# Description:
# The role on the EC2 instance allows cross-account access to SSM.
# Retrieve the access key / secret key for the Lambda user that is saved in SSM,
# then use those access keys in a client to access Lambda.
5
6import boto3
7
# Lambda function whose configuration is fetched at the bottom of the script.
function_name = 'hello-world'

# Role in the target account; the 000000000000 account id looks like a placeholder to be replaced.
role_to_assume_arn = 'arn:aws:iam::000000000000:role/MyCrossAccountRole'
role_session_name = 'test_session'

# SSM parameter names holding the Lambda user's long-lived access key pair
# (read with WithDecryption=True below, so presumably SecureString parameters).
ssm_access_key_path = '/team-a/production/AWS_LAMBDA_USER_ACCESS_KEY'
ssm_secret_key_path = '/team-a/production/AWS_LAMBDA_USER_SECRET_KEY'
13
def get_target_credentials(role_to_assume_arn, role_session_name, ssm_access_key_path, ssm_secret_key_path):
    """Assume a cross-account role and read a Lambda user's access key pair from SSM.

    Steps, in order:
      1. ``sts:AssumeRole`` on *role_to_assume_arn* using the caller's default
         credential chain (on EC2, the instance role).
      2. Build an SSM client from the temporary credentials of that role.
      3. Read and decrypt the two parameters, access key first.

    Args:
        role_to_assume_arn: ARN of the role that is allowed to read the SSM parameters.
        role_session_name: Name attached to the assumed-role session (shows up in
            the session's ARN and in audit logs).
        ssm_access_key_path: SSM parameter name holding the access key id.
        ssm_secret_key_path: SSM parameter name holding the secret access key.

    Returns:
        dict with keys ``"access_key"`` and ``"secret_key"``. Both values are
        long-lived IAM user secrets: do not log or print them.

    Raises:
        botocore.exceptions.ClientError (propagated from boto3) when AssumeRole or
            GetParameter is denied, or a parameter does not exist.
    """
    sts = boto3.client('sts')
    assumed = sts.assume_role(RoleArn=role_to_assume_arn, RoleSessionName=role_session_name)
    temp = assumed['Credentials']

    # Scope the SSM client to the assumed role's temporary credentials, not the caller's.
    ssm_client = boto3.client(
        'ssm',
        aws_access_key_id=temp['AccessKeyId'],
        aws_secret_access_key=temp['SecretAccessKey'],
        aws_session_token=temp['SessionToken'],
    )

    def read_decrypted(name):
        # WithDecryption is needed for SecureString parameters; if the parameter is
        # encrypted with a customer-managed KMS key the role also needs kms:Decrypt on it.
        return ssm_client.get_parameter(Name=name, WithDecryption=True)['Parameter']['Value']

    # Dict literals evaluate left to right, so the access key is fetched before the secret key.
    return {
        "access_key": read_decrypted(ssm_access_key_path),
        "secret_key": read_decrypted(ssm_secret_key_path),
    }
23
mycreds = get_target_credentials(role_to_assume_arn, role_session_name, ssm_access_key_path, ssm_secret_key_path)

# No aws_session_token here: these are long-lived IAM user keys, so this client
# keeps working until the keys are rotated or revoked.
lambda_client = boto3.client(
    'lambda',
    aws_access_key_id=mycreds['access_key'],
    aws_secret_access_key=mycreds['secret_key'],
)
response = lambda_client.get_function_configuration(FunctionName=function_name)

# NOTE(review): the whole configuration is printed as-is; if the function defines
# Environment.Variables they appear in this output, so keep stdout out of shared logs.
print(response)