
AWS: Boto3: AssumeRole example which includes role usage

Tags: boto3, boto

I'm trying to use AssumeRole in such a way that I'm traversing multiple accounts and retrieving assets for those accounts. I've made it to this point:

```python
import boto3

sts_client = boto3.client('sts')

# Assume the role in the target account; the response carries temporary credentials
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
    RoleSessionName="AssumeRoleSession1")
```

Great, I have the assumedRoleObject. But now I want to use that to list things like ELBs or something that isn't a built-in low level resource.

How does one go about doing that? If I may ask, please code out a full example, so that everyone can benefit.

mumbles Avatar asked May 25 '17 03:05


2 Answers

Here's a code snippet from the official AWS documentation where an S3 resource is created for listing all S3 buckets. boto3 resources or clients for other services can be built in a similar fashion.

```python
import boto3

# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')

# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
    RoleSessionName="AssumeRoleSession1"
)

# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials = assumed_role_object['Credentials']

# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
s3_resource = boto3.resource(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

# Use the Amazon S3 resource object that is now configured with the
# credentials to access your S3 buckets.
for bucket in s3_resource.buckets.all():
    print(bucket.name)
```
Vinay Avatar answered Oct 18 '22 06:10

You can assume a role using an STS token, like:

```python
import os
from boto3.session import Session

# The original snippet assumes these constants are defined elsewhere; here the
# caller's long-lived keys and the session name are read from the environment.
ARN_ACCESS_KEY = os.environ['ARN_ACCESS_KEY']
ARN_SECRET_KEY = os.environ['ARN_SECRET_KEY']
ARN_ROLE_SESSION_NAME = os.environ.get('ARN_ROLE_SESSION_NAME', 'AssumeRoleSession1')


class Boto3STSService(object):
    def __init__(self, arn):
        # Session built from the long-lived keys, used only to call STS
        sess = Session(aws_access_key_id=ARN_ACCESS_KEY,
                       aws_secret_access_key=ARN_SECRET_KEY)
        sts_connection = sess.client('sts')
        assume_role_object = sts_connection.assume_role(
            RoleArn=arn, RoleSessionName=ARN_ROLE_SESSION_NAME,
            DurationSeconds=3600)
        # Temporary AccessKeyId / SecretAccessKey / SessionToken for the role
        self.credentials = assume_role_object['Credentials']
```

This will give you a temporary access key and secret key, with a session token. With these temporary credentials, you can access any service. For example, if you want to access ELB, you can use the below code:

```python
from boto3.session import Session


# The enclosing class was not shown in the original snippet; the name ElbService
# is a placeholder that wraps the methods posted there.
class ElbService(object):
    def __init__(self, arn):
        self.tmp_credentials = Boto3STSService(arn).credentials

    def get_boto3_session(self):
        tmp_access_key = self.tmp_credentials['AccessKeyId']
        tmp_secret_key = self.tmp_credentials['SecretAccessKey']
        security_token = self.tmp_credentials['SessionToken']

        # A Session carrying the temporary credentials, including the session token
        boto3_session = Session(
            aws_access_key_id=tmp_access_key,
            aws_secret_access_key=tmp_secret_key,
            aws_session_token=security_token
        )
        return boto3_session

    def get_elb_boto3_connection(self, region):
        sess = self.get_boto3_session()
        elb_conn = sess.client(service_name='elb', region_name=region)
        return elb_conn
```
upaang saxena Avatar answered Oct 18 '22 04:10
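A fuller version of what both answers do, as an added example that is not from the original post or the boto3 project: it assumes a role in each of a list of accounts and lists the classic ELBs in each one, continuing past accounts where AssumeRole fails. The role name AssetInventoryReadOnly and the session name are assumptions, and the STS and ELB clients are injectable so the flow can be exercised without AWS access.

```python
from typing import Dict, Iterable, List, Union

ROLE_NAME = "AssetInventoryReadOnly"  # assumption: this role exists in every target account


def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    """Build the ARN of the role to assume in one target account."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("invalid AWS account id: %r" % account_id)
    return "arn:aws:iam::%s:role/%s" % (account_id, role_name)


def session_kwargs(assume_role_response: dict) -> Dict[str, str]:
    """Map the temporary credentials in an AssumeRole response onto Session kwargs."""
    creds = assume_role_response["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def assume_into(sts_client, account_id: str, session_name: str = "AssetInventory") -> Dict[str, str]:
    """Call AssumeRole for one account; the session name is what that account's CloudTrail records."""
    response = sts_client.assume_role(
        RoleArn=role_arn(account_id), RoleSessionName=session_name,
        DurationSeconds=900)  # shortest lifetime STS allows; enough for one inventory pass
    return session_kwargs(response)


def list_elbs(elb_client) -> List[str]:
    """Return every classic ELB name visible to the client, following pagination."""
    names = []  # type: List[str]
    for page in elb_client.get_paginator("describe_load_balancers").paginate():
        names.extend(lb["LoadBalancerName"] for lb in page["LoadBalancerDescriptions"])
    return names


def elbs_per_account(account_ids: Iterable[str], region: str, sts_client=None,
                     elb_client_factory=None) -> Dict[str, Union[List[str], str]]:
    """Assume the role in each account and collect its ELB names; a failing account is
    recorded (e.g. AccessDenied from a missing trust policy) and does not abort the scan."""
    if sts_client is None or elb_client_factory is None:
        import boto3  # lazy import so the pure helpers above work without the SDK installed
        sts_client = sts_client or boto3.client("sts")
        elb_client_factory = elb_client_factory or (
            lambda kwargs: boto3.Session(**kwargs).client("elb", region_name=region))
    results = {}  # type: Dict[str, Union[List[str], str]]
    for account_id in account_ids:
        try:
            results[account_id] = list_elbs(elb_client_factory(assume_into(sts_client, account_id)))
        except Exception as exc:  # keep going; the failing account is reported in the result
            results[account_id] = "error: %s" % exc
    return results
```

Calling `elbs_per_account(["111111111111", "222222222222"], "us-east-1")` with no injected clients uses the caller's default credentials for STS, so the caller's own identity needs sts:AssumeRole on each target role.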