Deploy Repokid from scratch and make sure instructions are clear #42

Open
mcpeak opened this issue Sep 8, 2017 · 8 comments

Comments

@mcpeak
Contributor

mcpeak commented Sep 8, 2017

Repokid has been under heavy development the last several months and we should make sure the instructions are still clear. I'd like somebody unfamiliar with the project to run through the instructions in README.md to clear up any inconsistencies or enhance the documentation where appropriate.

@suprithcs
Contributor

I can take this @mcpeak. I'll send a PR by this weekend.

@mcpeak
Contributor Author

mcpeak commented Nov 1, 2017

Awesome, thank you!

@arpansolanki

Hello,
The instructions regarding creating the role and instance profile are not clear. I am assigning the role to an EC2 instance and got the following error:

(repokid) [root@ip- repokid]# repokid display_role_cache 123456
Loaded config from /home/ec2-user/repokid/config.json
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): sts.amazonaws.com
Traceback (most recent call last):
  File "/root/.virtualenvs/repokid/bin/repokid", line 11, in <module>
    load_entry_point('repokid', 'console_scripts', 'repokid')()
  File "/home/ec2-user/repokid/repokid/cli/repokid_cli.py", line 950, in main
    dynamo_table = dynamo_get_or_create_table(**config['dynamo_db'])
  File "/home/ec2-user/repokid/repokid/utils/dynamo.py", line 64, in dynamo_get_or_create_table
    region=dynamo_config['region'])
  File "/root/.virtualenvs/repokid/local/lib/python2.7/site-packages/cloudaux-1.2.0-py2.7.egg/cloudaux/aws/decorators.py", line 40, in decorated_function
    raise e
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole

@mcpeak
Contributor Author

mcpeak commented Dec 20, 2017

OK, let's first find out which of these you're missing:

  1. Role for Repokid instance (RepokidInstanceProfile) including a policy that allows sts:AssumeRole to RepokidRole in the target account

  2. RepokidRole in target account, with a trust policy that allows RepokidInstanceProfile to assume it

If you tell me which of these isn't set up right we can tighten up the documentation.
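
The two pieces listed above can be checked offline from the policy JSON on each side. This is an added example, not part of the original thread or Repokid's own code; the account IDs and policy documents are constructed, and the check assumes plain Allow statements (it ignores Deny, Condition, NotAction and wildcard or bare-account-ID principals).

```python
import fnmatch

def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def _allows_assume(stmt):
    # IAM action names are case-insensitive and may contain wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)

def caller_side_ok(identity_policy, target_role_arn):
    """Piece 1: the instance role's policy allows sts:AssumeRole on the target role."""
    return any(
        _allows_assume(s) and any(fnmatch.fnmatchcase(target_role_arn, r)
                                  for r in _as_list(s.get("Resource", [])))
        for s in _as_list(identity_policy["Statement"]))

def target_side_ok(trust_policy, caller_role_arn):
    """Piece 2: the target role's trust policy names the instance role or its account."""
    account_root = "arn:aws:iam::%s:root" % caller_role_arn.split(":")[4]
    for s in _as_list(trust_policy["Statement"]):
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if _allows_assume(s) and (caller_role_arn in aws or account_root in aws):
            return True
    return False

def diagnose(identity_policy, trust_policy, caller_role_arn, target_role_arn):
    """Return the numbered pieces (as in the list above) that are not set up."""
    missing = []
    if not caller_side_ok(identity_policy, target_role_arn):
        missing.append("1: instance role policy lacks sts:AssumeRole on " + target_role_arn)
    if not target_side_ok(trust_policy, caller_role_arn):
        missing.append("2: trust policy on target role does not trust " + caller_role_arn)
    return missing

# Constructed sample documents; the account IDs are placeholders.
CALLER = "arn:aws:iam::111111111111:role/RepokidInstanceProfile"
TARGET = "arn:aws:iam::222222222222:role/RepokidRole"
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/RepokidRole"}]}
TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": CALLER}}]}
# Misconfiguration: an EC2 service trust placed on the target role by mistake.
TRUST_WRONG = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}

if __name__ == "__main__":
    print(diagnose(INSTANCE_POLICY, TRUST_WRONG, CALLER, TARGET))  # piece 2 is reported
```

Either missing piece produces the same AccessDenied on AssumeRole seen in the traceback, so checking both documents is the quickest way to tell them apart.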

@arpansolanki

Thank you, that helped.
Also found this documentation if someone is looking for "similar" steps.
https://github.com/Netflix/security_monkey/blob/develop/docs/iam_aws.md

@adamdecaf
Contributor

#46 would probably be exposed/fixed as part of this.

How about a docker image?

@mcpeak
Contributor Author

mcpeak commented Feb 8, 2018

@adamdecaf I'd love a docker image!

@gigstylez

gigstylez commented May 9, 2019

I managed to get "almost" everything configured. When I run some basic repo commands, repokid doesn't find any results.

$ repokid display_role 123456789012 RepoKidTest-Role

NFO:botocore.credentials:Credentials found in config file: ~/.aws/config
2019-05-09 00:09:51,850 WARNING: Could not find role with name RepoKidTest-Role [in /home/vagrant/repokid/repokid/repokid/cli/repokid_cli.py:535]
WARNING:repokid:Could not find role with name RepoKidTest-Role

$ repokid find_roles_with_permissions "iam:ListInstanceProfiles" --output=myroles.json

There's nothing in myroles.json

I think the problem is my "aardvark_api_location" parameter in config.json?
