PowerShell Assume Role Credentials Persist in subsequent execution #314
-
Hello Team, I am having an issue. I have a lambda function that is assigned an execution role (LambdaExecutionRole) that assumes another role (DeleteSnapshotsRole) in another account using the Use-STSRole cmdlet. I am able to execute the function the first time after modifying the code; however, when the function is executed the second time it returns the error "DeleteSnapshotsRole is not authorized to assume DeleteSnapshotsRole". For some reason, after the first execution the credentials persist in the function, and the second execution uses the assumed role from the previous execution. Is there any configuration we need to set in the function or layer to flush the environment variables after each execution? I have tried to set the AWS credentials to null after the function is executed, but these null values are getting picked up in subsequent executions. Here is the code:
Thanks
Replies: 3 comments 3 replies
-
Away from my PC, but is it possible it's an issue with the Role Session Name? Try changing the role session name to have a variable as the last character so each creation of a role session is unique. You could store the value in a file in attached storage that's not temp, or could create a parameter and just put the numeric value 1 in it. Read it with the lambda function, then add it to the end of the role session name, then write it back to the parameter as $i + 1 (i.e. 2 the 2nd time).
-
@ashishdhingra Good morning, I was able to get around the problem by setting $env:AWS_ACCESS_KEY_ID, $env:AWS_SECRET_ACCESS_KEY and $env:AWS_SESSION_TOKEN to temporary variables before running STSAssume. At the end I reassigned the credentials from the variables, and subsequent runs were successful.
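The save-and-restore workaround from the reply above, written out as an added example (not code from this discussion or from the AWS Lambda PowerShell project). It assumes the AWS.Tools.SecurityToken and AWS.Tools.EC2 modules are available in the layer; the role ARN, account id, region and snapshot id are placeholders. The point is that Lambda reuses the PowerShell process across warm invocations, so anything left in $env:AWS_* after the handler returns is what the next invocation starts with.

```powershell
# Added example: assume a cross-account role for one operation and always hand the
# execution-role credentials back, so a warm reinvocation never starts as the
# assumed role. Placeholders: the role ARN, account id, region and snapshot id.

function Invoke-WithAssumedRole {
    param(
        [Parameter(Mandatory)] [string] $RoleArn,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        # A unique session name also keeps CloudTrail entries distinguishable per run.
        [string] $SessionName = "lambda-$([guid]::NewGuid().ToString('N').Substring(0, 8))"
    )

    # Snapshot the credentials the Lambda runtime injected (the execution role).
    $saved = @{
        AccessKey    = $env:AWS_ACCESS_KEY_ID
        SecretKey    = $env:AWS_SECRET_ACCESS_KEY
        SessionToken = $env:AWS_SESSION_TOKEN
    }

    try {
        # Use-STSRole runs while the execution-role credentials are still in $env:*,
        # which is the role that actually holds sts:AssumeRole on the target.
        $resp  = Use-STSRole -RoleArn $RoleArn -RoleSessionName $SessionName -DurationInSeconds 900
        $creds = $resp.Credentials

        # Swap in the assumed-role credentials only for the duration of $ScriptBlock.
        $env:AWS_ACCESS_KEY_ID     = $creds.AccessKeyId
        $env:AWS_SECRET_ACCESS_KEY = $creds.SecretAccessKey
        $env:AWS_SESSION_TOKEN     = $creds.SessionToken

        & $ScriptBlock
    }
    finally {
        # Restore even when the block throws; otherwise the next warm invocation
        # begins as DeleteSnapshotsRole and fails with "not authorized to assume".
        $env:AWS_ACCESS_KEY_ID     = $saved.AccessKey
        $env:AWS_SECRET_ACCESS_KEY = $saved.SecretKey
        $env:AWS_SESSION_TOKEN     = $saved.SessionToken
    }
}

# Handler body (placeholder ARN and snapshot id).
Invoke-WithAssumedRole -RoleArn 'arn:aws:iam::111122223333:role/DeleteSnapshotsRole' -ScriptBlock {
    Remove-EC2Snapshot -SnapshotId 'snap-0123456789abcdef0' -Region 'us-east-1' -Force
}
```

Passing the assumed credentials explicitly to each cmdlet (for example via -Credential) instead of writing them into $env:* avoids the restore step entirely and is the safer pattern when the handler makes more than one call.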
-
Hello! Reopening this discussion to make it searchable.