Python AWS assumed role not working as expected with boto3

python, amazon-web-services, boto3, amazon-iam, ssm

I want to use AWS SSM to perform ssm:DescribeInstanceInformation on an EC2 instance (I-0691847a77) by assuming an IAM role (iam_ssm_role) that has the policy below defined.

Both IAM roles are in the same AWS account, and the iam_base_role ARN has been added to the trust policy of iam_ssm_role.

     {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "ssm:*",
            "ec2:DescribeImages",
            "cloudwatch:PutMetricData",
            "ec2:DescribeInstances",
            "lambda:InvokeFunction",
            "ec2:DescribeTags",
            "ec2:DescribeVpcs",
            "cloudwatch:GetMetricStatistics",
            "ec2:DescribeSubnets",
            "ec2:DescribeKeyPairs",
            "cloudwatch:ListMetrics",
            "ec2:DescribeSecurityGroups"
        ],
        "Resource": "*"
    }
I run the following code on the EC2 instance using the IAM role (iam_base_role):

I get an access denied error. The assumed role shows as "iam_ssm_role", but it looks like SSM is running as iam_base_role instead of iam_ssm_role.

AROAV6BDS6PTVQBU:iam_ssm_role

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeInstanceInformation operation: User: arn:aws:sts::000001:assumed-role/iam_base_role/i-0691847a77 is not authorized to perform: ssm:DescribeInstanceInformation on resource: arn:aws:ssm:us-east-1:000001:*

OK, I found the problem with my previous code: I was not using the assumed IAM role's credentials in the boto3.client SSM part.

I can now run the code successfully; I am using the code below.

import boto3

# 1. Ask STS for temporary credentials for the target role.
boto_sts = boto3.client('sts')
stsresponse = boto_sts.assume_role(
    RoleArn="arn:aws:iam::000001:role/iam_ssm_role",
    RoleSessionName='newsession'
)

# 2. Pull the temporary credentials (key id, secret, session token) out of the response.
newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]

# 3. Build the SSM client from those credentials. Without them boto3 falls back to the
#    instance profile (iam_base_role), which is what produced the AccessDeniedException.
client = boto3.client('ssm',
                      region_name='us-east-1',
                      aws_access_key_id=newsession_id,
                      aws_secret_access_key=newsession_key,
                      aws_session_token=newsession_token)

# 4. Call SSM as iam_ssm_role. InstanceInformationFilterList is the legacy filter
#    parameter; the newer Filters=[{'Key': 'InstanceIds', 'Values': [...]}] form also works.
ssm_response = client.describe_instance_information(
    InstanceInformationFilterList=[
        {
            'key': 'InstanceIds',
            'valueSet': [
                'i-0f0099877fgg'
            ]
        }
    ]
)

print(ssm_response)
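The fix above works because the temporary credentials are passed to the SSM client explicitly. The following is an added example, not the asker's code: it wraps the same STS AssumeRole flow in a boto3.Session and adds the check a practitioner wants before touching SSM, namely asking STS GetCallerIdentity which principal the new session really is and refusing to continue unless it is the expected role. That is exactly the mismatch the AccessDeniedException above exposed (assumed-role/iam_base_role instead of iam_ssm_role). The role ARN, session name and the sample AssumeRole response are constructed placeholders; the helper functions are pure Python and run without AWS access or boto3 installed, while ssm_client_as_role performs the live calls.

```python
"""Assume a role with STS, build an SSM client from the temporary credentials, and
verify which principal the client will act as before calling SSM.
Added example; helper names, the sample response and ARNs are assumptions."""
import re
from datetime import datetime, timezone

try:
    import boto3  # only needed for the live AWS calls in ssm_client_as_role()
except ImportError:  # lets the offline helpers run without boto3 installed
    boto3 = None

# Shape of the ARN STS reports for an assumed-role session:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d+):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)

# Constructed sample with the shape of an STS AssumeRole response (not real credentials).
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey",
        "SessionToken": "exampleSessionToken",
        "Expiration": datetime(2030, 1, 1, tzinfo=timezone.utc),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:newsession",
        "Arn": "arn:aws:sts::000001:assumed-role/iam_ssm_role/newsession",
    },
}


def parse_assumed_role_arn(arn):
    """Return (account, role_name, session_name), or None if arn is not an assumed-role ARN."""
    m = ASSUMED_ROLE_ARN.match(arn)
    if not m:
        return None
    return m.group("account"), m.group("role"), m.group("session")


def credentials_kwargs(assume_role_response):
    """Map an AssumeRole response onto the keyword arguments boto3.Session/boto3.client
    accept, so the temporary credentials cannot be silently left out of the client."""
    creds = assume_role_response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def credentials_expired(assume_role_response, now=None):
    """True when the temporary credentials' Expiration has passed (they are short-lived)."""
    expiration = assume_role_response["Credentials"]["Expiration"]
    now = now or datetime.now(timezone.utc)
    return expiration <= now


def check_identity(caller_arn, expected_role):
    """Return (ok, reason); ok is True only when caller_arn is a session of expected_role."""
    parsed = parse_assumed_role_arn(caller_arn)
    if parsed is None:
        return False, "not an assumed-role session: %s" % caller_arn
    _account, role, session = parsed
    if role != expected_role:
        return False, "acting as role %r (session %r), expected %r" % (role, session, expected_role)
    return True, "acting as %s/%s" % (role, session)


def ssm_client_as_role(role_arn, region, session_name="newsession"):
    """Live version (needs boto3 and AWS credentials): assume role_arn with STS, verify
    the resulting identity with GetCallerIdentity, then return an SSM client bound to it."""
    response = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    if credentials_expired(response):
        raise RuntimeError("assumed-role credentials already expired")
    session = boto3.Session(region_name=region, **credentials_kwargs(response))
    expected_role = role_arn.rsplit("/", 1)[-1]  # role name is the last ARN path segment
    ok, why = check_identity(session.client("sts").get_caller_identity()["Arn"], expected_role)
    if not ok:
        raise RuntimeError("refusing to call SSM: " + why)
    return session.client("ssm")


if __name__ == "__main__":
    # Offline demonstration on the two identities seen in the question.
    for arn in ("arn:aws:sts::000001:assumed-role/iam_base_role/i-0691847a77",
                "arn:aws:sts::000001:assumed-role/iam_ssm_role/newsession"):
        print(arn, "->", check_identity(arn, "iam_ssm_role"))
    print(credentials_kwargs(SAMPLE_ASSUME_ROLE_RESPONSE))
```

The session-based form has the same effect as passing the three credential arguments to boto3.client, but every client created from the Session inherits them, so a later client cannot quietly revert to the instance profile. The GetCallerIdentity check costs one extra STS call and turns the confusing SSM AccessDeniedException into an immediate, explicit "acting as role iam_base_role" failure.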