I've used InSpec in the past, but it's been some time. I was recently again evaluating it for my current company when I ran into a situation.
I set up an IAM user with the necessary permissions in order to test out InSpec for a proof of concept and added the profile to my `~/.aws/credentials`. I knew the credentials were right because I could test what I wanted with the AWS CLI and get a successful response.
```
$ aws iam list-mfa-devices --user-name test-user --profile inspec
{
    "MFADevices": [
        {
            "UserName": "test-user",
            "SerialNumber": "arn:aws:iam::12345:mfa/test-user",
            "EnableDate": "2020-01-02T18:41:22Z"
        }
    ]
}
```
So, why then, would InSpec tell me that it couldn't find my AWS credentials for the `inspec` profile when running a simple control?
```ruby
title 'AWS IAM compliance'

control 'iam-1.0' do
  impact 1.0
  title 'Check test-user user has MFA'
  desc 'The test-user user should have MFA enabled'
  describe aws_iam_user(user_name: 'test-user') do
    it { should have_mfa_enabled }
  end
end
```
AWS credentials are available, InSpec!
```
$ inspec exec aws -t aws://us-east-1/inspec
[2021-01-03T19:25:55-07:00] ERROR: It appears that you have not set your AWS credentials. See https://www.inspec.io/docs/reference/platforms for details.

Profile: AWS InSpec Profile (aws)
Version: 0.1.0
Target: aws://us-east-1

  × iam-1.0: Check test-user user has MFA
     × AWS IAM User
     No AWS credentials available


Profile: Amazon Web Services Resource Pack (inspec-aws)
Version: 1.33.0
Target: aws://us-east-1

     No tests executed.

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
```
Was I running the correct command to execute my controls? Was I somehow passing my profile to InSpec incorrectly? What was going on?
After some time frustratingly testing numerous different theories, I had another closer look at my `~/.aws/credentials` and noticed that some of my profiles, including my `inspec` profile, looked slightly different than others.
```ini
[default]
aws_access_key_id = abcd1234
aws_secret_access_key = abcd1234
region = us-east-1

[otherprofile]
aws_access_key_id = abcd1234
aws_secret_access_key = abcd1234
region = us-east-1

[inspec]
AWS_ACCESS_KEY_ID = abcd1234
AWS_SECRET_ACCESS_KEY = abcd1234
region = us-east-1
```
That can't be it, can it? Is it?
Well, it turned out that it was. InSpec was not able to read my `inspec` profile credentials because `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` were capitalized in my credentials file, because this is how the Ruby AWS SDK works. I copied and pasted from another profile (I don't recall why I made the keys capitalized), and InSpec couldn't handle it. After changing the keys to `aws_access_key_id` and `aws_secret_access_key`, InSpec found my credentials and I was able to run my controls.
So, if you're having trouble with InSpec telling you `No AWS credentials available` or that `It appears that you have not set your AWS credentials`, check your credentials file and make sure your capitalization is correct.
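One way to automate that check, as an added example that is not from the original post or from InSpec: a small Ruby lint that reports credential key names whose capitalization differs from the lowercase form, printing only key names and never their values. The function name `miscased_credential_keys`, the `EXPECTED_KEYS` list, and the sample file are assumptions made for illustration.

```ruby
# Added example: lint an AWS shared credentials file for key names whose
# capitalization differs from the lowercase form. Values are never printed.
EXPECTED_KEYS = %w[aws_access_key_id aws_secret_access_key aws_session_token].freeze

# Returns an array of { profile:, line:, found:, expected: } hashes (hypothetical helper).
def miscased_credential_keys(text)
  findings = []
  profile = nil
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')

    if (m = line.match(/\A\[(.+)\]\z/))
      profile = m[1].strip
      next
    end

    key, sep, _value = line.partition('=')
    next if sep.empty? || profile.nil?

    key = key.strip
    expected = EXPECTED_KEYS.find { |k| k.casecmp?(key) }
    next if expected.nil? || expected == key

    findings << { profile: profile, line: lineno, found: key, expected: expected }
  end
  findings
end

# Constructed sample mirroring the file in the post (placeholder values).
SAMPLE = <<~INI
  [default]
  aws_access_key_id = abcd1234
  aws_secret_access_key = abcd1234
  region = us-east-1

  [inspec]
  AWS_ACCESS_KEY_ID = abcd1234
  AWS_SECRET_ACCESS_KEY = abcd1234
  region = us-east-1
INI

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE
  miscased_credential_keys(text).each do |f|
    puts "[#{f[:profile]}] line #{f[:line]}: #{f[:found]} should be #{f[:expected]}"
  end
end
```

Pass the path to a credentials file as the first argument to lint it instead of the embedded sample.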