我有一个程序会处理许多帐户并进行盘点。现在它正在使用 boto3 和 AWS 密钥。
我想摆脱 aws 键,而是将角色分配给实例并使用该角色切换帐户。
我知道如何为用户分配外部角色,但我不知道如何使用实例角色来执行此操作。
这里的想法是做这样的事情:
任何想法如何做到这一点?
【问题讨论】:
标签: amazon-web-services boto3 amazon-iam
你的方法是正确的。你可以这样做:
Describe* 调用)然后,您的应用程序可以使用 Main Role(分配给 EC2 实例)在子账户中的每个 Target Roles 上调用 AssumeRole()(根据你的第 2 步)。
因此,您的流程实际上是:
【讨论】:
您可以先调用 org API 来列出帐户,这与您可以为具有跨帐户角色的每个帐户调用相同的方式 确保您的 Ec2 角色具有足够的权限来担任子帐户的角色
def get_accounts():
sts_role = 'arn:aws:iam::XXX:role/AWSAudit_CrossOrgAccess' # Org Billing API
assumedRoleObject = sts.assume_role(RoleArn=str(sts_role), RoleSessionName="accounts_watcher_lambda" )
credentials = assumedRoleObject['Credentials']
conn = boto3.client( 'organizations', aws_access_key_id=credentials['AccessKeyId'], aws_secret_access_key=credentials['SecretAccessKey'], aws_session_token=credentials['SessionToken'],)
list_of_accounts = conn.list_accounts()
return list_of_accounts```
## Your Ec2 role looks like
`
YourServerEc2Profile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: '/'
Roles:
- Ref: YourServerEc2Role
YourServerEc2Role:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
Policies:
-
PolicyName: AuditInstall
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Action:
- "ssm:*",
- "ec2:DescribeImages",
- "cloudwatch:PutMetricData",
- "ec2:DescribeInstances",
- "lambda:InvokeFunction",
- "ec2:DescribeTags",
- "ec2:DescribeVpcs",
- "cloudwatch:GetMetricStatistics",
- "ec2:DescribeSubnets",
- "ec2:DescribeKeyPairs",
- "cloudwatch:ListMetrics",
- "ec2:DescribeSecurityGroups"
Resource: "*"
Effect: "Allow"
ManagedPolicyArns:
- !Ref YourServerCrossAccount
- arn:aws:iam::aws:policy/ReadOnlyAccess
YourServerCrossAccount:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- sts:AssumeRole
Resource:
- arn:aws:iam::XXX:role/AWS_CrossAccount
`
【讨论】: