Recommended way to manage credentials with multiple AWS accounts?
Question
What is the best way to manage multiple Amazon Web Services (AWS) accounts through boto?
I am familiar with BotoConfig files, which I'm using. But each file describes only a single account...and I am working with more than just the one organization. For all the usual legal, financial, and security reasons, those accounts cannot be commingled.
Currently I am using one boto config file per account. E.g.:
~/.boto  default account
~/.boto_clowncollege  for "clowncollege" account
~/.boto_razorassoc  for "razorassoc" account
~/.boto_xyz  for "xyz" account
And then something like this:
import os

from boto.ec2.connection import EC2Connection
from iniparse import INIConfig  # INI parser from the iniparse package


def boto_config_path(account=None):
    """
    Given an account name, return the path to the corresponding boto
    configuration file. If no account given, return the default config file.
    """
    path = '~/.boto' + ('_' + account if account else '')
    clean_path = os.path.abspath(os.path.expanduser(path))
    if os.path.isfile(clean_path):
        return clean_path
    else:
        errmsg = "cannot find boto config file {} for {}".format(clean_path, account)
        raise ValueError(errmsg)


def aws_credentials(account=None):
    """
    Return a tuple of AWS credentials (access key id and secret access key) for
    the given account.
    """
    # Close the config file once parsed; errors propagate to the caller.
    with open(boto_config_path(account)) as f:
        cfg = INIConfig(f)
    return (cfg.Credentials.aws_access_key_id, cfg.Credentials.aws_secret_access_key)


# Connect to EC2 with the credentials of the "razorassoc" account.
conn = EC2Connection(*aws_credentials('razorassoc'))
Good, bad, or indifferent? Suggested improvements?
Recommended answer
In the future, boto will provide better tools to help you manage multiple credentials but at the moment, there are a couple of environment variables that might help out.
First, you can set BOTO_CONFIG to point to a boto config file that you want to use and it will override any config file found in the normal locations.
Secondly, you can set BOTO_PATH to a colon-separated list of places to look for a boto config file and it will search there first, prior to the normal search locations.
Neither of those gives you exactly what you want but it may make it easier to accomplish with a bit less code.
If you have ideas about how you would like this to work in boto, please let me know!
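One way to apply the BOTO_CONFIG override described in the answer to the per-account files from the question, as an added example (not code from the original post or from boto). The names boto_config_for and env_for_account are hypothetical, and it assumes boto also reads AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment, so those are dropped to keep accounts from mixing:

```python
import os
import re
import stat

# Account names map to ~/.boto_<name>; restrict the characters so a name
# can never point outside the home directory (e.g. "../other").
_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def boto_config_for(account=None, home=None):
    """Return the account's boto config path after checking it is safe to use."""
    home = home or os.path.expanduser("~")
    if account is not None and not _ACCOUNT_RE.match(account):
        raise ValueError("invalid account name: {!r}".format(account))
    path = os.path.join(home, ".boto" + ("_" + account if account else ""))
    st = os.lstat(path)  # raises FileNotFoundError if the file is missing
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("{} is not a regular file".format(path))
    # The file holds a secret key: refuse it if group or others have any access.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("{} is open to group/other; chmod 600 it".format(path))
    return path


def env_for_account(account=None, home=None, base_env=None):
    """Copy of the environment with BOTO_CONFIG pinned to one account's file."""
    env = dict(os.environ if base_env is None else base_env)
    env["BOTO_CONFIG"] = boto_config_for(account, home)
    # Remove settings that could bring in another account's config or keys
    # (assumption: boto consults these environment variables as well).
    for name in ("BOTO_PATH", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        env.pop(name, None)
    return env


# Usage (hypothetical script name): run one job per account in its own process,
# so credentials never share an interpreter:
#   subprocess.run([sys.executable, "job.py"], env=env_for_account("razorassoc"))
```

Passing the result as the child's environment keeps the parent process free of any single account's settings.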