我正在尝试使用账户 A 中的 Lambda 从账户 B 获取 EC2 实例。不确定我缺少什么。
账户 A:Lambda 代码正在运行。账户 B:EC2 实例正在运行。下面的 Assume Role 打印访问密钥和会话令牌 ID,但不返回任何结果。
账户 B 中的 IAM 角色附加了 AmazonEC2ReadOnlyAccess 策略,并且信任关系具有 arn:aws:iam::ACCOUNT_A:role/role-name_ACCOUNT_A
这是代码:
import json
import boto3
from collections import OrderedDict
from pprint import pprint
import time
from time import sleep
from datetime import date
import datetime
def lambda_handler(event, context):
# Assume Role To connect to other Account
sts_connection = boto3.client('sts')
acct_b = sts_connection.assume_role(
RoleArn="arn:aws:iam::ACCOUNT_B:role/role_name_account_B",
RoleSessionName="cross_acct_lambda"
)
ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
SESSION_TOKEN = acct_b['Credentials']['SessionToken']
# create service client using the assumed role credentials, e.g. S3
ec2 = boto3.client(
"ec2",
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN,
)
status = ec2.describe_instance_status()
pprint(status)
return {
'statusCode': 200,
'body': json.dumps('Hello from Lambda!')
}
结果:
Response:
{
"statusCode": 200,
"body": "\"Hello from Lambda!\""
}
结果:
Response:
{
"statusCode": 200,
"body": "\"Hello from Lambda!\""
}
Request ID:
"ZZZZZZZZZZZZZZZZZZZZ"
功能日志:
START RequestId: ZZZZZZZZZZZZZZZZZZ Version: $LATEST
{'InstanceStatuses': [],
谢谢。