env: python3 venv, using the boto3 APIs
I have created a group and a permission set in the identity store and want to assign the group to the permission set (via the API, taking the IDs and ARNs from the create responses).
Creating the permission set:
    def create_permission_set(self, instance_arn, name):
        client = boto3.client('sso-admin',
                              aws_access_key_id=self.access_key,
                              aws_secret_access_key=self.secret_key,
                              region_name=self.region_name)
        response = client.create_permission_set(
            InstanceArn=instance_arn,
            Name=name
        )
        return response
Both the group and the permission set exist in the identity store.
But when I try to assign the group to the permission set with this code
    def bind_group_permission_set(self, permission_set_arn, group_id, instance_id, instance_arn):
        client = boto3.client('sso-admin',
                              aws_access_key_id=self.access_key,
                              aws_secret_access_key=self.secret_key,
                              region_name=self.region_name)
        response = client.create_account_assignment(
            InstanceArn=instance_arn,
            PermissionSetArn=permission_set_arn,
            PrincipalId=group_id,
            PrincipalType='GROUP',
            TargetId='8xxxxxxxxxxxx3',
            TargetType='AWS_ACCOUNT'
        )
        return response
it returns "IN_PROGRESS" as the status, and later fails when I fetch the status from SSOAdmin.Client.list_account_assignment_creation_status.
Job result:
    {'AccountAssignmentCreationStatus': {'PermissionSetArn': '',
                                         'PrincipalId': '',
                                         'PrincipalType': 'GROUP',
                                         'RequestId': '',
                                         'Status': 'IN_PROGRESS',
                                         'TargetId': '',
                                         'TargetType': 'AWS_ACCOUNT'},
     'ResponseMetadata': {'RequestId': '',
                          'HTTPStatusCode': 200,
                          'HTTPHeaders': {'date': 'Thu, 11 Jan 2024 06:05:43 GMT',
                                          'content-type': 'application/x-amz-json-1.1',
                                          'content-length': '334',
                                          'connection': 'keep-alive',
                                          'x-amzn-requestid': ''},
                          'RetryAttempts': 0}}
How can I make sure it does not go into the "IN_PROGRESS" state and goes straight to "FAILED" or "SUCCEEDED"?
According to the documentation I should get a failure reason if it fails, but this is not failing.
As described in the documentation, you should, after a successful response, call DescribeAccountAssignmentCreationStatus to describe the status of the assignment creation request. That is the only way to receive the FailureReason from AccountAssignmentCreationStatus. To be fair, it is not that obvious in the docs.
The following simplified example tries to create the assignment and then uses backoff to wait and check the status for up to 30 seconds:
    import boto3
    import backoff

    sso_admin_client = boto3.client("sso-admin")


    # wait for account assignment creation status, usually takes <5 seconds
    @backoff.on_predicate(  # retries until the function returns True
        backoff.constant,   # constant backoff
        interval=4,         # wait _ seconds between each try
        max_time=30)        # maximum wait time is _ seconds
    def wait_for_account_assignment_creation_status(instance_arn, assignment_request_id):
        status = sso_admin_client.describe_account_assignment_creation_status(
            InstanceArn=instance_arn,
            AccountAssignmentCreationRequestId=assignment_request_id
        )['AccountAssignmentCreationStatus']['Status']
        return status == 'SUCCEEDED'


    # create the association in the AWS SSO instance
    def create_account_assignment(instance_arn, account_id, permission_set_arn, principal_type, principal_id):
        response = sso_admin_client.create_account_assignment(InstanceArn=instance_arn,
                                                              TargetId=account_id,
                                                              TargetType='AWS_ACCOUNT',
                                                              PermissionSetArn=permission_set_arn,
                                                              PrincipalType=principal_type,
                                                              PrincipalId=principal_id)
        # ToDo: check if the response failed right away
        request_id = response['AccountAssignmentCreationStatus']['RequestId']
        # wait for the association to be created
        if not wait_for_account_assignment_creation_status(instance_arn, request_id):
            failure_reason = sso_admin_client.describe_account_assignment_creation_status(
                InstanceArn=instance_arn,
                AccountAssignmentCreationRequestId=request_id
            )['AccountAssignmentCreationStatus']['FailureReason']
            raise ValueError(f"Timeout - reason {failure_reason}")
        # creation successful
In my case the failure reason told me that the role I had assumed lacked the permissions to create and attach roles in the target account:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteAssociation",
                "Effect": "Allow",
                "Action": [
                    "sso:CreateAccountAssignment", // obvious
                    "iam:ListRolePolicies",        // new
                    "iam:GetSAMLProvider",         // new
                    "iam:CreateRole",              // new
                    "iam:AttachRolePolicy"         // new
                ],
                "Resource": "*"
            }
        ]
    }
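The answer's poller only returns early on SUCCEEDED, so a FAILED job still burns the whole 30 seconds before the FailureReason is read. The added example below (not code from the question or answer) stops on either terminal state and surfaces the FailureReason immediately; it assumes only the two `sso-admin` client methods named above, and a constructed in-memory fake stands in for the real boto3 client so it runs offline.

```python
"""Poll DescribeAccountAssignmentCreationStatus until a terminal state."""
import time

TERMINAL_STATES = {"SUCCEEDED", "FAILED"}  # IN_PROGRESS is the only other value


class AssignmentError(RuntimeError):
    """Raised with the FailureReason once the job reports FAILED."""


def wait_for_assignment(client, instance_arn, request_id,
                        max_time=30.0, interval=4.0, sleep=time.sleep):
    """Return the final AccountAssignmentCreationStatus dict.

    Raises AssignmentError as soon as the job is FAILED (carrying the
    FailureReason) and TimeoutError if it is still IN_PROGRESS after
    max_time seconds. `client` is anything with the boto3 'sso-admin'
    describe_account_assignment_creation_status method.
    """
    deadline = time.monotonic() + max_time
    while True:
        status = client.describe_account_assignment_creation_status(
            InstanceArn=instance_arn,
            AccountAssignmentCreationRequestId=request_id,
        )["AccountAssignmentCreationStatus"]
        if status["Status"] == "FAILED":
            raise AssignmentError(status.get("FailureReason", "no reason given"))
        if status["Status"] == "SUCCEEDED":
            return status
        if time.monotonic() >= deadline:
            raise TimeoutError(f"request {request_id} still {status['Status']}")
        sleep(interval)


class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin'): replays a
    scripted sequence of statuses and records the last call's kwargs."""

    def __init__(self, statuses):
        self.calls = 0
        self.last_kwargs = None
        self._statuses = list(statuses)

    def describe_account_assignment_creation_status(self, **kwargs):
        self.last_kwargs = kwargs
        idx = min(self.calls, len(self._statuses) - 1)  # final status sticks
        self.calls += 1
        return {"AccountAssignmentCreationStatus": self._statuses[idx]}
```

Pass the real `boto3.client("sso-admin")` as `client` in production; the fake exists only so the terminal-state handling can be exercised without AWS credentials.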