in internal/flavors/assetinventory/strategy_aws.go [43:89]
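// initAwsFetchers builds the asset fetchers for the configured AWS
// credentials.
//
// It initialises an AWS config from s.cfg.CloudConfig.Aws.Cred and resolves
// the calling identity. For a config.SingleAccount deployment the fetchers
// for that identity are returned directly. Otherwise the root role is assumed
// in the caller's own account, the member accounts are listed through it, and
// for each account the member role is assumed and probed with
// tryListingBuckets; accounts whose role cannot be used are logged and
// skipped rather than failing the whole scan.
//
// Errors from config initialisation, identity lookup and account listing are
// returned to the caller unchanged. As far as this block shows, assumeRole
// reports no error of its own, so a role that cannot be assumed only becomes
// visible at the probe step.
func (s *strategy) initAwsFetchers(ctx context.Context) ([]inventory.AssetFetcher, error) {
	awsConfig, err := awslib.InitializeAWSConfig(s.cfg.CloudConfig.Aws.Cred)
	if err != nil {
		return nil, err
	}

	idProvider := awslib.IdentityProvider{Logger: s.logger}
	awsIdentity, err := idProvider.GetIdentity(ctx, *awsConfig)
	if err != nil {
		return nil, err
	}

	// Early exit if we're scanning the entire account.
	if s.cfg.CloudConfig.Aws.AccountType == config.SingleAccount {
		return awsfetcher.New(ctx, s.logger, awsIdentity, *awsConfig), nil
	}

	// Assume the audit root role in the caller's account and use it to
	// enumerate the member accounts.
	rootRoleConfig := assumeRole(
		sts.NewFromConfig(*awsConfig),
		*awsConfig,
		fmtIAMRole(awsIdentity.Account, rootRole),
	)
	accountProvider := &awslib.AccountProvider{}
	accountIdentities, err := accountProvider.ListAccounts(ctx, s.logger, rootRoleConfig)
	if err != nil {
		return nil, err
	}

	var fetchers []inventory.AssetFetcher
	stsClient := sts.NewFromConfig(rootRoleConfig)
	for i := range accountIdentities {
		// Point into the slice rather than at the range variable: the
		// pointer is handed to awsfetcher.New, and the address of a range
		// variable is shared across iterations in modules built before
		// Go 1.22, which would make every fetcher see the last identity.
		identity := &accountIdentities[i]
		assumedRoleConfig := assumeRole(
			stsClient,
			rootRoleConfig,
			fmtIAMRole(identity.Account, memberRole),
		)
		// The probe is the only check here that the member role was
		// actually assumable; a failing account is skipped, not fatal.
		if ok := tryListingBuckets(ctx, s.logger, assumedRoleConfig); !ok {
			// role does not exist, skip identity/account
			s.logger.Infof("Skipping identity on purpose %+v", *identity)
			continue
		}
		fetchers = append(fetchers, awsfetcher.New(ctx, s.logger, identity, assumedRoleConfig)...)
	}
	return fetchers, nil
}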