[英]Copy from S3 bucket in one account to S3 bucket in another account using Boto3 in AWS Lambda
[英]Copy AMI from one AWS account to another AWS account using boto
我做了一些 RnD,但没有找到关于这个主题的任何答案或提示。 如果可以使用 boto 将 AMI 从一个 AWS 账户复制到另一个账户,任何人都可以给出提示或答案。
您不能直接将 AMI 从一个账户复制到另一个账户,但可以与其他账户共享 AMI,然后在本地复制第二个账户中的映像。 方法如下:
# Copying image from src_account to dest_account
SRC_ACCOUNT_ID = '111111'
DEST_ACCOUNT_ID = '222222'
IMAGE_ID = '333333'
SRC_REGION = 'us-west-1'
DEST_REGION = 'us-east-1'
# Create CrossAccountole Role in src_account which will give permission to operations in the acount
sts = boto3.client('sts')
credentials = sts.assume_role(
RoleArn='arn:aws:iam::'+SRC_ACCOUNT_ID +':role/CrossAccountRole',
RoleSessionName="RoleSession1"
)['Credentials']
ec2 = boto3.resource('ec2', region_name=SRC_REGION,
aws_access_key_id = credentials['AccessKeyId'],
aws_secret_access_key = credentials['SecretAccessKey'],
aws_session_token = credentials['SessionToken']
)
# Access the image that needs to be copied
image = ec2.Image(IMAGE_ID)
# Share the image with the destination account
image.modify_attribute(
ImageId = image.id,
Attribute = 'launchPermission',
OperationType = 'add',
LaunchPermission = {
'Add' : [{ 'UserId': DEST_ACCOUNT_ID }]
}
)
# We have to now share the snapshots associated with the AMI so it can be copied
devices = image.block_device_mappings
for device in devices:
if 'Ebs' in device:
snapshot_id = device["Ebs"]["SnapshotId"]
snapshot = ec2.Snapshot(snapshot_id)
snapshot.modify_attribute(
Attribute = 'createVolumePermission',
CreateVolumePermission = {
'Add' : [{ 'UserId': DEST_ACCOUNT_ID }]
},
OperationType = 'add',
)
# Access destination account so we can now copy the image
credentials = sts.assume_role(
RoleArn='arn:aws:iam::'+DEST_ACCOUNT_ID+':role/CrossAccountRole',
RoleSessionName="RoleSession1"
)['Credentials']
# Copy image to failover regions
ec2fra = boto3.client('ec2', DEST_REGION,
aws_access_key_id = credentials['AccessKeyId'],
aws_secret_access_key = credentials['SecretAccessKey'],
aws_session_token = credentials['SessionToken']
)
# Copy the shared AMI to dest region
ec2fra.copy_image(
Name = 'MY_COPIED_IMAGE_FROM_OTHER_ACCOUNT',
SourceImageId = image.id,
SourceRegion = SRC_REGION
)
就是这样,很简单:)
在这里阅读命令
无法复制 AMI,但您可以像@byumark 所说的那样共享它。 使用 boto3 共享非常容易。 我不会像他那样使用客户端,我会使用资源。
现在,如果处理加密的 AMI 有点棘手。 您需要允许访问用于加密的 CMK,共享快照本身而不是 ami。 然后复制快照并在复制时再次设置加密以确保其使用目标帐户默认 KMS 密钥进行加密。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.