我尝试使用 AWS CLI 检索附加到我们 AWS 组织内的 AWS 账户的标签和值列表,但没有成功。有人以前做过吗?
我尝试了以下方法:aws Organizations list-accounts --query 'Accounts[].Id');执行 aws resourcegroupstaggingapi get-resources --query 'ResourceTagMappingList[].{ResourceARN:ResourceARN,Tags:Tags}' --output table --resource-type-filters AWS::AllSupported --region us-east-1 --account -id $account_id
但运气不好
为了使用组织 API 查看组织的帐户标签,您至少需要以下权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOrganizationAccountTags",
"Effect": "Allow",
"Action": [
"organizations:DescribeAccount",
"organizations:ListAccounts",
"organizations:ListTagsForResource"
],
"Resource": "*"
}
]
}
一旦到位,您可以执行以下操作:
$ aws organizations list-accounts
{
"Accounts": [
{
"Id": "<account_id>",
"Arn": "arn:aws:organizations::<account_id>:account/<ou_id>/<id>",
"Email": "[email protected]",
"Name": "<account_name>",
"Status": "ACTIVE",
"JoinedMethod": "CREATED",
"JoinedTimestamp": "2020-11-20T17:40:23.085000+02:00"
},
{
"Id": "...",
"Arn": "...",
"Email": "...",
"Name": "...",
"Status": "...",
"JoinedMethod": "...",
"JoinedTimestamp": "...."
}
]
}
然后
$ aws organizations list-tags-for-resource --resource-id "target_account_id"
{
"Tags": [
{
"Key": "FOO1",
"Value": "bar1"
},
{
"Key": "FOO2",
"Value": "bar2"
}
]
}