[英]How to get temporary IAM programmatic access using IAM role without setting up aws configure?
如何在不设置 aws configure 的情况下使用 IAM 角色获得临时 IAM 编程访问?
python中的答案会有所帮助
如果你有请粘贴我完整的代码。
(base) [root@ip-172-31-39-101 ec2-user]# cat role.py
import boto3
import botocore
account_no=7439222006066 # another account number
role_name='iamest' # another account role
sts_client = boto3.client('sts')
assume_role_response = sts_client.assume_role(
RoleArn = 'arn:aws:iam::{0}:role/{1}'.format(account_no,role_name),
RoleSessionName = 'CloudWatchMetricRoleSession',
DurationSeconds = 900,
#ExternalId = '9949183895'
)
#Below session is required to create request using temporary credentials generated.
session = boto3.Session(
aws_access_key_id = assume_role_response['Credentials']['AccessKeyId'],
aws_secret_access_key = assume_role_response['Credentials']['SecretAccessKey'],
aws_session_token = assume_role_response['Credentials']['SessionToken']
)
#print('your keys are here:', session)
#below we are specifying region for temporary credentials stored in 'session' same like we #configure region in 'aws configure'
cloudwatch_client = session.client('cloudwatch',
region_name = 'us-east-1'
)
all_metric_items = []
# using temporary credentials for a request.
cpu_util_metrices_response = cloudwatch_client.list_metrics(
Namespace = 'AWS/EC2',
MetricName = 'CPUUtilization',
Dimensions = [
{
'Name': 'i-00a2e99dc0855d2b7',
'Value': 'us-east-1'
}
]
)
print (cpu_util_metrices_response)
注意: 1)必须为跨帐户创建另一个帐户角色,并在信任关系策略中添加您正在点击请求的 aws 帐户的帐户 ID。 2) 您运行 aws 请求的服务器应该定义了“aws configure”,以便请求另一个 aws 帐户临时访问密钥。 3) 同一个账户不能为请求其资源生成临时访问密钥
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.