Work around AWS assume_role session expiration

I am calling 4 operations from the AWS Health API to collect all findings using these loops (I removed some DynamoDB snippets to make it clearer). The problem is that the script takes quite a long time to run and times out after an hour with an ExpiredTokenException. I have already tried DurationSeconds, which is fixed at 3600.

Can I work around this somehow? For example by splitting the function into multiple functions? Or would that not work at all?

import boto3

sts = boto3.client('sts')
# use STS to AssumeRole for the Organization Health Account
memberAcct = sts.assume_role(RoleArn='arn:aws:iam::x:role/Health-Role',RoleSessionName='xacct-health')
# retrieve creds from member account to create new Health Boto3 Client
xAcctAccessKey = memberAcct['Credentials']['AccessKeyId']
xAcctSecretKey = memberAcct['Credentials']['SecretAccessKey']
xAcctSeshToken = memberAcct['Credentials']['SessionToken']
health = boto3.client('health',aws_access_key_id=xAcctAccessKey,aws_secret_access_key=xAcctSecretKey,aws_session_token=xAcctSeshToken)

def health_collect():
    try:
        paginator = health.get_paginator('describe_events_for_organization')
        iterator = paginator.paginate()
        for page in iterator:
            for e in page['events']:
                eventArn = str(e['arn'])
                healthEventScope = str(e['eventScopeCode'])
                if healthEventScope == 'ACCOUNT_SPECIFIC':
                    affectedAccounts = health.describe_affected_accounts_for_organization(eventArn=eventArn)['affectedAccounts']
                    for affectedAcctId in affectedAccounts:
                        eventDetails = health.describe_event_details_for_organization(
                            organizationEventDetailFilters=[
                                {
                                    'eventArn': eventArn,
                                    'awsAccountId': affectedAcctId
                                }
                            ]
                        )
                        eventDescription = str(eventDetails['successfulSet'][0]['eventDescription']['latestDescription'])
                        entityDetails = health.describe_affected_entities_for_organization(
                            organizationEntityFilters=[
                                {
                                    'eventArn': eventArn,
                                    'awsAccountId': affectedAcctId
                                }
                            ]
                        )
                        entityValue = str(entityDetails['entities'][0]['entityValue'])
                        if entityValue == 'AWS_ACCOUNT':
                            entityValue = affectedAcctId
                        else:
                            pass  # DynamoDB write removed from the question
                else:
                    affectedAccounts = 'ALL'
                    entityArn = 'NOT_SPECIFIC'
                    entityValue = 'NOT_SPECIFIC'
                    eventDetails = health.describe_event_details_for_organization(organizationEventDetailFilters=[{'eventArn': eventArn}])
                    eventDescription = str(eventDetails['successfulSet'][0]['eventDescription']['latestDescription'])
    except Exception as e:
        print(e)

health_collect()

There is already an issue on GitHub for this problem.

Refresh sts role assumption credentials for long-running operations #443

Automatically use RefreshableCredentials when appropriate #2158

In the meantime, there are some interim workarounds; I think you can achieve this with the RefreshableCredentials class in botocore combined with the get_session method.


...

from boto3 import Session
from botocore.credentials import RefreshableCredentials
from botocore.session import get_session


def assumed_session(role_arn, session_name, session=None):
    """Return a boto3 Session whose credentials re-assume role_arn automatically
    shortly before each set of temporary credentials expires."""
    if session is None:
        session = Session()

    def refresh():
        # Call AssumeRole again and return the credentials in the shape
        # RefreshableCredentials expects: access_key, secret_key, token, expiry_time
        sts = session.client('sts')
        creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)['Credentials']
        return {
            'access_key': creds['AccessKeyId'],
            'secret_key': creds['SecretAccessKey'],
            'token': creds['SessionToken'],
            'expiry_time': creds['Expiration'].isoformat(),
        }

    session_credentials = RefreshableCredentials.create_from_metadata(
        metadata=refresh(),
        refresh_using=refresh,
        method='sts-assume-role')

    # Build a fresh botocore session, swap in the refreshing credentials, and keep
    # the caller's region so clients created from it behave the same way
    s = get_session()
    s._credentials = session_credentials
    region = session._session.get_config_variable('region') or 'us-east-1'
    s.set_config_variable('region', region)
    return Session(botocore_session=s)

A working version of the code above can be found in this gist.
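As an added example (not code from the answer, the linked gist, or the botocore project), the following stand-alone Python models the refresh-before-expiry behaviour that botocore's RefreshableCredentials provides, so you can see why the one-hour ExpiredTokenException disappears. A constructed FakeSts stands in for the real STS AssumeRole call so it runs offline; RefreshingCredentials, FakeSts, ManualClock, make_refresher, run_demo and the account id in the role ARN are all assumptions of this example.

```python
"""Refresh-before-expiry credentials, modelled on botocore's RefreshableCredentials.
Added example with a constructed stand-in for STS AssumeRole so it runs offline;
all class and function names here belong to this example, not to botocore."""
import threading
from datetime import datetime, timedelta, timezone

# Refresh while the credentials still have this much life left, so a long API
# call started just before the refresh point cannot outlive its session token.
REFRESH_MARGIN = timedelta(minutes=15)


class ManualClock:
    """Controllable clock so the demo can move time forward deterministically."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now


class FakeSts:
    """Constructed stand-in for boto3's sts.assume_role(): every call issues a
    fresh set of credentials valid for `duration` (one hour, as in the question)."""
    def __init__(self, clock, duration=timedelta(hours=1)):
        self.clock = clock
        self.duration = duration
        self.calls = 0

    def assume_role(self, RoleArn, RoleSessionName):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls:04d}",   # constructed value
            "SecretAccessKey": f"secret-{self.calls}",       # constructed value
            "SessionToken": f"token-{self.calls}",           # constructed value
            "Expiration": self.clock() + self.duration,
        }}


def make_refresher(sts, role_arn, session_name):
    """Build the refresh callable: re-assume the role and return the metadata
    dict in the shape RefreshableCredentials.create_from_metadata expects."""
    def refresh():
        c = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
        return {"access_key": c["AccessKeyId"], "secret_key": c["SecretAccessKey"],
                "token": c["SessionToken"], "expiry_time": c["Expiration"]}
    return refresh


class RefreshingCredentials:
    """Holds one set of temporary credentials and transparently re-assumes the
    role once they are within REFRESH_MARGIN of expiry (thread-safe, as botocore's is)."""
    def __init__(self, refresh_using, clock, margin=REFRESH_MARGIN):
        self._refresh_using = refresh_using
        self._clock = clock
        self._margin = margin
        self._lock = threading.Lock()
        self._creds = None
        self._expiry = None
        self._refresh()

    def _refresh(self):
        meta = self._refresh_using()
        self._creds = (meta["access_key"], meta["secret_key"], meta["token"])
        self._expiry = meta["expiry_time"]

    def needs_refresh(self):
        return self._clock() >= self._expiry - self._margin

    def get(self):
        """What a client calls before each request: returns (key, secret, token)."""
        with self._lock:
            if self.needs_refresh():
                self._refresh()
            return self._creds


def run_demo():
    """Simulate a job that outlives the 1-hour session. Returns the session token
    seen at each step and how many times the role was assumed."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    clock = ManualClock(start)
    sts = FakeSts(clock)
    creds = RefreshingCredentials(
        make_refresher(sts, "arn:aws:iam::123456789012:role/Health-Role", "xacct-health"),
        clock)
    seen = []
    for minutes in (0, 30, 50, 100):      # elapsed job time at each "API call"
        clock.now = start + timedelta(minutes=minutes)
        seen.append(creds.get()[2])
    return seen, sts.calls


if __name__ == "__main__":
    print(run_demo())  # → (['token-1', 'token-1', 'token-2', 'token-3'], 3)
```

The token observed at 50 minutes already differs from the first one: the refresh fired at the 45-minute mark (60 minutes minus the 15-minute margin), before the original session could expire, and the same happens again at 95 minutes. Note that each refresh is a new AssumeRole call, so it shows up as a separate session in CloudTrail; that is expected and is the audit trail you want for a long-running cross-account job.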
