Multiple Authentication Methods for AWS Clients¶
The AWS collectors in the script market support several authentication methods. You authorize a collector by filling in the `account` parameters of its script; the sections below give a code example for each method and explain the account fields it uses.
1. IAM User Has Access to Resources¶
Code Example¶
```python
# Please fill in the following configuration according to the actual situation
# AWS AK
account = {
    "ak_id"    : "<AWS AK ID>",
    "ak_secret": "<AWS AK SECRET>",
}
# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}
###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()
```
Account Field Explanation¶
- ak_id: Access key created by the user (long-term credentials)
- ak_secret: Access secret created by the user (long-term credentials)
2. IAM User Assumes Role (Using STS)¶
Code Example¶
```python
# Please fill in the following configuration according to the actual situation
# AWS AK
account = {
    "ak_id"            : "<AWS AK ID>",
    "ak_secret"        : "<AWS AK SECRET>",
    "assume_role_arn"  : "<AWS ASSUME ROLE ARN>",
    "external_id"      : "<AWS EXTERNAL ID>",
    "role_session_name": "<AWS ROLE SESSION NAME>",
}
# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}
###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()
```
Account Field Explanation¶
- ak_id: Same as above, required.
- ak_secret: Same as above, required.
- assume_role_arn: ARN (Amazon Resource Name) of the role that has access to the resources, required.
- role_session_name: Role session name, optional, default "Integration". AWS uses this string to identify the session when different principals use the same role; it is recorded in AWS CloudTrail logs, so administrators can use it to identify who performed an action. Your administrator may require you to use your IAM user name as the session name (see the sts:RoleSessionName condition key).
- external_id: External ID, optional. Leave it blank if the role's trust policy does not require one; if it does, the value must match the sts:ExternalId condition in that trust policy. (External IDs are the usual guard against the confused-deputy problem when a role is assumed from another account.)
3. User Enables Multi-Factor Authentication (MFA)¶
Code Example¶
```python
# Please fill in the following configuration according to the actual situation
# AWS AK
account = {
    "ak_id"            : "<AWS AK ID>",
    "ak_secret"        : "<AWS AK SECRET>",
    "assume_role_arn"  : "<AWS ASSUME ROLE ARN>",
    "role_session_name": "<AWS ROLE SESSION NAME>",
    "serial_number"    : "<MFA DEVICE NUMBER>",
    "token_code"       : "<MFA TOTP>",
}
# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}
###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()
```
Account Field Explanation¶
- ak_id: Same as above, required.
- ak_secret: Same as above, required.
- assume_role_arn: Same as above, optional.
- role_session_name: Same as above, optional.
- external_id: Same as above, optional; only meaningful together with assume_role_arn.
- serial_number: Identifier of the MFA device, required: the serial number of a hardware device, or the ARN of a virtual device (of the form arn:aws:iam::<account-id>:mfa/<device-name>).
- token_code: The one-time code currently displayed by the MFA device, required.
Tip
Resources protected by an MFA-conditional policy (for example one that checks the aws:MultiFactorAuthPresent condition key) can be reached either by assuming a role with the MFA code, as in the example above, or by using the MFA code without assuming a role. If a role is not needed, remove the assume_role_arn and role_session_name fields. Note that a one-time code is valid only for a short window and cannot be reused, so enter a code that is current at the moment the collector authenticates.
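To make the field explanations for methods 2 and 3 concrete, the following added example (written for this page, not the collector's own implementation) maps the `account` dictionary onto the AWS STS calls that the two methods correspond to: sts:AssumeRole with an optional ExternalId and optional MFA, or sts:GetSessionToken with MFA when no role is assumed; methods 1 and 4 fall out as the two non-STS cases. It assumes a boto3-style STS client (any object whose `assume_role` and `get_session_token` methods accept boto3's keyword arguments); the `FakeSTS` class is a constructed stand-in so the example runs offline, and the account IDs, ARNs and keys in the demo are constructed placeholders.

```python
DEFAULT_SESSION_NAME = "Integration"  # default documented for role_session_name above


def build_credential_request(account):
    """Validate `account` and return (method, kwargs).

    method is one of:
      "instance_profile"  - no keys given; rely on the EC2 instance role (method 4)
      "static"            - long-term IAM user keys used directly (method 1)
      "assume_role"       - sts:AssumeRole, optionally with ExternalId and MFA (methods 2, 3)
      "get_session_token" - sts:GetSessionToken with MFA, no role assumed (method 3 tip)
    kwargs are the keyword arguments boto3's STS client takes for that call.
    """
    ak_id = account.get("ak_id")
    ak_secret = account.get("ak_secret")
    role_arn = account.get("assume_role_arn")
    external_id = account.get("external_id")
    serial = account.get("serial_number")
    token = account.get("token_code")

    # Fields that only make sense in pairs or in combination.
    if bool(ak_id) != bool(ak_secret):
        raise ValueError("ak_id and ak_secret must be set together")
    if bool(serial) != bool(token):
        raise ValueError("serial_number and token_code must be set together")
    if external_id and not role_arn:
        raise ValueError("external_id is only meaningful with assume_role_arn")
    if not ak_id and (role_arn or serial):
        raise ValueError("assume_role_arn and MFA require ak_id and ak_secret")

    if not ak_id:
        return "instance_profile", {}

    if role_arn:
        kwargs = {
            "RoleArn": role_arn,
            "RoleSessionName": account.get("role_session_name") or DEFAULT_SESSION_NAME,
        }
        if external_id:
            kwargs["ExternalId"] = external_id  # must match sts:ExternalId in the trust policy
        if serial:
            kwargs["SerialNumber"] = serial     # MFA device ARN or hardware serial number
            kwargs["TokenCode"] = token         # current one-time code
        return "assume_role", kwargs

    if serial:
        return "get_session_token", {"SerialNumber": serial, "TokenCode": token}

    return "static", {"aws_access_key_id": ak_id, "aws_secret_access_key": ak_secret}


def resolve_credentials(account, sts):
    """Turn `account` into credential kwargs for boto3, calling STS when needed.

    Returns None for the instance-profile case (let the SDK's default chain read
    the instance role); otherwise a dict with aws_access_key_id,
    aws_secret_access_key and aws_session_token (None for long-term keys).
    """
    method, kwargs = build_credential_request(account)
    if method == "instance_profile":
        return None
    if method == "static":
        return {**kwargs, "aws_session_token": None}
    response = getattr(sts, method)(**kwargs)  # sts.assume_role(...) or sts.get_session_token(...)
    c = response["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


class FakeSTS:
    """Constructed stand-in for boto3's STS client so this example runs offline:
    records each call and answers with a response shaped like the real
    AssumeRole / GetSessionToken output."""

    def __init__(self):
        self.calls = []

    def _temporary_credentials(self):
        return {"Credentials": {
            "AccessKeyId": "ASIAFAKE",  # temporary access key IDs start with ASIA
            "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-session-token",
        }}

    def assume_role(self, **kwargs):
        self.calls.append(("assume_role", kwargs))
        return self._temporary_credentials()

    def get_session_token(self, **kwargs):
        self.calls.append(("get_session_token", kwargs))
        return self._temporary_credentials()


if __name__ == "__main__":
    # Constructed sample for method 2: IAM user keys assuming a role that requires an external ID.
    account = {
        "ak_id": "AKIAEXAMPLEKEYID",
        "ak_secret": "example-secret",
        "assume_role_arn": "arn:aws:iam::123456789012:role/ec2-collector",
        "external_id": "collector-ext-id",
    }
    sts = FakeSTS()
    print(build_credential_request(account))
    print(resolve_credentials(account, sts))
```

With a real client, the STS object is created from the user's long-term keys, `boto3.client("sts", aws_access_key_id=account["ak_id"], aws_secret_access_key=account["ak_secret"])`, and the returned dictionary is passed straight into `boto3.client("ec2", region_name=..., **creds)`; when the function returns None, create the EC2 client with no explicit credentials so the SDK reads the instance role. The validation rules at the top are what a practitioner would want checked before the first scheduled run: a secret without its key ID, a token code without a device, or an external ID without a role are all silent misconfigurations otherwise.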
4. IAM Role Authentication for Amazon EC2¶
```python
# Please fill in the following configuration according to the actual situation
account = {
    "extra_tags": {
        "account_name": "role for ec2",  # Your Account Name
    }
}
# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}
###### Do not modify the following content #####
from integration_core__runner import Runner
import integration_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()
```
Account Field Explanation¶
With IAM role authentication for EC2, no AK information is configured: the collector runs on an EC2 instance and uses the credentials of the IAM role attached to that instance. If you want to add extra tags, you can still configure them in extra_tags.
5. Frequently Asked Questions¶
- How to determine the account's permission policy
The identity the collector uses must have access to the resources it collects. The required permissions are listed in the "IAM Policy Permissions" section of the documentation for each resource collector, and that policy is the least-privilege option. Alternatively, the AWS managed policies "ReadOnlyAccess" (read-only access to all AWS services and resources) or "SecurityAudit" (narrower: read access to security-relevant configuration metadata) meet the requirements of most collectors; if a collector needs more, refer to its own documentation.
X. Appendix¶
AWS Request Temporary Security Credentials
AWS Multi-Factor Authentication