Python boto3 获取一个组织的所有RDS实例列表
Python boto3 get all RDS instance list of an organization
假设我有一个包含 25 个 aws 帐户的组织,其中每个帐户可能包含也可能不包含一些保留的 RDS 实例。所以我需要使用 boto3 连接我的组织并迭代每个帐户以检查 RDS 预留实例。我在单个帐户级别上执行的检查 RDS 实例的操作。
此代码将列出单个账户中存在的所有 RDS 实例
示例代码
#!/usr/bin/env python
import boto3
client = boto3.client('rds')
response =
client.describe_db_instances()
for i in response['DBInstances']:
db_name = i['DBName']
db_instance_name = i['DBInstanceIdentifier']
db_type = i['DBInstanceClass']
db_storage = i['AllocatedStorage']
db_engine = i['Engine']
print (db_instance_name,db_type,db_storage,db_engine)
所以我的问题是如何连接到组织级别,列出每个帐户的 RDS 预留实例?我需要使用哪些 type/level 凭据?
一种方法是使用公共角色。这种方法的先决条件是,属于组织的每个帐户中都需要有一个角色,该角色有权进行必要的 API 调用。然后,您担任此公共角色以在目标帐户中执行 API 调用。 https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html.
概述了这种设置
有了这个角色,您可以 运行 boto3 代码来查找您组织中的所有帐户——可能是这样的:
org_client = boto3.client('organizations')
root_id = org_client.list_roots()['Roots'][0]['Id']
LOGGER.info('root ID: %s', root_id)
paginator = org_client.get_paginator('list_organizational_units_for_parent')
response_iterator = paginator.paginate(ParentId=root_id)
for item in response_iterator:
for ou in item['OrganizationalUnits']:
ou_paginator = org_client.get_paginator('list_accounts_for_parent')
ou_response_iterator = ou_paginator.paginate(ParentId=ou['Id'])
for ou_item in ou_response_iterator:
for account in ou_item['Accounts']:
account_id = account['Id']
//next, assume a role in this account
然后,下一步就是承担这个角色,代码类似于https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html处显示的代码。使用上面的帐户 ID 和通用角色名称构建下面的 RoleARN (arn:aws:iam::account-of-role-to-assume:role/name-of-role):
import boto3
# The calls to AWS STS AssumeRole must be signed with the access key ID
# and secret access key of an existing IAM user or by using existing temporary
# credentials such as those from another role. (You cannot call AssumeRole
# with the access key for the root account.) The credentials can be in
# environment variables or in a configuration file and will be discovered
# automatically by the boto3.client() function. For more information, see the
# Python SDK documentation:
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html#client
# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
RoleSessionName="AssumeRoleSession1"
)
# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials=assumed_role_object['Credentials']
# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
rds_client=boto3.client(
'rds',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'],
)
您可以查询 RDS 以查找任何实例并将找到的任何实例添加到列表中。遍历组织中的所有帐户后,您应该拥有属于该组织的所有帐户的完整列表。
假设我有一个包含 25 个 aws 帐户的组织,其中每个帐户可能包含也可能不包含一些保留的 RDS 实例。所以我需要使用 boto3 连接我的组织并迭代每个帐户以检查 RDS 预留实例。我在单个帐户级别上执行的检查 RDS 实例的操作。
此代码将列出单个账户中存在的所有 RDS 实例
示例代码
#!/usr/bin/env python
import boto3
client = boto3.client('rds')
response =
client.describe_db_instances()
for i in response['DBInstances']:
db_name = i['DBName']
db_instance_name = i['DBInstanceIdentifier']
db_type = i['DBInstanceClass']
db_storage = i['AllocatedStorage']
db_engine = i['Engine']
print (db_instance_name,db_type,db_storage,db_engine)
所以我的问题是如何连接到组织级别,列出每个帐户的 RDS 预留实例?我需要使用哪些 type/level 凭据?
一种方法是使用公共角色。这种方法的先决条件是,属于组织的每个帐户中都需要有一个角色,该角色有权进行必要的 API 调用。然后,您担任此公共角色以在目标帐户中执行 API 调用。 https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html.
概述了这种设置有了这个角色,您可以 运行 boto3 代码来查找您组织中的所有帐户——可能是这样的:
org_client = boto3.client('organizations')
root_id = org_client.list_roots()['Roots'][0]['Id']
LOGGER.info('root ID: %s', root_id)
paginator = org_client.get_paginator('list_organizational_units_for_parent')
response_iterator = paginator.paginate(ParentId=root_id)
for item in response_iterator:
for ou in item['OrganizationalUnits']:
ou_paginator = org_client.get_paginator('list_accounts_for_parent')
ou_response_iterator = ou_paginator.paginate(ParentId=ou['Id'])
for ou_item in ou_response_iterator:
for account in ou_item['Accounts']:
account_id = account['Id']
//next, assume a role in this account
然后,下一步就是承担这个角色,代码类似于https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html处显示的代码。使用上面的帐户 ID 和通用角色名称构建下面的 RoleARN (arn:aws:iam::account-of-role-to-assume:role/name-of-role):
import boto3
# The calls to AWS STS AssumeRole must be signed with the access key ID
# and secret access key of an existing IAM user or by using existing temporary
# credentials such as those from another role. (You cannot call AssumeRole
# with the access key for the root account.) The credentials can be in
# environment variables or in a configuration file and will be discovered
# automatically by the boto3.client() function. For more information, see the
# Python SDK documentation:
# http://boto3.readthedocs.io/en/latest/reference/services/sts.html#client
# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::account-of-role-to-assume:role/name-of-role",
RoleSessionName="AssumeRoleSession1"
)
# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials=assumed_role_object['Credentials']
# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
rds_client=boto3.client(
'rds',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'],
)
您可以查询 RDS 以查找任何实例并将找到的任何实例添加到列表中。遍历组织中的所有帐户后,您应该拥有属于该组织的所有帐户的完整列表。