Detect account ID automatically via access key

Author: iann0036

README.md

@@ -64,7 +64,7 @@ You can optionally also include the following arguments to the `iamlive` command
 
 **--ca-key:** _[experimental]_ the CA certificate key to use for proxy mode (_default: ~/.iamlive/ca.key_)
 
-**--account-id:** _[experimental]_ the AWS account ID to use in policy outputs within proxy mode (_default: 123456789012_)
+**--account-id:** _[experimental]_ the AWS account ID to use in policy outputs within proxy mode (_default: 123456789012 unless detected_)
 
 _Basic Example (CSM Mode)_
 

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/buger/goterm v0.0.0-20200322175922-2f3e71b85129
 	github.com/clbanning/mxj/v2 v2.3.2
 	github.com/iann0036/goproxy v0.0.0-20210327130343-c3ec674b9022
+	github.com/kenshaw/baseconv v0.1.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/smartystreets/goconvey v1.6.4 // indirect
 	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c // indirect

go.sum

@@ -8,6 +8,8 @@ github.com/iann0036/goproxy v0.0.0-20210327130343-c3ec674b9022/go.mod h1:amSgpNk
 github.com/iann0036/goproxy/ext v0.0.0-20210327125723-db8542d80343 h1:oaTtJCbhCLSueJFpPwaxWZDKBBBkTv6+y5lprHPGFWs=
 github.com/iann0036/goproxy/ext v0.0.0-20210327125723-db8542d80343/go.mod h1:3SmG3m42N72tivanmYJdY5joEWn5/bEzgawDLBA7T6g=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/kenshaw/baseconv v0.1.0 h1:eZd+ZgNkU8jxjp/dTwAhPwI923cz1PE7ARRKUPXjZ5A=
+github.com/kenshaw/baseconv v0.1.0/go.mod h1:yy9zGmnnR6vgOxOQb702nVdAG30JhyYZpj/5/m0siRI=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=

logger.go

@@ -9,10 +9,12 @@ import (
 	"reflect"
 	"regexp"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
 	"github.com/buger/goterm"
+	"github.com/kenshaw/baseconv"
 )
 
 //go:embed map.json
@@ -35,7 +37,8 @@ type Entry struct {
 	Method              string `json:"Api"`
 	Parameters          map[string][]string
 	URIParameters       map[string]string
-	FinalHTTPStatusCode int `json:"FinalHttpStatusCode"`
+	FinalHTTPStatusCode int    `json:"FinalHttpStatusCode"`
+	AccessKey           string `json:"AccessKey"`
 }
 
 // Statement is a single statement within an IAM policy
@@ -602,6 +605,41 @@ func getStatementsForProxyCall(call Entry) (statements []Statement) {
 	return statements
 }
 
+func getAccountFromAccessKey(accessKeyId string) (string, error) {
+	base10 := "0123456789"
+	base32AwsFlavour := "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
+
+	offsetStr, err := baseconv.Convert("QAAAAAAA", base32AwsFlavour, base10)
+	if err != nil {
+		return "", err
+	}
+	offset, err := strconv.Atoi(offsetStr)
+	if err != nil {
+		return "", err
+	}
+
+	offsetAccountIdStr, err := baseconv.Convert(accessKeyId[4:12], base32AwsFlavour, base10)
+	if err != nil {
+		return "", err
+	}
+	offsetAccountId, err := strconv.Atoi(offsetAccountIdStr)
+	if err != nil {
+		return "", err
+	}
+
+	accountId := 2 * (offsetAccountId - offset)
+
+	if strings.Index(base32AwsFlavour, accessKeyId[12:13]) >= strings.Index(base32AwsFlavour, "Q") {
+		accountId++
+	}
+
+	if accountId < 0 {
+		return "", fmt.Errorf("negative account ID")
+	}
+
+	return fmt.Sprintf("%012d", accountId), nil
+}
+
 func subARNParameters(arn string, call Entry, specialsOnly bool) (bool, []string) {
 	arns := []string{arn}
 
@@ -638,6 +676,15 @@ func subARNParameters(arn string, call Entry, specialsOnly bool) (bool, []string
 	}
 
 	account := *accountIDFlag
+	var err error
+
+	if account == "" && call.AccessKey != "" {
+		account, err = getAccountFromAccessKey(call.AccessKey)
+		if err != nil || account == "" {
+			account = "123456789012"
+		}
+	}
+
 	partition := "aws"
 	if call.Region[0:3] == "cn-" {
 		partition = "aws-cn"

main.go

@@ -42,7 +42,7 @@ func parseConfig() {
 	bindAddr := "127.0.0.1:10080"
 	caBundle := "~/.iamlive/ca.pem"
 	caKey := "~/.iamlive/ca.key"
-	accountID := "123456789012"
+	accountID := ""
 	background := false
 	forceWildcardResource := false
 

proxy.go

@@ -578,6 +578,17 @@ func handleAWSRequest(req *http.Request, body []byte, respCode int) {
 		}
 	}
 
+	// attempt to determine access key from auth header
+	accessKey := ""
+	authHeader := req.Header.Get("Authorization")
+	credOffset := strings.Index(authHeader, "Credential=")
+	if credOffset > 0 {
+		endOfKey := strings.Index(authHeader[credOffset:], "/")
+		if endOfKey > 0 {
+			accessKey = authHeader[credOffset+len("Credential=") : credOffset+endOfKey]
+		}
+	}
+
 	callLog = append(callLog, Entry{
 		Region:              region,
 		Type:                "ProxyCall",
@@ -586,6 +597,7 @@ func handleAWSRequest(req *http.Request, body []byte, respCode int) {
 		Parameters:          params,
 		URIParameters:       uriparams,
 		FinalHTTPStatusCode: respCode,
+		AccessKey:           accessKey,
 	})
 
 	handleLoggedCall()