How to get login user's IAM role info using boto3?


Problem description

For ex: when I log in to my AWS account, the federated login appears as myrole/usr1. User user1 is not an IAM user. Tried to get the identity using client.get_caller_identity() using sts module.

When run in Lambda, it was giving the role assigned to the Lambda rather than the actual role I am looking for. How to get role info myrole?

Recommended answer

Here's the way to get role name from the code in general:

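import boto3

# Session bound to a named AWS CLI profile
s = boto3.Session(profile_name="some_profile_name")
c = s.client("sts")
# Returns the identity behind the credentials in use
print(c.get_caller_identity())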

You will get response along the lines of {'UserId': '...', 'Account': '...', 'Arn': 'arn:aws:sts::...:assumed-role/.../federated_username_here', ...}

However, this implies you have configured an AWS CLI profile with the name some_profile_name, and to do that you need to set up federated access via CLI or know the name of the role, which, as far as I understand, is what you want to get. Chicken and egg problem.

The same goes for attempts to get it using an AWS code environment: Lambda will display its role, EC2 the same way.

So to see it from the console you can try to go to the page https://console.aws.amazon.com/billing/home?#/account, and given you have permissions to see that page, your assumed role will be listed as Account Name.
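An added example, not part of the original answer: a parser for the Arn value that get_caller_identity() returns, separating the role name from the session (federated user) name. It goes beyond the assumed-role case in the answer to also cover IAM user, federated-user and root ARNs; the function name parse_caller_arn is hypothetical and the account ID, role and user names in the sample are constructed.

```python
import re

# arn:<partition>:<service>::<account-id>:<resource>  (IAM/STS ARNs carry no region)
_ARN_RE = re.compile(r"^arn:([^:]+):(sts|iam)::(\d{12}):(.+)$")


def parse_caller_arn(arn):
    """Split the 'Arn' value from sts.get_caller_identity() into its parts."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    _partition, service, account, resource = m.groups()
    out = {"account": account, "kind": None, "role": None,
           "session": None, "user": None}
    if resource == "root":
        out["kind"] = "root"
        return out
    kind, _, rest = resource.partition("/")
    out["kind"] = kind
    if service == "sts" and kind == "assumed-role":
        # assumed-role/<role-name>/<session-name>; for a federated login the
        # session name is the federated user name.
        role, sep, session = rest.partition("/")
        if not (role and sep and session):
            raise ValueError(f"malformed assumed-role ARN: {arn!r}")
        out["role"], out["session"] = role, session
    elif service == "sts" and kind == "federated-user" and rest:
        out["user"] = rest
    elif service == "iam" and kind == "user" and rest:
        # IAM user ARNs may include a path, e.g. user/division/alice
        out["user"] = rest.rsplit("/", 1)[-1]
    else:
        raise ValueError(f"unsupported principal type in {arn!r}")
    return out


# Constructed sample response (not real account data), shaped like the one above.
SAMPLE = {
    "UserId": "AROAEXAMPLEID:usr1",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/myrole/usr1",
}

if __name__ == "__main__":
    info = parse_caller_arn(SAMPLE["Arn"])
    print(info["role"], info["session"])
```

The parser only describes the principal behind the credentials that were used for the call, so inside Lambda it yields the function's own role, as noted above.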
