如何在没有AWS Vault的情况下使用boto3?
[英]How to use boto3 without AWS Vault?
问题描述
I have the following method that is working in Python: 
我有以下在Python中工作的方法:
def connect_s3_boto3():
try:
os.environ['AWS_PROFILE'] = "a9e"
s3 = boto3.resource('s3')
return s3
except:
raise
The issue is that works using ~/.aws/config : 问题是使用~/.aws/config可以正常工作:
[profile home]
aws_access_key_id=ID
aws_secret_access_key=SECRET
[profile a9e]
region=eu-west-1
role_arn=DAROLE
source_profile=home
So, I've a set of doubts. 因此,我有一系列疑问。 In a production environment where I want to use that method, I need to set AWS Vault? 在要使用该方法的生产环境中,需要设置AWS Vault? There is no other alternative? 有没有其他选择? For example using IAM_ROLE as in boto2 . 例如使用IAM_ROLE如boto2 。
1 个解决方案
解决方案1
1 已采纳 2019-04-16 21:56:38
For code running on an Amazon EC2 instance: 对于在Amazon EC2实例上运行的代码:
- Create an IAM Role and assign appropriate permissions 创建IAM角色并分配适当的权限
- Associate the role with an Amazon EC2 instance 将角色与Amazon EC2实例相关联
- Any code running on the instance that calls an AWS SDK will automatically obtain credentials associated with the role 在调用AWS开发工具包的实例上运行的任何代码将自动获取与角色相关联的凭证
- There is no need to put Access Key, Secret Key nor Role in the config/credentials files 无需在配置/凭证文件中放置访问密钥,秘密密钥或角色
See: IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud 请参阅: Amazon EC2的IAM角色-Amazon Elastic Compute Cloud
If you are running code on a non-EC2 computer, then you will need entries in the config/credentials files. 如果在非EC2计算机上运行代码,则需要在config / credentials文件中输入条目。 This will involve at minimum an Access Key and Secret Key associated with an IAM User. 这将至少涉及与IAM用户关联的访问密钥和秘密密钥。 If you then wish to use an IAM Role, the code would need to AssumeRole() using those credentials. 如果您随后希望使用IAM角色,则代码将需要使用这些凭据进行AssumeRole() 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.