Python: How to get the ARN of an EC2 instance in AWS CDK
I am creating an EC2 instance in CDK with CfnInstance, and I want to use its ARN later in an IAM role so that I can grant permissions on that specific resource and avoid using *. How do I access the ARN of the EC2 instance I just created? The code is as follows:
instance_profile = self.create_instance_profile()
self.instance = ec2.CfnInstance(self, 'Client',
    image_id = image_id,
    instance_type = instance_type,
    subnet_id = subnet_id,
    iam_instance_profile = instance_profile.ref,
    security_group_ids = [cluster_security_group_id],
    user_data = core.Fn.base64('\n'.join(self.user_data_commands)),
    tags = [{ 'key': 'Name', 'value': 'MskEc2Client' }],
)

def create_instance_profile(self):
    role = iam.Role(self, 'Role', assumed_by = iam.ServicePrincipal('ec2.amazonaws.com'))
    ssm_policy_statement = iam.PolicyStatement(
        resources = ['*'], #TODO GIVE PERMISSION TO THE SPECIFIC RESOURCE (EC2)
        actions = [
            'ssm:UpdateInstanceInformation', 'ssmmessages:CreateControlChannel',
            'ssmmessages:CreateDataChannel', 'ssmmessages:OpenControlChannel', 'ssmmessages:OpenDataChannel'])
    ssm_policy = iam.Policy(self, 'SessionManagerPolicy', statements = [ssm_policy_statement])
    self.add_w12_suppression(ssm_policy, 'Session Manager actions do not support resource level permissions')
    ssm_policy.attach_to_role(role)
    msk_policy = iam.Policy(self, 'MskPolicy', #TODO GIVE PERMISSION TO SPECIFIC RESOURCES (EC2)
        statements = [iam.PolicyStatement(resources = ['*'], actions = ['kafka:DescribeCluster', 'kafka:GetBootstrapBrokers'])]
    )
    self.add_w12_suppression(msk_policy, 'MSK actions do not support resource level permissions')
    msk_policy.attach_to_role(role)
    cfn_role = role.node.default_child
    return iam.CfnInstanceProfile(self, 'InstanceProfile', roles = [cfn_role.ref])
You can use the instance's default values to construct the ARN to fill in the resources:

ssm_policy_statement = iam.PolicyStatement(
    resources = [f'arn:{self.partition}:ec2:{self.region}:{self.account}:instance/{self.instance.ref}'],
    actions = [
        'ssm:UpdateInstanceInformation', 'ssmmessages:CreateControlChannel',
        'ssmmessages:CreateDataChannel', 'ssmmessages:OpenControlChannel', 'ssmmessages:OpenDataChannel'
    ]
)
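Added example, not code from the question or the answer: it builds the instance ARN the same way the answer does and then splits the Session Manager grant, because the question's own suppression comment notes that the Session Manager (ssmmessages) actions do not support resource-level permissions, so a single statement scoped to the instance ARN would leave those actions ungranted. The table of which action accepts an instance ARN is my assumption to verify against the current IAM action reference, and the account id and instance id are constructed placeholders standing in for the Stack attributes and CfnInstance.ref.

```python
# Added example (not the question's or the answer's code): build the instance ARN
# the way the answer does, then split the Session Manager grant so only the
# action that accepts an EC2 instance ARN is scoped to it.

# Constructed stand-ins for Stack.partition/region/account and CfnInstance.ref.
PARTITION = "aws"
REGION = "us-east-1"
ACCOUNT = "123456789012"             # placeholder account id
INSTANCE_ID = "i-0123456789abcdef0"  # placeholder; CfnInstance.ref at deploy time

# The question's actions. True = accepts an ec2 instance ARN as Resource;
# False = only Resource "*" works (the page's own note on the ssmmessages
# actions). Assumption: verify against the current IAM action reference.
SUPPORTS_INSTANCE_ARN = {
    "ssm:UpdateInstanceInformation": True,
    "ssmmessages:CreateControlChannel": False,
    "ssmmessages:CreateDataChannel": False,
    "ssmmessages:OpenControlChannel": False,
    "ssmmessages:OpenDataChannel": False,
}

def instance_arn(partition, region, account, instance_id):
    """Same ARN shape the answer builds from Stack attributes and instance.ref."""
    return f"arn:{partition}:ec2:{region}:{account}:instance/{instance_id}"

def session_manager_statements(arn):
    """Two statements instead of one: an action that only accepts "*" is
    silently not granted when it sits in a statement naming a specific ARN."""
    scoped = sorted(a for a, ok in SUPPORTS_INSTANCE_ARN.items() if ok)
    wildcard = sorted(a for a, ok in SUPPORTS_INSTANCE_ARN.items() if not ok)
    return [
        {"Effect": "Allow", "Action": scoped, "Resource": [arn]},
        {"Effect": "Allow", "Action": wildcard, "Resource": ["*"]},
    ]

def ineffective_actions(statement):
    """Actions in a statement that would not take effect because the statement
    names a specific resource while the action only accepts "*"."""
    if statement["Resource"] == ["*"]:
        return []
    return [a for a in statement["Action"]
            if not SUPPORTS_INSTANCE_ARN.get(a, True)]

if __name__ == "__main__":
    arn = instance_arn(PARTITION, REGION, ACCOUNT, INSTANCE_ID)
    for stmt in session_manager_statements(arn):
        print(stmt, "ineffective:", ineffective_actions(stmt))
```

Run `ineffective_actions` over the answer's single combined statement to see which of its actions would not actually be granted; the split statements return an empty list for both.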