check environment variables that cause failure (#50)

AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY can override the AWS SDK see #49
aws-containers · Mar 31, 2022 · 0dd4e80 · 0dd4e80
1 parent 3c15654
commit 0dd4e80
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -125,6 +125,9 @@ The `check-ecs-exec.sh` found one or more VPC endpoints configured in the VPC fo
 18. **_🔴 VPC Endpoints | CHECK FAILED_**  
 The `check-ecs-exec.sh` doesn't support checking this item for shared VPC subnets using [AWS Resouce Access Manager (AWS RAM)](https://aws.amazon.com/ram/). In short, this may not an issue to use ECS Exec if your ECS task VPC doesn't have any VPC endpoint and the task has proper outbound internet connectivity. Make sure to consult your administrator with the official ECS Exec documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-considerations) to find if your VPC need to have an additional VPC endpoint.
 
+19. **🟡 Environment Variables : defined**  
+SSM uses the AWS SDK which uses the [default chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) when determining authentication. This means if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in the environment variables and the permissions there do not provide the required permissions for SSM to work, then the execute-command will fail. It is recomended not to define these environment variables. 
+
 ## Security
 
 See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.

diff --git a/check-ecs-exec.sh b/check-ecs-exec.sh
@@ -674,4 +674,29 @@ else
   fi
 fi
 
+# 11. Check task definition containers for environment variables AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY
+# if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service
+# if the key defined does not have requirement permissions, the execute-command will not work.
+containerNameList=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[].name")
+idx=0
+printf "${COLOR_DEFAULT}  Environment Variables  | (${taskDefFamily}:${taskDefRevision})\n"
+for containerName in $containerNameList; do
+  printf "       ${COLOR_DEFAULT}$((idx+1)). container \"${containerName}\"\n"
+  # find AWS_ACCESS_KEY
+  printf "       ${COLOR_DEFAULT}- AWS_ACCESS_KEY"
+  AWS_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_ACCESS_KEY\") | .name")
+  case "${AWS_ACCESS_KEY_FOUND}" in
+    *AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";;
+    * ) printf ": ${COLOR_GREEN}not defined\n";;
+  esac
+  # find AWS_SECRET_ACCESS_KEY
+  printf "       ${COLOR_DEFAULT}- AWS_SECRET_ACCESS_KEY"
+  AWS_SECRET_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_SECRET_ACCESS_KEY\") | .name")
+  case "${AWS_SECRET_ACCESS_KEY_FOUND}" in
+    *AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";;
+    * ) printf ": ${COLOR_GREEN}not defined\n";;
+  esac
+  idx=$((idx+1))
+done
+
 printf "\n"