Boto3 在本地承担角色，因为 ECS 任务将用于测试目的

Question

I am currently working on the development of a flask application that will be deployed in ECS using boto3 and python.

Currently, for the development of it, I have a python env where I program the different functionalities and interact with the boto3 API assuming roles using the profiles in the .aws / credentials file:

iam = boto3.Session (profile_name = "account_alias", region_name = 'eu-west-1'). client ('iam')

However, to deploy it in the ECS I have to change all these sessions to something like this so that it is assumed by the role of the task:

try:
    sts_client = boto3.client ('sts')
    assumed_role_object = sts_client.assume_role (
        RoleArn = "arn: aws: iam ::" + str (Account) + ": role /" + str (Role)
except Exception as e:
    logging.exception ("Could NOT assume role in account:% s", Account)

credentials = assumed_role_object ['Credentials']

boto3_session = boto3.session.Session (
    aws_access_key_id = credentials ['AccessKeyId'],
    aws_secret_access_key = credentials ['SecretAccessKey'],
    aws_session_token = credentials ['SessionToken'],
)

This makes it unable to test it locally (impossible to assume) and leads to numerous errors when deploying it (creating the ECR without testing it).

Is there a way to assume roles without profiles locally in the same way that the task will in the ECS?

Thank you.

Answer 1

I recommend you make a consistently-named role that will exist in all the target accounts. Make the trust policy of that role such that your own credentials can assume it (access key and secret that you are using for your default profile). Then you can use the same logic to assume a role during your local development and not have to change anything. Essentially, instead of using local profiles with different credentials, you would use a single credential that has permission to assume a role in every target account. I've worked in an environment with the same problem, and doing this allows me to have the same local code that I deploy.

There's no reason your local code can't also assume a role, and if there are concerns about making a role that you can assume in all those target accounts just consider that by using different profiles (with, I assume, different credentials) you must already have access to do the things you would be doing by assuming the role. If the role has more permissions than you should have, then make a new role so you assume different roles locally and in AWS. But at least that will allow you to use the same code--just with a different role name variable passed in.

You'll either need to make ECR usage use profiles or make localhost usage assume roles if you want the code to be the same, and I believe it is easier to make localhost usage assume roles than to get your ECR tasks set up to use profiles.