
Minimum IAM policy required to run Boto functions

I'm trying to run some boto functions in a python script. I need to create an IAM policy with the minimum required permissions to execute those boto functions. Is there a good way I can relate those boto functions to the AWS IAM permissions that I'd need to execute them?

For example, here are the boto modules (python) I have. What IAM permissions would a user need to run them? Is there a good way to find this?

boto.ec2.autoscale.connect_to_region
boto.ec2.elb.connect_to_region
boto.ec2.connect_to_region
boto.ec2.instance.Instance
boto.ec2.elb.loadbalancer.LoadBalancer
boto.ec2.autoscale.group.AutoScalingGroup

There is no 1:1 correlation between the functions you listed and an API call to AWS.

If you use a client function, then you need the specific permission for that function, such as:

response = ec2_client.describe_instances()

This command would require ec2:DescribeInstances permission.

boto3 also provides resource functions that provide a more object-like experience, such as:

instance = ec2_resource.Instance('id')

Such functions could call any number of underlying API calls, so it is not easy to determine the permissions required for such calls.

You can use AWS CloudTrail to view the underlying API calls that were made, so that permissions can be determined.
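One way to turn the CloudTrail approach from the answer into a first policy draft, as an added example that is not part of the question or the answer: it reads CloudTrail event records (the sample records below are constructed, not real account data), derives IAM action names from each record's eventSource and eventName, and emits a policy with one statement per service. The SERVICE_PREFIX_OVERRIDES map is an assumption covering services whose CloudTrail eventSource host differs from the IAM service prefix; Resource "*" is only a starting point to be narrowed to specific ARNs.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (only the fields this script uses).
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "DescribeAutoScalingGroups"},
    {"eventSource": "elasticloadbalancing.amazonaws.com", "eventName": "DescribeLoadBalancers"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricStatistics"},
    # A denied call is recorded with an errorCode; it still shows which permission was missing.
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "errorCode": "Client.UnauthorizedOperation"},
]

# Assumption: the eventSource host usually equals the IAM service prefix, but not always.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def iam_action(record):
    """Map one CloudTrail record to an IAM action string such as 'ec2:DescribeInstances'."""
    host = record["eventSource"].split(".")[0]
    prefix = SERVICE_PREFIX_OVERRIDES.get(host, host)
    return f"{prefix}:{record['eventName']}"


def actions_from_records(records, include_denied=True):
    """Return the sorted, de-duplicated IAM actions observed in the records."""
    actions = set()
    for rec in records:
        if not include_denied and "errorCode" in rec:
            continue
        actions.add(iam_action(rec))
    return sorted(actions)


def build_policy(actions):
    """Group actions by service prefix into Allow statements; Resource '*' is a draft to narrow."""
    by_service = defaultdict(list)
    for act in actions:
        by_service[act.split(":")[0]].append(act)
    statements = [{"Effect": "Allow", "Action": acts, "Resource": "*"}
                  for _, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(actions_from_records(SAMPLE_RECORDS)), indent=2))
```

Run it against records exported from your own trail (for example the output of the CloudTrail lookup-events API) after exercising the script once under a broad role, then remove the actions you do not want to grant and scope the Resource entries.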

