import logging

import boto3
import dateutil
import dateutil.tz
4
# Root logger: INFO and above go to the console (StreamHandler's default
# stream is stderr) with no formatter, so each record is its bare message.
logger = logging.getLogger()
console_handler = logging.StreamHandler()
logger.addHandler(console_handler)
logger.setLevel(logging.INFO)
8
9
def create_sts_client(aws_access_key_id=None,
                      aws_secret_access_key=None,
                      aws_session_token=None):
    """Return a boto3 client for the AWS Security Token Service (STS).

    Args:
        aws_access_key_id: Access key ID of the calling principal.
        aws_secret_access_key: Secret key paired with ``aws_access_key_id``.
        aws_session_token: Session token; only needed when the key pair is
            itself a set of temporary credentials.

    All three default to ``None``; boto3 then falls back to its standard
    credential resolution (environment, shared config, instance role).
    """
    credentials = {
        'aws_access_key_id': aws_access_key_id,
        'aws_secret_access_key': aws_secret_access_key,
        'aws_session_token': aws_session_token,
    }
    return boto3.client('sts', **credentials)
20
21
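def get_crossaccount_credentials(access_key, secret_key, role_arn,
                                 session_name='test-auth'):
    """Assume ``role_arn`` with the given keys and return the raw STS response.

    Args:
        access_key: Access key ID of the principal permitted to assume the role.
        secret_key: Secret access key paired with ``access_key``.
        role_arn: ARN of the IAM role to assume (typically in another account).
        session_name: ``RoleSessionName`` that CloudTrail records on every call
            made with the resulting credentials. Defaults to the original
            placeholder ``'test-auth'``; pass something that identifies the
            caller so the assumed-role activity can be attributed.

    Returns:
        The ``assume_role`` response; the temporary credentials are under
        ``['Credentials']`` (``AccessKeyId``, ``SecretAccessKey``,
        ``SessionToken``, ``Expiration``).

    Raises:
        botocore.exceptions.ClientError: if STS rejects the request (for
            example, the role's trust policy does not allow this principal).
    """
    client = create_sts_client(access_key, secret_key)
    return client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)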
26
27
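def _local_expiration(expiration):
    """Render an aware ``Expiration`` datetime in local time as 'YYYY-MM-DD HH:MM:SS'."""
    local_tz = dateutil.tz.tzlocal()
    return expiration.astimezone(local_tz).strftime('%Y-%m-%d %H:%M:%S')


def get_ec2_client(access_key,
                   secret_key,
                   role_arn=None,
                   region_name='us-east-1'):
    """Return an EC2 client, optionally built from an assumed cross-account role.

    Args:
        access_key: Access key ID of the primary (calling) principal.
        secret_key: Secret access key paired with ``access_key``.
        role_arn: If given, the role is assumed first and the EC2 client is
            created from the resulting temporary credentials; if ``None`` or
            empty, the primary keys are used directly.
        region_name: Region the EC2 client targets (default ``'us-east-1'``).

    Returns:
        A boto3 EC2 client.

    The temporary credentials are copied into the client as static values and
    are not refreshed, so a client built via ``role_arn`` stops working at the
    expiry that is logged here.
    """
    aws_session_token = None
    if role_arn:
        # Swap the long-lived keys for the role's temporary credentials. Only
        # the expiry is logged; the key material never reaches the log.
        response = get_crossaccount_credentials(access_key, secret_key,
                                                role_arn)
        temporary = response['Credentials']
        access_key = temporary['AccessKeyId']
        secret_key = temporary['SecretAccessKey']
        aws_session_token = temporary['SessionToken']
        logger.info("Retrieved creds from cross account. Valid till %s",
                    _local_expiration(temporary['Expiration']))
    return boto3.client(
        'ec2',
        region_name=region_name,
        aws_access_key_id=access_key,
        aws_secret_access_key=secret_key,
        aws_session_token=aws_session_token)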
51
52
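if __name__ == '__main__':
    # Required values. These are placeholders: supply real keys through the
    # environment or boto3's credential chain rather than editing them into
    # source, where they would end up in version control.
    primary_aws_access_key_id = '<primary_account_access_key>'
    primary_aws_secret_access_key = '<primary_account_secret_key>'
    cross_account_role_arn = '<cross_account_role_arn>'

    # Creating EC2 client for cross account
    ec2_client = get_ec2_client(primary_aws_access_key_id,
                                primary_aws_secret_access_key,
                                cross_account_role_arn)

    # Count instances across every reservation and every result page.
    # Indexing Reservations[0] raises IndexError when the account has no
    # instances and ignores instances in any later reservation.
    paginator = ec2_client.get_paginator('describe_instances')
    instance_count = sum(
        len(reservation['Instances'])
        for page in paginator.paginate()
        for reservation in page['Reservations'])
    logger.info("Found %s instances", instance_count)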