0

我想使用 aws SSM 通过假设具有以下策略定义的 IAM 角色 (iam_ssm_role) 对 ec2 实例 (i-0691847a77) 执行 ssm:DescribeInstanceInformation。

两个 IAM 角色都在同一个 aws 帐户上,并且 iam_base_role arn 已添加为 iam_ssm_role 中的可信策略。

     {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "ssm:*",
            "ec2:DescribeImages",
            "cloudwatch:PutMetricData",
            "ec2:DescribeInstances",
            "lambda:InvokeFunction",
            "ec2:DescribeTags",
            "ec2:DescribeVpcs",
            "cloudwatch:GetMetricStatistics",
            "ec2:DescribeSubnets",
            "ec2:DescribeKeyPairs",
            "cloudwatch:ListMetrics",
            "ec2:DescribeSecurityGroups"
        ],
        "Resource": "*"
    }

我在具有 IAM 角色 (iam_base_role) 的 ec2 实例上运行以下代码

import boto3
from boto3.session import Session


def assume_role(arn, session_name):
    client = boto3.client('sts')
    response = client.assume_role(RoleArn=arn, RoleSessionName=session_name)
    session = Session(aws_access_key_id=response['Credentials']['AccessKeyId'],
                  aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                  aws_session_token=response['Credentials']['SessionToken'])
    client = session.client('sts')
    account_id = client.get_caller_identity()["Account"]
    print(response['AssumedRoleUser']['AssumedRoleId'])
assume_role('arn:aws:iam::000001:role/iam_ssm_role', 'ssm_session')


client = boto3.client('ssm', region_name = 'us-east-1')
ssm_response = client.describe_instance_information(
    InstanceInformationFilterList=[
        {
            'key': 'InstanceIds',
            'valueSet': [
                'i-0f0099877fgg'
            ]
        }
    ]
)

print(ssm_response)

我收到拒绝访问错误,假定的角色显示为“iam_ssm_role”,但看起来 SSM 正在使用 iam_base_role 而不是 iam_ssm_role

AROAV6BDS6PTVQBU:iam_ssm_role

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeInstanceInformation operation: User: arn:aws:sts::000001:assumed-role/iam_base_role/i-0691847a77 is not authorized to perform: ssm:DescribeInstanceInformation on resource: arn:aws:ssm:us-east-1:000001:*
4

1 回答 1

2

好的,我发现我之前的代码存在问题,我没有在 boto3.client SSM 部分使用假定的 iam 角色凭据。

我现在可以成功运行代码,我现在正在使用下面的代码。

import boto3

boto_sts=boto3.client('sts')
stsresponse = boto_sts.assume_role(
    RoleArn="arn:aws:iam::000001:role/iam_ssm_role",
    RoleSessionName='newsession'
)

newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]


client = boto3.client('ssm', 
                      region_name = 'us-east-1',
                      aws_access_key_id=newsession_id,
                      aws_secret_access_key=newsession_key,
                      aws_session_token=newsession_token)

ssm_response = client.describe_instance_information(
    InstanceInformationFilterList=[
        {
            'key': 'InstanceIds',
            'valueSet': [
                'i-0f0099877fgg'
            ]
        }
    ]
)

print(ssm_response)
于 2019-09-20T04:19:17.437 回答