
Accessing multiple AWS accounts using boto3 without secret key?

I wrote a Python script which is deployed in an EC2 instance, and let's say this EC2 resides in AWS account A1. Now my script from A1 wants to access 10 other AWS accounts.

And remember I don't have any AWS_ACCESS_KEY or SECRET_KEY of any account, because using AWS_ACCESS_KEY or SECRET_KEY is strictly prohibited here.

I can easily do that if I have an access key. But I can't figure out how I can do that without an access key.

Is there any possible way to do that?

The EC2 should assume an IAM Role.

Then log in to all your 10 other accounts and create roles there. These roles should give cross account access to the EC2 instance role. It is also in these roles that you define what permissions the EC2 instance should have.

Storing AWS_ACCESS_KEY and AWS_SECRET_KEY in your code or EC2 instances is generally considered a bad practice.

You should handle permissions by attaching an IAM Role to the EC2 instance that is running your business logic (docs here).

By doing that you will then need an appropriate IAM Role that has enough rights to perform the actions you need in the other accounts (docs here).
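The flow both answers describe (instance role on the EC2, then STS AssumeRole into a role created in each target account), as an added Python/boto3 example that is not code from either answer. The role name, session name and account ids are assumptions; the STS client is injectable so the credential handling can be exercised without AWS access.

```python
"""Reach other accounts from an EC2 instance role via STS AssumeRole, with no static keys.
Assumes each target account holds a role named CROSS_ACCOUNT_ROLE_NAME whose trust policy
allows the instance role's ARN; the role name and account ids used here are constructed."""
from datetime import datetime, timedelta, timezone

CROSS_ACCOUNT_ROLE_NAME = "CrossAccountAccess"  # hypothetical role created in each account


def role_arn(account_id: str, role_name: str = CROSS_ACCOUNT_ROLE_NAME) -> str:
    """Build the ARN of the role to assume; reject malformed account ids early."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def credentials_usable(creds: dict, now=None, margin_seconds: int = 60) -> bool:
    """True while the temporary credentials stay valid for at least margin_seconds."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] - now > timedelta(seconds=margin_seconds)


class CrossAccountSessions:
    """Caches one set of short-lived STS credentials per target account.
    sts_client is a boto3 STS client built from the instance role (no keys in code);
    any object exposing the same assume_role(**kwargs) can be injected for offline tests."""

    def __init__(self, sts_client, session_name: str = "ec2-cross-account"):
        self.sts = sts_client
        self.session_name = session_name
        self._creds = {}

    def credentials(self, account_id: str, now=None) -> dict:
        """Return cached credentials, calling AssumeRole only when missing or near expiry."""
        creds = self._creds.get(account_id)
        if creds is None or not credentials_usable(creds, now):
            resp = self.sts.assume_role(
                RoleArn=role_arn(account_id),
                RoleSessionName=self.session_name,
                DurationSeconds=900,  # shortest allowed: limits how long a leaked token lives
            )
            creds = self._creds[account_id] = resp["Credentials"]
        return creds

    def session(self, account_id: str):
        """boto3.Session for the target account; boto3 is imported here so the helpers
        above stay importable (and testable) without it."""
        import boto3
        c = self.credentials(account_id)
        return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                             aws_secret_access_key=c["SecretAccessKey"],
                             aws_session_token=c["SessionToken"])
```

On the instance itself this is used as `CrossAccountSessions(boto3.client("sts")).session("111111111111").client("s3")`, where `boto3.client("sts")` picks up the instance-role credentials automatically.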
