From f762d37a4414807d8b1380cf06caf48b589fb839 Mon Sep 17 00:00:00 2001 From: Nathan C <1849077+thelateperseus@users.noreply.github.com> Date: Wed, 2 Mar 2022 12:33:10 +1100 Subject: [PATCH 1/2] Support cygwin on Windows When running `check-ecs-exec.sh` in cygwin on Windows, the REGION variable contains a trailing carriage return character. The script terminates with the error message "' doesn't match a supported format." Removing the trailing carriage return character character allows the rest of the script to complete normally. The displayed AWS CLI Version also has a trailing carriage return character, but this is only a cosmetic issue and doesn't affect the checks performed by the rest of the script. --- check-ecs-exec.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/check-ecs-exec.sh b/check-ecs-exec.sh index 08295cb..9fd1088 100755 --- a/check-ecs-exec.sh +++ b/check-ecs-exec.sh @@ -125,7 +125,7 @@ fi printf "${COLOR_DEFAULT} AWS CLI | ${COLOR_GREEN}OK ${COLOR_DEFAULT}($(which "${AWS_CLI_BIN}"))\n" # Find AWS region -REGION=$(${AWS_CLI_BIN} configure get region || echo "") +REGION=$(${AWS_CLI_BIN} configure get region | sed -e 's/\r//g' || echo "") export AWS_REGION=${AWS_REGION:-$REGION} # Check region configuration in "source_profile" if the user uses MFA configurations source_profile=$(${AWS_CLI_BIN} configure get source_profile || echo "") @@ -209,7 +209,7 @@ Please update the AWS CLI and try again?\n\ For v1: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html${COLOR_DEFAULT}\n" exit 1 fi -awsCliVersion=$(${AWS_CLI_BIN} --version 2>&1) +awsCliVersion=$(${AWS_CLI_BIN} --version 2>&1 | sed -e 's/\r//g') printf "${COLOR_DEFAULT} AWS CLI Version | ${COLOR_GREEN}OK ${COLOR_DEFAULT}(${awsCliVersion})\n" # Check whether the Session Manager plugin exists From 0dd4e802d8b7d1c071c22cee30a0f92fc567dc0a Mon Sep 17 00:00:00 2001 
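Review bot: The `|| echo ""` fallback on the new REGION line now guards only `sed`, because a pipeline's status is that of its last command unless the script sets `pipefail` (its header is outside this hunk), so a failing `configure get region` no longer triggers it; the captured value still ends up empty, so this is a dead fallback rather than a behavior change, but the intent reads more clearly if the carriage return is stripped from the captured value instead: `REGION=$(${AWS_CLI_BIN} configure get region || echo "")` followed by `REGION=${REGION//$'\r'/}`. That form is bash parameter expansion, so confirm the shebang (not visible here) is bash before switching. The same applies to the `awsCliVersion` line in the second hunk, `awsCliVersion=${awsCliVersion//$'\r'/}`, which also avoids spawning `sed` on every run. A one-line comment above the assignment, `# Strip CR: the AWS CLI emits CRLF line endings under cygwin`, would record why the stripping exists.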
From: Inbar <5904674+InbarRose@users.noreply.github.com> Date: Thu, 31 Mar 2022 22:49:20 +0300 Subject: [PATCH 2/2] check environment variables that cause failure (#50) AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY can override the AWS SDK see https://github.com/aws-containers/amazon-ecs-exec-checker/issues/49 --- README.md | 3 +++ check-ecs-exec.sh | 25 +++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/README.md b/README.md index ba43dae..f406b22 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,9 @@ The `check-ecs-exec.sh` found one or more VPC endpoints configured in the VPC fo 18. **_🔴 VPC Endpoints | CHECK FAILED_** The `check-ecs-exec.sh` doesn't support checking this item for shared VPC subnets using [AWS Resouce Access Manager (AWS RAM)](https://aws.amazon.com/ram/). In short, this may not an issue to use ECS Exec if your ECS task VPC doesn't have any VPC endpoint and the task has proper outbound internet connectivity. Make sure to consult your administrator with the official ECS Exec documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-considerations) to find if your VPC need to have an additional VPC endpoint. +19. **🟡 Environment Variables : defined** +SSM uses the AWS SDK which uses the [default chain](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) when determining authentication. This means if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in the environment variables and the permissions there do not provide the required permissions for SSM to work, then the execute-command will fail. It is recomended not to define these environment variables. + ## Security See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. diff --git a/check-ecs-exec.sh b/check-ecs-exec.sh index 08295cb..652f63f 100755 --- a/check-ecs-exec.sh +++ b/check-ecs-exec.sh 
@@ -674,4 +674,29 @@ else fi fi +# 11. Check task definition containers for environment variables AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY +# if AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service +# if the key defined does not have requirement permissions, the execute-command will not work. +containerNameList=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[].name") +idx=0 +printf "${COLOR_DEFAULT} Environment Variables | (${taskDefFamily}:${taskDefRevision})\n" +for containerName in $containerNameList; do + printf " ${COLOR_DEFAULT}$((idx+1)). container \"${containerName}\"\n" + # find AWS_ACCESS_KEY + printf " ${COLOR_DEFAULT}- AWS_ACCESS_KEY" + AWS_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_ACCESS_KEY\") | .name") + case "${AWS_ACCESS_KEY_FOUND}" in + *AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";; + * ) printf ": ${COLOR_GREEN}not defined\n";; + esac + # find AWS_SECRET_ACCESS_KEY + printf " ${COLOR_DEFAULT}- AWS_SECRET_ACCESS_KEY" + AWS_SECRET_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_SECRET_ACCESS_KEY\") | .name") + case "${AWS_SECRET_ACCESS_KEY_FOUND}" in + *AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined\n";; + * ) printf ": ${COLOR_GREEN}not defined\n";; + esac + idx=$((idx+1)) +done + printf "\n"
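Review bot: The new check inspects only the name `AWS_ACCESS_KEY`, but the variable the SDK default chain reads is `AWS_ACCESS_KEY_ID` (`AWS_ACCESS_KEY` is a legacy alias that only some SDKs accept), so a container that sets `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` — the common case — is reported as `not defined`; since the existing `*AWS_ACCESS_KEY*` case pattern already matches the longer name, widening the jq select on the `AWS_ACCESS_KEY_FOUND` line is enough: `select(.name==\"AWS_ACCESS_KEY\" or .name==\"AWS_ACCESS_KEY_ID\")`. The two `.environment[]` filters also write a jq error to stderr (`Cannot iterate over null`) for any container definition that has no `environment` key; `.environment[]?` keeps the `not defined` result without the noise. Credentials injected through a container's `secrets` list under the same names would bypass this check as well, which deserves either a second lookup over `.secrets[]?` or a comment on the `# 11.` header such as `# NOTE: only plain environment entries are inspected; secrets/valueFrom are not`. The README paragraph added in the same commit names `AWS_ACCESS_KEY` too and would want the same correction.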