_request
  File "awscli\botocore\endpoint.py", line 156, in _send_request
  File "awscli\botocore\endpoint.py", line 200, in _do_get_response
  File "awscli\botocore\endpoint.py", line 269, in _send
  File "awscli\botocore\httpsession.py", line 379, in send
botocore.exceptions.ReadTimeoutError: Read timeout on endpoint URL: "https://s3.eu-central-1.amazonaws.com/"

Read timeout on endpoint URL: "https://s3.eu-central-1.amazonaws.com/"

Command: aws s3api list-buckets OS: Windows 11