gpt4 book ai didi

amazon-web-services - AWS CLI : Get parent user details after sts-assume-role

转载 作者:行者123 更新时间:2023-12-05 07:23:53 26 4
gpt4 key购买 nike

我正在尝试使用 Ansible 剧本自动执行一些标记。我想要完成的其中一件事是使用创建者的用户名标记资源。问题是 sts-assume-role 混淆了顶级帐户的用户数据。

# cat ~/.aws/credentials
[default]
aws_secret_access_key = gggggggggggggggggggggggggggggggggg
aws_access_key_id = JJJJJJJJJJJJJJJJJJJJ

[childaccount]
role_arn = arn:aws:iam::0123456789:role/child-acct-admin
source_profile = default

# aws iam get-user
{
"User": {
"Arn": "arn:aws:iam::4567891230:user/someuser",
"UserName": "someuser",
"UserId": "CCCCCCCCCCCCCCCCC",
"Path": "/",
"CreateDate": "2018-01-04T15:21:51Z",
"PasswordLastUsed": "2019-01-11T15:24:32Z"
}
}

# aws opsworks --region us-east-1 describe-my-user-profile
{
"UserProfile": {
"IamUserArn": "arn:aws:iam::4567891230:user/someuser",
"Name": "someuser",
"SshUsername": "someuser"
}
}

# export AWS_DEFAULT_PROFILE=childaccount
# aws opsworks --region us-east-1 describe-my-user-profile
{
"UserProfile": {
"SshUsername": "child-acct-admin-botocore-sess",
"Name": "child-acct-admin/botocore-session-123456789",
"IamUserArn": "arn:aws:sts::234567898:assumed-role/child-acct-admin/botocore-session-123456789"
}
}

# aws iam get-user

An error occurred (ValidationError) when calling the GetUser operation: Must specify userName when calling with non-User credentials

我需要一些我可以执行的命令来为我提供顶级帐户详细信息。我能想到的唯一途径是解析凭据文件并尝试使用假定的角色名称映射回加载的配置文件和父配置文件。然后直接传递顶级帐户的 key (在本例中为默认值)以给出实际的用户名。它比应有的复杂得多。

最佳答案

我走了很远的路。此方法假定凭据和子帐户角色已在您的 ~/.aws/credentials 文件中定义。用 Ansible 编写。

- name: Query AWS role loaded
shell: aws opsworks --region us-east-1 describe-my-user-profile --query 'UserProfile.Name' | awk -F'["/]' '{print $2}'
register: role_in_use

- name: Discover AWS profile loaded
shell: awk '/\[/{prefix=$0; next} $1{print prefix $0}' ~/.aws/credentials | grep role/{{ role_in_use.stdout }} | awk -F'[][]' '{print $2}'
register: profile_in_use

- name: Find AWS source profile
shell: awk '/\[/{prefix=$0; next} $1{print prefix $0}' ~/.aws/credentials| grep "\[{{ profile_in_use.stdout }}\]source_profile =" | awk '{print $3}'
register: src_profile

- name: Set AWS source user
shell: aws opsworks --region us-east-1 describe-my-user-profile --query 'UserProfile.Name' --profile {{ src_profile.stdout }} | awk -F'["/]' '{print $2}'
register: src_user

从那里,您可以引用用户名ala:{{ src_user.stdout }}

关于amazon-web-services - AWS CLI : Get parent user details after sts-assume-role,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55696650/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com