Python: how to get the ARN of an EC2 instance in AWS CDK


I am creating an EC2 instance in CDK with a CfnInstance, and I want to use its ARN later in an IAM role so that I can grant permissions on that specific resource and avoid using `*`. How do I access the ARN of the instance I just created? The code is as follows:

    # CDK v1 imports (the snippet uses core.Fn); both methods live on a core.Stack subclass.
    from aws_cdk import core, aws_ec2 as ec2, aws_iam as iam

    # Inside the stack's __init__: self.user_data_commands is built earlier in the stack.
    instance_profile = self.create_instance_profile()
    self.instance = ec2.CfnInstance(self, 'Client',
        image_id = image_id,
        instance_type = instance_type,
        subnet_id = subnet_id,
        iam_instance_profile = instance_profile.ref,
        security_group_ids = [cluster_security_group_id],
        user_data = core.Fn.base64('\n'.join(self.user_data_commands)),
        tags = [{ 'key': 'Name', 'value': 'MskEc2Client' }],
    )


    def create_instance_profile(self):
        # Role assumed by the EC2 service on behalf of the instance.
        role = iam.Role(self, 'Role', assumed_by = iam.ServicePrincipal('ec2.amazonaws.com'))
        ssm_policy_statement = iam.PolicyStatement(
            resources = ['*'],  #TODO GIVE PERMISSION TO THE SPECIFIC RESOURCE (EC2)
            actions = [
                'ssm:UpdateInstanceInformation', 'ssmmessages:CreateControlChannel',
                'ssmmessages:CreateDataChannel', 'ssmmessages:OpenControlChannel', 'ssmmessages:OpenDataChannel'])

        ssm_policy = iam.Policy(self, 'SessionManagerPolicy', statements = [ssm_policy_statement])
        # add_w12_suppression is a helper defined elsewhere in this stack (cfn_nag W12 metadata).
        self.add_w12_suppression(ssm_policy, 'Session Manager actions do not support resource level permissions')
        ssm_policy.attach_to_role(role)

        msk_policy = iam.Policy(self, 'MskPolicy', #TODO GIVE PERMISSION TO SPECIFIC RESOURCES (EC2)
            statements = [iam.PolicyStatement(resources = ['*'], actions = ['kafka:DescribeCluster', 'kafka:GetBootstrapBrokers'])]
        )

        self.add_w12_suppression(msk_policy, 'MSK actions do not support resource level permissions')
        msk_policy.attach_to_role(role)

        # Ref on an AWS::IAM::Role returns the role name, which is what the instance profile needs.
        cfn_role = role.node.default_child
        return iam.CfnInstanceProfile(self, 'InstanceProfile', roles = [cfn_role.ref])
You can use the stack's default values to build the ARN and fill in the resources:

    # self.partition, self.region and self.account are Stack pseudo-parameter tokens;
    # self.instance.ref resolves to the instance ID of the CfnInstance at deploy time.
    ssm_policy_statement = iam.PolicyStatement(
        resources = [f'arn:{self.partition}:ec2:{self.region}:{self.account}:instance/{self.instance.ref}'],
        actions = [
            'ssm:UpdateInstanceInformation', 'ssmmessages:CreateControlChannel',
            'ssmmessages:CreateDataChannel', 'ssmmessages:OpenControlChannel', 'ssmmessages:OpenDataChannel'
        ]
    )
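The following is an added example, not code from the question or the answer above. It is plain Python with no CDK dependency: it assembles the instance ARN with the same layout the answer's f-string produces (in a real stack `self.partition`, `self.region`, `self.account` and `self.instance.ref` are tokens resolved at deploy time, and `Stack.format_arn` assembles the same string), validates such an ARN, and audits a policy document of the shape `cdk synth` would emit for the question's two policies, reporting which statements still grant on `Resource: "*"`. The account number, instance ID and both policy documents are constructed sample values. One check worth making before narrowing any statement: an action that does not support resource-level permissions (the question's own suppression messages say this for the Session Manager and MSK actions) must keep `*` as its resource, because a statement naming an instance ARN for such an action simply never matches; the IAM Service Authorization Reference lists the resource types each action supports.

```python
import json
import re

# Matches a concrete EC2 instance ARN of the form the answer builds with its f-string.
INSTANCE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):ec2:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):instance/(?P<instance_id>i-[0-9a-f]{8}(?:[0-9a-f]{9})?)$"
)


def ec2_instance_arn(partition, region, account, instance_id):
    """Build the instance ARN exactly as the answer's f-string does, refusing empty
    components so a missing value cannot silently yield a malformed ARN."""
    parts = {"partition": partition, "region": region,
             "account": account, "instance_id": instance_id}
    missing = [name for name, value in parts.items() if not value]
    if missing:
        raise ValueError(f"missing ARN component(s): {', '.join(missing)}")
    return f"arn:{partition}:ec2:{region}:{account}:instance/{instance_id}"


def parse_instance_arn(arn):
    """Return the components of a concrete EC2 instance ARN, or raise ValueError."""
    match = INSTANCE_ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not an EC2 instance ARN: {arn}")
    return match.groupdict()


def wildcard_statements(policy_document):
    """Return (index, sorted actions) for every Allow statement whose Resource
    includes '*'. Run it over the IAM policies in a synthesized template to find
    grants that are still broader than a single instance."""
    findings = []
    for index, statement in enumerate(policy_document.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        resources = statement.get("Resource", [])
        actions = statement.get("Action", [])
        if isinstance(resources, str):
            resources = [resources]
        if isinstance(actions, str):
            actions = [actions]
        if "*" in resources:
            findings.append((index, sorted(actions)))
    return findings


# Constructed sample values; not a real account or instance.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_INSTANCE_ID = "i-0abc123def4567890"
SAMPLE_INSTANCE_ARN = ec2_instance_arn("aws", "us-east-1", SAMPLE_ACCOUNT, SAMPLE_INSTANCE_ID)

SSM_ACTIONS = ["ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel",
               "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel",
               "ssmmessages:OpenDataChannel"]
MSK_ACTIONS = ["kafka:DescribeCluster", "kafka:GetBootstrapBrokers"]

# Constructed: the shape of the question's policies before the change, everything on "*".
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SSM_ACTIONS, "Resource": "*"},
    {"Effect": "Allow", "Action": MSK_ACTIONS, "Resource": "*"},
]}

# Constructed: after applying the answer to the SSM statement, it names the instance ARN.
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": SSM_ACTIONS, "Resource": [SAMPLE_INSTANCE_ARN]},
    {"Effect": "Allow", "Action": MSK_ACTIONS, "Resource": "*"},
]}

if __name__ == "__main__":
    print(SAMPLE_INSTANCE_ARN)
    print(json.dumps(parse_instance_arn(SAMPLE_INSTANCE_ARN), indent=2))
    for name, doc in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, wildcard_statements(doc))
```

Running the script prints the sample ARN, its parsed components, and two audit results: both statements are flagged for the "before" document, and only the MSK statement remains flagged after the answer's change is applied to the SSM statement.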