
List resource for child account from master account using boto3?

I am using python and boto3 to list the resources that my organization has. I am listing the resources from my master account without a problem, but I also need to list the resources from the child accounts as well. I can get the child account IDs, but that's pretty much it.

Any help?

You will need access to a set of credentials that belong to the child account.

From Accessing and Administering the Member Accounts in Your Organization - AWS Organizations:

When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role in the account. This role has full administrative permissions in the member account. The role is also configured to grant that access to the organization's master account.

To use this role to access the member account, you must sign in as a user from the master account that has permissions to assume the role.

So, you can assume the IAM Role in the child account, which then provides a set of temporary credentials that can be used with boto3 to make API calls to the child account.

import boto3

# The role that AWS Organizations created in the member account, plus a
# session name that will show up in the member account's CloudTrail logs.
role_info = {
    'RoleArn': 'arn:aws:iam::<AWS_ACCOUNT_NUMBER>:role/<AWS_ROLE_NAME>',
    'RoleSessionName': '<SOME_SESSION_NAME>'
}

# AssumeRole is called with the master account's credentials (default profile).
client = boto3.client('sts')
credentials = client.assume_role(**role_info)

# The response carries temporary credentials (they expire; see
# credentials['Credentials']['Expiration']). A session built from them
# makes every call as the role in the child account.
session = boto3.session.Session(
    aws_access_key_id=credentials['Credentials']['AccessKeyId'],
    aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
    aws_session_token=credentials['Credentials']['SessionToken']
)

# e.g. list S3 buckets in the child account
s3 = session.client('s3')

An easier way is to put the role in your .aws/config file as a new profile. Then, you can specify a profile when making function calls:

# In ~/.aws/credentials:
[master]
aws_access_key_id=foo
aws_secret_access_key=bar

# In ~/.aws/config
[profile child1]
role_arn=arn:aws:iam:...
source_profile=master

Use it like this:

# profile_name must match the [profile ...] entry in ~/.aws/config
session = boto3.session.Session(profile_name='child1')
s3 = session.client('s3')

See: How to choose an AWS profile when using boto3 to connect to CloudFront
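Putting the answer's two pieces together (enumerate the child accounts, assume the role in each, make API calls with the temporary credentials), here is an added example that is not part of the original answer. It assumes the role is named OrganizationAccountAccessRole (the name Organizations gives the role it creates by default), a session name of org-inventory, and S3 buckets as the resource to list; all three are assumptions chosen for illustration. The AWS clients are passed in as parameters so the logic can be exercised with fakes; `main()` wires in real boto3 clients and must run with credentials for the master (management) account, since only that account can call `organizations:ListAccounts` and assume the member role.

```python
"""List S3 buckets in every member account of an AWS Organization.

Added example, not code from the original answer. Assumed for illustration:
the role name (the default one Organizations creates), the session name, and
S3 as the resource being listed.
"""

ROLE_NAME = "OrganizationAccountAccessRole"  # assumed: default role Organizations creates
SESSION_NAME = "org-inventory"               # assumed: appears in the member's CloudTrail


def list_member_accounts(org_client):
    """Return (id, name) for every ACTIVE account, following NextToken pagination.

    org_client is a boto3 Organizations client (or a fake with the same
    list_accounts/NextToken contract). SUSPENDED accounts are skipped because
    AssumeRole into them fails anyway.
    """
    accounts = []
    token = None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = org_client.list_accounts(**kwargs)
        for acct in page["Accounts"]:
            if acct["Status"] == "ACTIVE":
                accounts.append((acct["Id"], acct["Name"]))
        token = page.get("NextToken")
        if not token:
            return accounts


def assume_member_role(sts_client, account_id, role_name=ROLE_NAME, session_name=SESSION_NAME):
    """AssumeRole into one member account and return the temporary credentials dict.

    The ARN is built from the account id, so the same call works for every
    member. The credentials expire ('Expiration' in the dict); request the
    shortest lifetime STS allows, which is plenty for a listing run.
    """
    resp = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName=session_name,
        DurationSeconds=900,
    )
    return resp["Credentials"]


def session_from_credentials(creds, session_factory):
    """Build a session from AssumeRole output.

    session_factory is boto3.session.Session in real use; it is injected so
    the surrounding logic can be tested without AWS access.
    """
    return session_factory(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def inventory_buckets(org_client, sts_client, session_factory):
    """Map account id -> sorted bucket names, or an 'error: ...' string.

    AssumeRole can fail for accounts that were invited into the organization
    rather than created in it (they have no OrganizationAccountAccessRole
    unless someone created one), so one bad account must not abort the run.
    """
    result = {}
    for account_id, _name in list_member_accounts(org_client):
        try:
            creds = assume_member_role(sts_client, account_id)
        except Exception as exc:  # botocore.exceptions.ClientError in real use
            result[account_id] = f"error: {exc}"
            continue
        s3 = session_from_credentials(creds, session_factory).client("s3")
        result[account_id] = sorted(b["Name"] for b in s3.list_buckets()["Buckets"])
    return result


def main():
    import boto3  # imported here so the logic above is testable without boto3 installed
    org = boto3.client("organizations")  # must be called from the master account
    sts = boto3.client("sts")
    for account_id, buckets in inventory_buckets(org, sts, boto3.session.Session).items():
        print(account_id, buckets)


if __name__ == "__main__":
    main()
```

For a large organization, `assume_role` is one STS call per account on every run; that is fine for a one-off inventory, but a scheduled job should reuse each account's credentials until `Expiration` rather than re-assuming inside every API call.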
