Python AWS承担的角色与boto3不符合预期
我想使用aws SSM执行SSM:通过假设已定义以下策略的IAM角色(IAM_SSM_角色),描述ec2实例(I-0691847a77)上的安装信息 两个IAM角色位于同一aws帐户上&IAM_基本角色arn已作为受信任策略添加到IAM_ssm_角色中Python AWS承担的角色与boto3不符合预期,python,amazon-web-services,boto3,amazon-iam,ssm,Python,Amazon Web Services,Boto3,Amazon Iam,Ssm,我想使用aws SSM执行SSM:通过假设已定义以下策略的IAM角色(IAM_SSM_角色),描述ec2实例(I-0691847a77)上的安装信息 两个IAM角色位于同一aws帐户上&IAM_基本角色arn已作为受信任策略添加到IAM_ssm_角色中 { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "ssm:*", "ec2
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ssm:*",
"ec2:DescribeImages",
"cloudwatch:PutMetricData",
"ec2:DescribeInstances",
"lambda:InvokeFunction",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeSubnets",
"ec2:DescribeKeyPairs",
"cloudwatch:ListMetrics",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}
我使用IAM角色(IAM_base_角色)在ec2实例上运行以下代码
我收到拒绝访问错误,假定的角色显示为“iam_ssm_角色”,但看起来ssm正在使用iam_基本角色而不是iam_ssm_角色运行
AROAV6BDS6PTVQBU:iam_ssm_role
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeInstanceInformation operation: User: arn:aws:sts::000001:assumed-role/iam_base_role/i-0691847a77 is not authorized to perform: ssm:DescribeInstanceInformation on resource: arn:aws:ssm:us-east-1:000001:*
好的,我发现我以前的代码有问题,我没有在bot3.client SSM部分中使用假定的iam角色的凭据 我现在可以成功运行代码了,我正在使用下面的代码
import boto3
boto_sts=boto3.client('sts')
stsresponse = boto_sts.assume_role(
RoleArn="arn:aws:iam::000001:role/iam_ssm_role",
RoleSessionName='newsession'
)
newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]
client = boto3.client('ssm',
region_name = 'us-east-1',
aws_access_key_id=newsession_id,
aws_secret_access_key=newsession_key,
aws_session_token=newsession_token)
ssm_response = client.describe_instance_information(
InstanceInformationFilterList=[
{
'key': 'InstanceIds',
'valueSet': [
'i-0f0099877fgg'
]
}
]
)
print(ssm_response)
import boto3
boto_sts=boto3.client('sts')
stsresponse = boto_sts.assume_role(
RoleArn="arn:aws:iam::000001:role/iam_ssm_role",
RoleSessionName='newsession'
)
newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]
client = boto3.client('ssm',
region_name = 'us-east-1',
aws_access_key_id=newsession_id,
aws_secret_access_key=newsession_key,
aws_session_token=newsession_token)
ssm_response = client.describe_instance_information(
InstanceInformationFilterList=[
{
'key': 'InstanceIds',
'valueSet': [
'i-0f0099877fgg'
]
}
]
)
print(ssm_response)