
AWS Client Authentication Methods

The script marketplace supports several AWS client authentication methods. Users complete authorization by configuring the account parameter; the code example for each method follows.

1. IAM User with Resource Access Permissions

Code Example

# Please fill in the following configuration according to the actual situation

# AWS AK
account = {
    "ak_id"    : "<AWS AK ID>",
    "ak_secret": "<AWS AK SECRET>",
}

# collector configuration
collector_configs = {
    'regions': ['ap-southeast-1']
}

###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Account Field Explanation

  • ak_id: Access key ID of the IAM user (long-term credential), required.
  • ak_secret: Secret access key of the IAM user (long-term credential), required.

2. IAM User Assuming a Role (Using STS)

Code Example

# Please fill in the following configuration according to the actual situation

# AWS AK
account = {
    "ak_id"            : "<AWS AK ID>",
    "ak_secret"        : "<AWS AK SECRET>",
    "assume_role_arn"  : "<AWS ASSUME ROLE ARN>",
    "external_id"      : "<AWS EXTERNAL ID>",
    "role_session_name": "<AWS ROLE SESSION NAME>"
}

# collector configuration
collector_configs = {
    'regions': ['ap-southeast-1']
}

###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Account Field Explanation

  • ak_id: Same as above, required.
  • ak_secret: Same as above, required.
  • assume_role_arn: ARN of the role with resource access permissions (Amazon Resource Name), required.
  • role_session_name: Role session name (AWS explanation: use this string value to identify the session when different principals use the role. For security reasons, administrators can view this field in AWS CloudTrail logs to help identify who performed actions in AWS. Your administrator may require you to specify the IAM username as the session name when assuming a role. For more information, see sts:RoleSessionName.), optional, default: "Integration".
  • external_id: External ID, optional; leave it blank if the role being assumed does not require one.

3. User Enabling Multi-Factor Authentication (MFA)

Code Example

# Please fill in the following configuration according to the actual situation

# AWS AK
account = {
    "ak_id"            : "<AWS AK ID>",
    "ak_secret"        : "<AWS AK SECRET>",
    "assume_role_arn"  : "<AWS ASSUME ROLE ARN>",
    "role_session_name": "<AWS ROLE SESSION NAME>",
    "serial_number"    : "<MFA DEVICE NUMBER>",
    "token_code"       : "<MFA TOTP>",
}

# collector configuration
collector_configs = {
    'regions': ['ap-southeast-1']
}

###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Account Field Explanation

  • ak_id: Same as above, required.
  • ak_secret: Same as above, required.
  • assume_role_arn: Same as above, optional.
  • role_session_name: Same as above, optional.
  • external_id: External ID, same as above, optional.
  • serial_number: Identifier (serial number or ARN) of the MFA device, required.
  • token_code: One-time code generated by the MFA device, required.

Tip

To access resources protected by MFA-conditional policies, assuming a role is optional: the example shows the assume-role form. If assuming a role is not needed, remove the assume_role_arn and role_session_name fields and keep only serial_number and token_code.
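As an added illustration (not the collector's own code; how integration_aws_ec2__main actually calls STS is not shown on this page and is assumed here), the following maps the account fields from sections 2 and 3 onto the STS request they correspond to, applying the stated default for role_session_name, omitting a blank external_id, rejecting unfilled "<...>" placeholders, and covering the MFA-without-role case from the Tip. All sample values are constructed.

```python
"""Build the STS request implied by a script-marketplace `account` dict.
Illustrative only: no network call is made and no boto3 import is needed.
Assumption: a role -> AssumeRole; MFA with no role -> GetSessionToken."""
import re

PLACEHOLDER = re.compile(r"^<.*>$")      # e.g. "<AWS AK ID>" left unfilled
TOTP = re.compile(r"^\d{6}$")            # standard 6-digit MFA code


def sts_request(account: dict) -> dict:
    """Return {"api": <STS action or None>, "params": {...}}."""
    for key in ("ak_id", "ak_secret"):
        val = account.get(key)
        if not val or PLACEHOLDER.match(val):
            raise ValueError(f"{key} is missing or still a placeholder")

    role_arn = account.get("assume_role_arn")
    serial = account.get("serial_number")
    token = account.get("token_code")

    # MFA fields travel as a pair; a half-filled pair is a config error.
    if serial or token:
        if not (serial and token and TOTP.match(token)):
            raise ValueError("serial_number and a 6-digit token_code are both required")

    if role_arn:
        params = {
            "RoleArn": role_arn,
            # Page-documented default when role_session_name is omitted
            "RoleSessionName": account.get("role_session_name") or "Integration",
        }
        if account.get("external_id"):          # optional; blank means "not required"
            params["ExternalId"] = account["external_id"]
        if serial:                              # MFA-protected role (section 3)
            params["SerialNumber"] = serial
            params["TokenCode"] = token
        return {"api": "AssumeRole", "params": params}

    if serial:
        # MFA without assuming a role (Tip): temporary session for the user itself
        return {"api": "GetSessionToken",
                "params": {"SerialNumber": serial, "TokenCode": token}}

    # Section 1: long-term keys are used directly, no STS exchange
    return {"api": None, "params": {}}
```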

4. IAM Role Authentication for Amazon EC2

Code Example

# Please fill in the following configuration according to the actual situation

account = {
    "extra_tags": {
        "account_name": "role for ec2", # Your Account Name
    }
}

# collector configuration
collector_configs = {
    'regions': ['ap-southeast-1']
}

###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Account Field Explanation

Authenticating through the IAM role attached to the EC2 instance does not require configuring any access key (AK) information. If you want to attach extra tags to the collected data, you can still set them in extra_tags.

5. Common Questions

  • How to Determine Account Permission Policies

Users need resource access permissions before the collector can run. The required permission policy is given in the "IAM Policy Permissions" section of the documentation for the corresponding resource collector. Alternatively, the AWS managed policies "ReadOnlyAccess" or "SecurityAudit" grant read-only access to all AWS services and resources, which satisfies the permission requirements of most collectors (if it does not, see the corresponding collector documentation).

X. Appendix

AWS Access Keys

AWS Requesting Temporary Security Credentials

AWS Multi-Factor Authentication

Managed Policies vs. Inline Policies

ReadOnlyAccess Managed Policy

IAM Roles for Amazon EC2
