Fix bug in IAM role policy sync caused by AWSRole nodes created witho…

…ut name attributes. (#62) * Fix bug in IAM role policy sync. * Fix schema doc bug * exists
cartography-cncf · May 1, 2019 · faf0038 · faf0038
1 parent e7f7fce
commit faf0038
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/cartography/intel/aws/iam.py b/cartography/intel/aws/iam.py
@@ -440,7 +440,11 @@ def sync_group_policies(neo4j_session, boto3_session, current_aws_account_id, aw
 
 def sync_role_policies(neo4j_session, boto3_session, current_aws_account_id, aws_update_tag, common_job_parameters):
     logger.debug("Syncing IAM role policies for account '%s'.", current_aws_account_id)
-    query = "MATCH (role:AWSRole)<-[:AWS_ROLE]-(AWSAccount{id: {AWS_ACCOUNT_ID}}) return role.name as name;"
+    query = """
+    MATCH (role:AWSRole)<-[:AWS_ROLE]-(AWSAccount{id: {AWS_ACCOUNT_ID}})
+    WHERE exists(role.name)
+    RETURN role.name AS name;
+    """
     result = neo4j_session.run(query, AWS_ACCOUNT_ID=current_aws_account_id)
     roles = [r['name'] for r in result]
     roles_policies = {}

diff --git a/docs/schema.md b/docs/schema.md
@@ -307,6 +307,12 @@ Representation of an AWS [IAM Role](https://docs.aws.amazon.com/IAM/latest/APIRe
     (AWSGroup, AWSUser, AWSPrincipal)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
     ```
 
+- Some AWS Roles can assume other AWS Roles.
+
+    ```
+    (AWSRole)-[STS_ASSUMEROLE_ALLOW]->(AWSRole)
+    ```
+
 - AWS Roles are defined in AWS Accounts.
 
     ```
@@ -1082,4 +1088,4 @@ Representation of an AWS S3 [Bucket](https://docs.aws.amazon.com/AmazonS3/latest
 
 	```
 	(S3Acl)-[APPLIES_TO]->(S3Bucket)
-	```
+	```