AWS_SESSION_TOKEN ignored #1167

Closed
iamjpotts opened this issue Mar 10, 2023 · 0 comments
TruffleHog Version

Docker image trufflesecurity/trufflehog:3.29.0

Trace Output

2023-03-10T18:35:20Z    info-2  trufflehog      trufflehog 3.29.0
2023-03-10T18:35:20Z    info-2  trufflehog      engine started  {"workers": 16}
2023-03-10T18:35:20Z    info-2  trufflehog      loaded decoders {"count": 2}
2023-03-10T18:35:20Z    info-2  trufflehog      loaded detectors        {"total": 728, "verification_enabled": 728, "verification_disabled": 0}
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2023-03-10T18:35:20Z    info-0  trufflehog      Scanning bucket {"source_type": "SOURCE_TYPE_S3", "source_name": "s3", "bucket": "xxx"}
2023-03-10T18:35:21Z    error   trufflehog      could not list objects in s3 bucket     {"source_type": "SOURCE_TYPE_S3", "source_name": "s3", "bucket": "xxx", "error": "InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.\n\tstatus code: 403, request id: xxx, host id: xxx"}
2023-03-10T18:35:21Z    info-0  trufflehog      Scanning bucket {"source_type": "SOURCE_TYPE_S3", "source_name": "s3", "bucket": "xxx"}
2023-03-10T18:35:21Z    error   trufflehog      could not list objects in s3 bucket     {"source_type": "SOURCE_TYPE_S3", "source_name": "s3", "bucket": "xxx", "error": "InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.\n\tstatus code: 403, request id: xxx, host id: xxx/xxx="}
2023-03-10T18:35:22Z    info-2  trufflehog      finished scanning       {"chunks": 0, "bytes": 0}

Expected Behavior

TruffleHog can be run using temporary credentials defined by an AWS access key id + secret key + session token.

Actual Behavior

Failure to authenticate with AWS before scanning a bucket:

The AWS Access Key Id you provided does not exist in our records.

Steps to Reproduce

  1. Run aws sts get-session-token to output a json object with the three required environment variable values
  2. Save the below script
  3. Modify the script to use the values from aws sts get-session-token
  4. Run the script. Observe that the aws s3 ls command succeeds, but the TruffleHog command fails with The AWS Access Key Id you provided does not exist in our records.

#!/bin/bash

set -e

# Placeholder values; replace with the output of `aws sts get-session-token`
aws_access_key_id=foo
aws_secret_access_key=bar
aws_session_token=qux

echo "$aws_access_key_id"

# Control: the AWS CLI authenticates with the same three variables
docker run \
    --rm \
    -e AWS_ACCESS_KEY_ID="$aws_access_key_id" \
    -e AWS_SECRET_ACCESS_KEY="$aws_secret_access_key" \
    -e AWS_SESSION_TOKEN="$aws_session_token" \
    -u 10000:10000 \
    amazon/aws-cli \
    s3 ls

# Same credentials passed to TruffleHog; fails with InvalidAccessKeyId
docker run \
    --rm \
    -e AWS_ACCESS_KEY_ID="$aws_access_key_id" \
    -e AWS_SECRET_ACCESS_KEY="$aws_secret_access_key" \
    -e AWS_SESSION_TOKEN="$aws_session_token" \
    -u 10000:10000 \
    ghcr.io/trufflesecurity/trufflehog:3.29.0 \
    s3 --bucket=some-non-public-bucket --no-update

Environment

  • OS: Docker host is Ubuntu 22.04 LTS
  • Docker version 20.10.12, build 20.10.12-0ubuntu4

Additional Context

None

References

None
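As an added illustration (not code from the issue or from TruffleHog), the following shows why dropping AWS_SESSION_TOKEN produces exactly the InvalidAccessKeyId error in the trace above: an STS-issued access key ID (prefix ASIA) is only meaningful to S3 when the matching session token is sent as the signed x-amz-security-token header, so a client that reads the key id and secret but ignores the token signs a request S3 cannot attribute to any known key. The environment-variable names are the ones used in the issue's script; the bucket, region and credential values passed in are constructed sample inputs.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Mapping, Optional


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None

    @property
    def is_temporary(self) -> bool:
        # STS-issued (temporary) access key IDs start with "ASIA"; long-term IAM user keys start with "AKIA".
        return self.access_key_id.startswith("ASIA")

def credentials_from_env(env: Mapping[str, str]) -> AwsCredentials:
    """Read the same three variables the issue's script exports, refusing a half-read credential set."""
    creds = AwsCredentials(env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"], env.get("AWS_SESSION_TOKEN"))
    if creds.is_temporary and not creds.session_token:
        # Signing with an ASIA key but no token is the situation S3 answers with InvalidAccessKeyId.
        raise ValueError("temporary access key without AWS_SESSION_TOKEN")
    return creds

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(creds: AwsCredentials, bucket: str, region: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """SigV4 headers for `GET /?list-type=2` (ListObjectsV2) against a virtual-hosted-style bucket URL."""
    now = now or datetime.now(timezone.utc)
    amz_date, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET has an empty body
    headers = {"host": f"{bucket}.s3.{region}.amazonaws.com", "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if creds.session_token:
        # The session token travels as a signed header; without it the ASIA key ID is unknown to S3.
        headers["x-amz-security-token"] = creds.session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["GET", "/", "list-type=2", canonical_headers, signed, payload_hash])
    scope = f"{datestamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = _hmac_sha256(("AWS4" + creds.secret_access_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        signing_key = _hmac_sha256(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = f"AWS4-HMAC-SHA256 Credential={creds.access_key_id}/{scope}, SignedHeaders={signed}, Signature={signature}"
    return headers
```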

@iamjpotts iamjpotts added the bug label Mar 10, 2023
iamjpotts added a commit to iamjpotts/trufflehog that referenced this issue Mar 10, 2023
…KEN environment variable and adding a --session-token cli arg
iamjpotts added a commit to iamjpotts/trufflehog that referenced this issue Mar 10, 2023
…KEN environment variable and adding a --session-token cli arg
iamjpotts added a commit to iamjpotts/trufflehog that referenced this issue Apr 3, 2023
…KEN environment variable and adding a --session-token cli arg