Python boto3 获取组织的所有RDS实例列表

Question

假设我有一个包含 25 个 aws 帐户的组织，其中每个帐户可能包含也可能不包含一些保留的 RDS 实例。 所以我需要使用 boto3 连接我的组织并迭代每个帐户以检查该 RDS 保留实例。 我在单个帐户级别上检查 RDS 实例的操作。

此代码将列出单个帐户中存在的所有 RDS 实例

示例代码

#!/usr/bin/env python
import boto3
client = boto3.client('rds')
response = 
client.describe_db_instances()
for i in response['DBInstances']:
   db_name = i['DBName']
   db_instance_name = i['DBInstanceIdentifier']
   db_type = i['DBInstanceClass']
   db_storage = i['AllocatedStorage']
   db_engine = i['Engine']
   print (db_instance_name,db_type,db_storage,db_engine)

所以我的问题是如何连接到组织级别，列出每个帐户 RDS 保留实例？ 我需要使用什么类型/级别的凭据？

Answer 1

一种方法是使用通用角色。 这种方法的先决条件是，有权进行必要的 API 调用的角色需要存在于属于组织的每个帐户中。 然后，您将承担此通用角色以在目标账户中执行 API 调用。 https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html中概述了这种设置。

有了这个角色，您可以运行 boto3 代码来查找组织中的所有帐户——可能是这样的：

org_client = boto3.client('organizations')
root_id = org_client.list_roots()['Roots'][0]['Id']
LOGGER.info('root ID: %s', root_id)
paginator = org_client.get_paginator('list_organizational_units_for_parent')
response_iterator = paginator.paginate(ParentId=root_id)
for item in response_iterator:
    for ou in item['OrganizationalUnits']:
        ou_paginator = org_client.get_paginator('list_accounts_for_parent')
        ou_response_iterator = ou_paginator.paginate(ParentId=ou['Id'])
        for ou_item in ou_response_iterator:
            for account in ou_item['Accounts']:
                account_id = account['Id']
                //next, assume a role in this account

然后，下一步是担任该角色，其代码类似于https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html中显示的内容。 使用上面的账户 ID 和通用角色名称构建下面的RoleARN ( arn:aws:iam::account-of-role-to-assume:role/name-of-role )：

import boto3

# The calls to AWS STS AssumeRole must be signed with the access key ID
# and secret access key of an existing IAM user or by using existing temporary 
# credentials such as those from another role. (You cannot call AssumeRole 
# with the access key for the root account.) The credentials can be in 
# environment variables or in a configuration file and will be discovered 
# automatically by the boto3.client() function. For more information, see the 
# Python SDK documentation: 
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html#client

# create an STS client object that represents a live connection to the 
# STS service
sts_client = boto3.client('sts')

# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumed_role_object=sts_client.assume_role(
    RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
    RoleSessionName="AssumeRoleSession1"
)

# From the response that contains the assumed role, get the temporary 
# credentials that can be used to make subsequent API calls
credentials=assumed_role_object['Credentials']

# Use the temporary credentials that AssumeRole returns to make a 
# connection to Amazon S3  
rds_client=boto3.client(
    'rds',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

您可以查询 RDS 以查找任何实例并将找到的任何实例添加到列表中。 完成对组织中所有帐户的迭代后，您应该拥有属于该组织的所有帐户的完整列表。

Answer 2

我在具有多个嵌套节点的组织中尝试了第一个答案的代码，但它不起作用。 也许我错了。 但我找到了一个甚至适用于我正在工作的组织的解决方案：

import boto3

client = boto3.client('organizations', region_name='us-west-2')
paginator = client.get_paginator('list_accounts')
page_iterator = paginator.paginate()

for page in page_iterator:
    for account in page['Accounts']:
        print(account['Id'])
        # assume role and list resources