
How to create Temporary Security Credentials on AWS

I'm trying to use Apache Libcloud (Web), and while reading the documentation on how to use it with Amazon EC2 I'm stuck on a step at the beginning.

On this step:

from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

cls = get_driver(Provider.EC2)
driver = cls('temporary access key', 'temporary secret key',
             token='temporary session token', region="us-west-1")

You need to pass the temporary access data, and it tells you to read the Amazon documentation, but although I've read the documentation, it's not very clear to me what I have to do to get my temporary credentials.

The doc says that you can interact with the AWS STS API to connect to the endpoint, but I don't understand how you get the credentials. Moreover, in the Libcloud (Web) example they use the personal credentials:

ACCESS_ID = 'your access id'
SECRET_KEY = 'your secret key'

So I'm a bit lost. How can I get my temporary credentials to use in my code?

Thanks and regards.

If this code does not run on an EC2 instance, I suggest you go with static credentials:

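from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

# Long-term IAM user access key pair (no session token)
ACCESS_ID = 'your access id'
SECRET_KEY = 'your secret key'

cls = get_driver(Provider.EC2)
driver = cls(ACCESS_ID, SECRET_KEY, region="us-west-1")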

To create access credentials:

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/ .
  2. In the navigation pane, choose Users.
  3. Choose the name of the desired user, and then choose the Security Credentials tab.

If needed, expand the Access Keys section and do any of the following:

Choose Create Access Key and then choose Download Credentials to save the access key ID and secret access key to a CSV file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the CSV file, choose Close.

If you want to run your code from an EC2 machine, you can get temporary credentials by assuming an IAM role using the AWS SDK for Python (https://boto3.readthedocs.io/en/latest/guide/quickstart.html), by calling assume_role() on the STS service (https://boto3.readthedocs.io/en/latest/reference/services/sts.html).

@Aker666 from what I have found on the web, you're still expected to use the regular AWS API to obtain this information.

The basic snippet that works for me is:

import boto3
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

# Long-term keys, used here only to authenticate the call to STS
boto3.setup_default_session(aws_access_key_id='somekey',
                            aws_secret_access_key='somesecret',
                            region_name="eu-west-1")
sts_client = boto3.client('sts')

# Assume the role; the response carries the temporary credentials
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::701********:role/iTerm_RO_from_TGT",
    RoleSessionName='update-cloud-hosts.aviadraviv@Aviads-MacBook-Pro.local'
)

# Pass the temporary key, secret and session token to the libcloud EC2 driver
cls = get_driver(Provider.EC2)
driver = cls(assumed_role_object['Credentials']['AccessKeyId'],
             assumed_role_object['Credentials']['SecretAccessKey'],
             token=assumed_role_object['Credentials']['SessionToken'],
             region="eu-west-1")

nodes = driver.list_nodes()
print(nodes)

Hope this helps anyone.
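
An added example, not part of the original answers or of the Libcloud or boto3 documentation: credentials returned by assume_role() expire, so this sketch caches them, re-assumes the role shortly before the Expiration time, and lets boto3 find the caller's keys through its default credential chain instead of literals in the source. The class and function names, the role ARN and the session name are hypothetical placeholders.

```python
from datetime import datetime, timedelta, timezone


class TemporaryCredentials:
    """Caches assume_role() output and re-assumes the role shortly before expiry."""

    def __init__(self, sts_client, role_arn, session_name,
                 duration_seconds=900, refresh_margin=timedelta(minutes=5)):
        self._sts = sts_client
        self._params = dict(RoleArn=role_arn, RoleSessionName=session_name,
                            DurationSeconds=duration_seconds)
        self._margin = refresh_margin
        self._creds = None

    def get(self, now=None):
        """Return the current credentials dict, renewing it if close to expiry."""
        now = now or datetime.now(timezone.utc)
        # boto3 returns Expiration as a timezone-aware datetime.
        if self._creds is None or self._creds["Expiration"] - now <= self._margin:
            self._creds = self._sts.assume_role(**self._params)["Credentials"]
        return self._creds

    def libcloud_args(self, now=None):
        """Return (args, kwargs) to pass to the libcloud EC2 driver class."""
        c = self.get(now)
        return (c["AccessKeyId"], c["SecretAccessKey"]), {"token": c["SessionToken"]}


def ec2_driver(creds, region):
    """Build a libcloud EC2 driver from the current temporary credentials."""
    from libcloud.compute.providers import get_driver
    from libcloud.compute.types import Provider
    args, kwargs = creds.libcloud_args()
    return get_driver(Provider.EC2)(*args, region=region, **kwargs)


if __name__ == "__main__":
    import boto3
    # No keys in the source: boto3 resolves the caller's identity from its default
    # chain (environment variables, shared config, or the EC2 instance profile).
    creds = TemporaryCredentials(
        boto3.client("sts"),
        role_arn="arn:aws:iam::123456789012:role/EXAMPLE-ReadOnly",  # placeholder ARN
        session_name="libcloud-inventory",  # placeholder session name
    )
    driver = ec2_driver(creds, region="eu-west-1")
    print(driver.list_nodes())  # call ec2_driver() again later to pick up renewed keys
```
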
