Python获取组织的所有boto3实例列表。
假设我有一个包含25个aws帐户的组织,其中每个帐户可能包含或不包含一些保留的RDS实例。因此,我需要使用boto3连接我的组织,并迭代每个帐户来检查RDS保留的实例。我在一个帐户级别上做什么来检查RDS实例。
此代码将列出单个帐户中存在的所有RDS实例。
示例代码
#!/usr/bin/env python
import boto3
client = boto3.client('rds')
response =
client.describe_db_instances()
for i in response['DBInstances']:
db_name = i['DBName']
db_instance_name = i['DBInstanceIdentifier']
db_type = i['DBInstanceClass']
db_storage = i['AllocatedStorage']
db_engine = i['Engine']
print (db_instance_name,db_type,db_storage,db_engine)那么,我的问题是如何连接到组织级别,列出每个帐户RDS保留的实例?我需要使用什么类型/级别的凭据?
回答 2
Stack Overflow用户
发布于 2022-03-14 17:27:15
这样做的一种方法是使用公共角色。这种方法的先决条件是,有权进行必要的API调用的角色需要存在于属于组织的每个帐户中。然后,您将承担起在目标帐户中执行API调用的公共角色。这类设置在https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html中进行了概述。
有了这个角色,您就可以运行boto3代码来查找组织中的所有帐户--可能是这样的:
org_client = boto3.client('organizations')
root_id = org_client.list_roots()['Roots'][0]['Id']
LOGGER.info('root ID: %s', root_id)
paginator = org_client.get_paginator('list_organizational_units_for_parent')
response_iterator = paginator.paginate(ParentId=root_id)
for item in response_iterator:
for ou in item['OrganizationalUnits']:
ou_paginator = org_client.get_paginator('list_accounts_for_parent')
ou_response_iterator = ou_paginator.paginate(ParentId=ou['Id'])
for ou_item in ou_response_iterator:
for account in ou_item['Accounts']:
account_id = account['Id']
//next, assume a role in this account然后,下一步是使用类似于https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html中显示的代码来承担这个角色。使用上面的帐户ID和通用角色名构建下面的RoleARN (arn:aws:iam::account-of-role-to-assume:role/name-of-role):
import boto3
# The calls to AWS STS AssumeRole must be signed with the access key ID
# and secret access key of an existing IAM user or by using existing temporary
# credentials such as those from another role. (You cannot call AssumeRole
# with the access key for the root account.) The credentials can be in
# environment variables or in a configuration file and will be discovered
# automatically by the boto3.client() function. For more information, see the
# Python SDK documentation:
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html#client
# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
RoleSessionName="AssumeRoleSession1"
)
# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials=assumed_role_object['Credentials']
# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
rds_client=boto3.client(
'rds',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'],
)您可以查询RDS以查找任何实例,并将找到的任何实例添加到列表中。完成组织中所有帐户的迭代之后,您应该在属于该组织的所有帐户中有一个完整的列表。
Stack Overflow用户
发布于 2022-07-13 20:26:06
我在一个有几个嵌套节点的组织中尝试了第一个答案的代码,但它没有工作。也许我错了。但我找到了一种解决方案,即使对我所从事的组织也是如此:
import boto3
client = boto3.client('organizations', region_name='us-west-2')
paginator = client.get_paginator('list_accounts')
page_iterator = paginator.paginate()
for page in page_iterator:
for account in page['Accounts']:
print(account['Id'])
# assume role and list resourceshttps://stackoverflow.com/questions/71471571
复制相似问题
腾讯云开发者
