
Boto3: assume role locally as the ECS task will do, for testing purposes

I am currently working on the development of a flask application that will be deployed in ECS using boto3 and python.

Currently, for the development of it, I have a python env where I program the different functionalities and interact with the boto3 API assuming roles using the profiles in the ~/.aws/credentials file:

iam = boto3.Session(profile_name="account_alias", region_name='eu-west-1').client('iam')

However, to deploy it in the ECS I have to change all these sessions to something like this so that it is assumed by the role of the task:

import logging
import boto3

try:
    sts_client = boto3.client('sts')
    assumed_role_object = sts_client.assume_role(
        RoleArn="arn:aws:iam::" + str(Account) + ":role/" + str(Role),
        RoleSessionName="flask-app",  # required by STS; recorded in CloudTrail
    )
except Exception:
    logging.exception("Could NOT assume role in account: %s", Account)
    raise  # otherwise assumed_role_object is undefined below

credentials = assumed_role_object['Credentials']

boto3_session = boto3.session.Session(
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

This makes it impossible to test locally (the role cannot be assumed) and leads to numerous errors when deploying it (creating the ECR without testing it).

Is there a way to assume roles without profiles locally in the same way that the task will in the ECS?

Thank you.

I recommend you make a consistently-named role that will exist in all the target accounts. Make the trust policy of that role such that your own credentials can assume it (access key and secret that you are using for your default profile). Then you can use the same logic to assume a role during your local development and not have to change anything. Essentially, instead of using local profiles with different credentials, you would use a single credential that has permission to assume a role in every target account. I've worked in an environment with the same problem, and doing this allows me to have the same local code that I deploy.

There's no reason your local code can't also assume a role, and if there are concerns about making a role that you can assume in all those target accounts, just consider that by using different profiles (with, I assume, different credentials) you must already have access to do the things you would be doing by assuming the role. If the role has more permissions than you should have, then make a new role so you assume different roles locally and in AWS. But at least that will allow you to use the same code--just with a different role name variable passed in.

You'll either need to make ECR usage use profiles or make localhost usage assume roles if you want the code to be the same, and I believe it is easier to make localhost usage assume roles than to get your ECR tasks set up to use profiles.
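The following is an added example, not code from the question or the answer, of the single assume-role path the answer recommends: the same module runs unchanged on a developer laptop (where boto3's default credential chain finds the developer's profile or environment keys) and inside the ECS task (where the chain finds the task role), and both then call sts:AssumeRole on a consistently named role in the target account. The role name, the environment variable names and the injectable `sts_client` parameter are assumptions made for this example; the trust policy helper shows the explicit-principal form so that the list of callers stays reviewable. The original snippet omitted `RoleSessionName`, which STS requires, and carried on after a failed assume with an undefined variable; both are handled here.

```python
"""Added example (not from the question or the answer): one assume-role path
used unchanged on a developer laptop and inside an ECS task.  Locally the
caller is the developer's default credentials; in ECS it is the task role.
Role and environment-variable names are assumptions."""
import json
import logging
import os
import re

logger = logging.getLogger(__name__)

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_role_arn(account_id, role_name):
    """Build the ARN of the shared role in one target account.

    Validating inputs up front turns a typo into a clear error instead of an
    opaque AccessDenied from STS."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits, got {account_id!r}")
    if not role_name or "/" in role_name:
        raise ValueError(f"bad role name {role_name!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_trust_policy(allowed_principals):
    """Trust policy for the shared role, naming exactly the principals that may
    assume it (e.g. the developer's IAM user ARN and the ECS task role ARN)
    rather than a whole account, so the caller set is explicit."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": list(allowed_principals)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def assume_role_credentials(account_id, role_name, session_name,
                            sts_client=None, duration_seconds=3600):
    """Call sts:AssumeRole and return kwargs for boto3.session.Session().

    sts_client is injectable (assumption) for offline tests; when None, the
    default boto3 credential chain decides who the caller is."""
    if sts_client is None:
        import boto3  # lazy import so the module loads without boto3 installed
        sts_client = boto3.client("sts")
    role_arn = build_role_arn(account_id, role_name)
    try:
        response = sts_client.assume_role(
            RoleArn=role_arn,
            RoleSessionName=session_name,  # required; visible in CloudTrail
            DurationSeconds=duration_seconds,
        )
    except Exception:
        logger.exception("could not assume %s", role_arn)
        raise  # never continue without credentials
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def assumed_session(account_id, role_name, region_name, session_name,
                    sts_client=None):
    """Return a boto3 Session scoped to the assumed role (needs boto3)."""
    import boto3
    creds = assume_role_credentials(account_id, role_name, session_name,
                                    sts_client)
    return boto3.session.Session(region_name=region_name, **creds)


if __name__ == "__main__":
    # Assumed env vars: set as ECS task-definition environment entries and
    # exported in the developer's shell, so the code itself never changes.
    account = os.environ["TARGET_ACCOUNT_ID"]
    role = os.environ.get("TARGET_ROLE_NAME", "app-shared-role")
    who = os.environ.get("USER", "ecs-task")
    session = assumed_session(account, role, "eu-west-1", f"flask-app-{who}")
    print(session.client("sts").get_caller_identity()["Arn"])
    print(json.dumps(build_trust_policy([
        "arn:aws:iam::111122223333:user/developer",        # constructed
        "arn:aws:iam::111122223333:role/ecs-task-role",    # constructed
    ]), indent=2))
```

Because the caller identity comes from boto3's default chain, a developer exporting `AWS_PROFILE` and an ECS task with a task role both reach the same `assume_role` call; only the role name and account id are configuration. The session name should identify the human or service so that CloudTrail's AssumeRole events stay attributable.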
