I have the following code, which lets me list information about all resources in every account in my ~/.aws/config:
#!/bin/bash
# Output file
OUTFILE="out.txt"
###############################################################################################
# EXECUTION SECTION - Shouldn't have to change anything below this line.
###############################################################################################
rm -f "$OUTFILE"
# One iteration per "[profile name]" stanza in ~/.aws/config
for AWS_PROFILE in $(grep '\[profile ' ~/.aws/config | awk '{print $2}' | sed 's/\]//g'); do
    echo "====================================================================" >> "$OUTFILE"
    echo "!!==> $AWS_PROFILE " | tee -a "$OUTFILE"
    # Every region the account can see, including opt-in regions
    for region in $(aws --profile "$AWS_PROFILE" ec2 describe-regions --all-regions --query 'Regions[].RegionName' --output text)
    do
        echo "region = ${region}" >> "$OUTFILE"
        aws --profile "$AWS_PROFILE" resourcegroupstaggingapi get-resources --region "${region}" --query 'ResourceTagMappingList[].ResourceARN' >> "$OUTFILE"
    done
done
Again, this works; it prompts me for an MFA token as it queries each account, and at least I get raw output without errors.
For scalability I need to port it to Python, to match the rest of our codebase. I started with the following:
#!/usr/bin/env python3.9
from pprint import pprint

import boto3
from boto.sts import STSConnection
from botocore.exceptions import ClientError

role_arn = 'arn:aws:iam::account-number-removed:role/role-name-here'

# Prompt for MFA time-based one-time password (TOTP)
mfa_TOTP = input("Enter the MFA code: ")

# Legacy boto (v2) STS call: assume the role in the target account, with MFA
sts_connection = STSConnection()
tempCredentials = sts_connection.assume_role(
    role_arn=role_arn,
    role_session_name="AssumeRoleSession1",
    mfa_serial_number="arn:aws:iam::account-number-of-bastion-account-here:mfa/my-email-here",
    mfa_token=mfa_TOTP
)

# boto3 session built from the assumed role's temporary credentials
assumed_role_session = boto3.Session(
    aws_access_key_id=tempCredentials.credentials.access_key,
    aws_secret_access_key=tempCredentials.credentials.secret_key,
    aws_session_token=tempCredentials.credentials.session_token
)
print(assumed_role_session.client("sts").get_caller_identity())

client = boto3.client('resourcegroupstaggingapi', )

regions = assumed_role_session.get_available_regions('ec2')
for region in regions:
    print(region)
    try:
        client = boto3.client('resourcegroupstaggingapi', region_name=region)
        pprint([x.get('ResourceARN') for x in client.get_resources().get('ResourceTagMappingList')])
    except ClientError as e:
        print(f'Could not connect to region with error: {e}')
    print()
When I run it, the script starts and obtains the session as expected. Sensitive information has been removed.
? aws git:(master) ? ./list-resources.py
Enter the MFA code: removed
{'UserId': 'alphanumeric-characters-here:AssumeRoleSession1', 'Account': 'account-number-removed', 'Arn': 'arn:aws:sts::account-number-removed:assumed-role/role-name-here/AssumeRoleSession1', 'ResponseMetadata': {'RequestId': 'id-here', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'id-here', 'content-type': 'text/xml', 'content-length': '451', 'date': 'Thu, 06 Jan 2022 19:48:11 GMT'}, 'RetryAttempts': 0}}
However, when it goes through the regions and tries to list resources, it errors, apparently because it is still using the token from the initial account rather than the one from the assumed-role session. Also, the resources it does list belong to the bastion account, not to the assumed role's account.
af-south-1
Could not connect to region with error: An error occurred (UnrecognizedClientException) when calling the GetResources operation: The security token included in the request is invalid.
ap-east-1
Could not connect to region with error: An error occurred (UnrecognizedClientException) when calling the GetResources operation: The security token included in the request is invalid.
ap-northeast-1
[]
...
us-east-1
['arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblah-development_users-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblahUsers-sk-data-index-WriteCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:Users-WriteCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblahUsers-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblahUsers-sk-gsiSk-index-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblahUsers-sk-data-index-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblahUsers-sk-gsiSk-index-WriteCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblah_development_clinton_test-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblah-development_users-WriteCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblah_development_clinton_test-WriteCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblah-development_users-sk-index-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:Users-ReadCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblah-development_users-sk-index-WriteCapacityUnitsLimit-BasicAlarm',
'arn:aws:cloudwatch:us-east-1:account-number-of-bastion-account-here:alarm:blahblahUsers-WriteCapacityUnitsLimit-BasicAlarm']
....
us-west-2
['arn:aws:networkmanager::account-number-of-bastion-account-here:global-network/global-network-alphanumeric-values-removed']
Note that I read How to fetch all aws resources in all region in lambda function, with boto3 lib, and I don't think I need to aggregate the data here; in fact, I probably want to keep the resources in their own regions.
The boto3 client used to query resources does not seem to receive the same credentials (token, etc.) as the assumed role. Any ideas on how I can make that happen?
Reply from a uj5u.com reader:
Create the 'resourcegroupstaggingapi' client from assumed_role_session, not from the default boto3 session:
client = assumed_role_session.client('resourcegroupstaggingapi', region_name=region)
(Note that you have a duplicate client = boto3.client('resourcegroupstaggingapi', ...; you should probably delete the first one.)
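As an added example (not the original poster's or the answerer's code), the corrected flow written against boto3 only: every client in the region loop is taken from the assumed-role session, and before anything is listed the session is checked to answer as the account named in the role ARN, which is the check that would have flagged the bug above (the default-session client reports the bastion account). It goes slightly beyond the answer by paginating get_resources and by recording an UnrecognizedClientException per region instead of aborting. The role name, account ids, resource ARNs and FakeSession are constructed stand-ins so the listing logic runs offline; against AWS, assume_role_with_mfa builds the real session.

```python
"""Corrected listing flow: every client is built from the assumed-role session.
Assumes boto3/botocore for real runs; account ids, ARNs and FakeSession data are
constructed placeholders, not real data."""
from typing import Dict, Iterable, List, Optional, Union

try:
    from botocore.exceptions import ClientError
except ImportError:  # offline stand-in with botocore's (error_response, operation_name) signature
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            err = error_response["Error"]
            super().__init__(f"An error occurred ({err['Code']}) when calling the "
                             f"{operation_name} operation: {err['Message']}")


def account_id_from_arn(arn: str) -> str:
    """Account field of arn:partition:service:region:account:resource, checked as 12 digits."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or not (parts[4].isdigit() and len(parts[4]) == 12):
        raise ValueError(f"no 12-digit account id in ARN: {arn!r}")
    return parts[4]


def assume_role_with_mfa(role_arn: str, mfa_serial: str, mfa_code: str):
    """boto3.Session holding temporary credentials for role_arn (boto3 imported lazily)."""
    import boto3
    sts = boto3.client("sts")  # default session, i.e. the bastion account's credentials
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="AssumeRoleSession1",
                            SerialNumber=mfa_serial, TokenCode=mfa_code)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def verify_session_account(session, role_arn: str) -> str:
    """Fail closed unless the session answers as the account named in role_arn; run on the
    session used for listing, it catches the original bug (default session = bastion account)."""
    expected = account_id_from_arn(role_arn)
    actual = session.client("sts").get_caller_identity()["Account"]
    if actual != expected:
        raise RuntimeError(f"session is account {actual}, expected {expected}")
    return actual


def list_resource_arns(session, regions: Iterable[str]) -> Dict[str, Union[List[str], str]]:
    """Map region -> ResourceARNs, taking every client from *session*, never boto3.client.
    A region rejecting the token (an un-enabled opt-in region) is recorded as an error string."""
    results = {}
    for region in regions:
        client = session.client("resourcegroupstaggingapi", region_name=region)
        try:
            arns = []
            for page in client.get_paginator("get_resources").paginate():
                arns.extend(m["ResourceARN"] for m in page["ResourceTagMappingList"])
            results[region] = arns
        except ClientError as exc:
            results[region] = f"error: {exc}"
    return results


# Constructed stand-ins for boto3.Session and its clients so the flow runs offline.
FAKE_ACCOUNT = "222222222222"
FAKE_RESOURCES = {  # enabled regions; any other region behaves like an un-enabled opt-in region
    "us-east-1": [f"arn:aws:cloudwatch:us-east-1:{FAKE_ACCOUNT}:alarm:users-ReadCapacityUnitsLimit"],
    "eu-west-1": [],
}


class FakeSession:
    def __init__(self, account: str = FAKE_ACCOUNT):
        self.account = account

    def client(self, service_name: str, region_name: Optional[str] = None):
        return _FakeClient(self.account, region_name)


class _FakeClient:
    def __init__(self, account: str, region: Optional[str]):
        self.account, self.region = account, region

    def get_caller_identity(self):
        return {"Account": self.account}

    def get_paginator(self, operation_name: str):
        return self

    def paginate(self):
        if self.region not in FAKE_RESOURCES:
            raise ClientError({"Error": {"Code": "UnrecognizedClientException",
                                         "Message": "The security token included in the request is invalid."}},
                              "GetResources")
        yield {"ResourceTagMappingList": [{"ResourceARN": a} for a in FAKE_RESOURCES[self.region]]}


def demo() -> Dict[str, Union[List[str], str]]:
    """Run the corrected flow against FakeSession; with AWS, replace FakeSession() by
    assume_role_with_mfa(ROLE_ARN, MFA_SERIAL, input("Enter the MFA code: "))."""
    session = FakeSession()
    verify_session_account(session, f"arn:aws:iam::{FAKE_ACCOUNT}:role/audit-role")  # hypothetical role
    return list_resource_arns(session, ["us-east-1", "eu-west-1", "af-south-1"])
```

The account check is deliberately placed on the same session object the listing uses, not on a separately built client; in the original script the get_caller_identity call went through assumed_role_session while the listing went through boto3.client, so the printed identity said nothing about the credentials actually used for get_resources.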