How to create an ingress rule whose source is a security group in boto3
I am trying to create a security group in AWS using boto3 where the traffic source is an existing security group.
This is what I did:
res = client.authorize_security_group_ingress(
    GroupId=sg_id,  # sg I want to modify
    IpPermissions=[{
        'IpProtocol': 'tcp',
        'FromPort': 80,
        'ToPort': 80,
        'IpRanges': [{'CidrIp': 'sg-xxxxxxx'}]  # sg I want to be the source
    }]
)
But I get:
An error occurred (InvalidParameterValue) when calling the AuthorizeSecurityGroupIngress operation: CIDR block sg-0ae9ec592f6d43219 is malformed
Honestly, this is obvious, since the field in IpRanges is CidrIp and not something like groupId, which is what I expected.
But according to the documentation:
CidrIp (string) --
The IPv4 CIDR range. You can either specify a CIDR range or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.
It doesn't really say "source security group ID"; I just assumed it was the ID. I tried the name too, and it didn't work either (specifying the name will try to look up an SG with that name in the default VPC).
You must use the UserIdGroupPairs option instead of IpRanges:
    'UserIdGroupPairs': [
        {
            'Description': 'string',
            'GroupId': 'string',
            'GroupName': 'string',
            'PeeringStatus': 'string',
            'UserId': 'string',
            'VpcId': 'string',
            'VpcPeeringConnectionId': 'string'
        },
    ]
That is:
UserIdGroupPairs (list) --
The security group and AWS account ID pairs.
(dict) --
Describes a security group and AWS account ID pair.
Description (string) --
A description for the security group rule that references this user ID group pair.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
GroupId (string) --
The ID of the security group.
GroupName (string) --
The name of the security group. In a request, use this parameter for a security group in EC2-Classic or a default VPC only. For a security group in a nondefault VPC, use the security group ID.
For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.
PeeringStatus (string) --
The status of a VPC peering connection, if applicable.
UserId (string) --
The ID of an AWS account.
For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
[EC2-Classic] Required when adding or removing rules that reference a security group in another AWS account.
VpcId (string) --
The ID of the VPC for the referenced security group, if applicable.
VpcPeeringConnectionId (string) --
The ID of the VPC peering connection, if applicable.
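A working version of the call, added here as an example (it is not code from the question or the answer): a helper that routes a CIDR to IpRanges/CidrIp and an sg- ID to UserIdGroupPairs/GroupId so the two are never mixed in one element, plus an apply step that treats an already-present rule as success. The two security-group IDs are constructed placeholders, and the live boto3 client is only created under `__main__`.

```python
import ipaddress
import re

# Constructed placeholder IDs; replace with your own groups.
TARGET_SG_ID = "sg-0fedcba9876543210"   # group whose rules are modified
SOURCE_SG_ID = "sg-0123456789abcdef0"   # group allowed to talk to it

SG_ID = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")  # 8- or 17-hex-digit IDs


def build_ingress_permission(source, port, protocol="tcp", description=""):
    """Return one IpPermissions element for a single port.

    A CIDR goes under IpRanges/CidrIp; a security-group ID goes under
    UserIdGroupPairs/GroupId. Mixing the two in one element is what the
    docs forbid with "not both", and a bad string fails here, not at AWS.
    """
    perm = {"IpProtocol": protocol, "FromPort": port, "ToPort": port}
    if SG_ID.match(source):
        perm["UserIdGroupPairs"] = [{"GroupId": source, "Description": description}]
    else:
        # ValueError for anything that is neither a CIDR nor a single host;
        # a bare host address is normalised to /32 as the docs require.
        net = ipaddress.ip_network(source, strict=False)
        perm["IpRanges"] = [{"CidrIp": str(net), "Description": description}]
    return perm


def authorize_ingress(client, target_sg_id, source, port, protocol="tcp", description=""):
    """Apply one rule; an already-present rule counts as success so reruns are safe."""
    perm = build_ingress_permission(source, port, protocol, description)
    try:
        client.authorize_security_group_ingress(GroupId=target_sg_id, IpPermissions=[perm])
        return "added"
    except Exception as exc:  # botocore's ClientError carries the AWS error code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "InvalidPermission.Duplicate":
            return "already-present"
        raise


if __name__ == "__main__":
    import boto3  # only needed for the live call

    ec2 = boto3.client("ec2")
    print(authorize_ingress(ec2, TARGET_SG_ID, SOURCE_SG_ID, 80, description="web from source sg"))
```

The Description on the pair is worth filling in: it is what shows up later when someone audits why one group may reach another.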