Which role is attached to an instance?
How can I check which IAM roles, and their policy JSON, are attached to a running EC2 instance?
Is it possible via the AWS CLI?
Here is the response of aws ec2 describe-instances
I tried running the command aws iam list-instance-profiles,
and it gave me the following error:
An error occurred (AccessDenied) when calling the ListInstanceProfiles operation: User: is not authorized to perform: iam:ListInstanceProfiles on resource:
Yes. If you look at the response produced by the aws ec2 describe-instances
command, you will notice that the generated JSON data has

IamInstanceProfile -> (structure)
    The IAM instance profile associated with the instance, if applicable.
    Arn -> (string)
        The Amazon Resource Name (ARN) of the instance profile.
    Id -> (string)
        The ID of the instance profile.

Later you can use the iam CLI interface to get the policy/role details:
aws iam get-instance-profile --instance-profile-name <name here>
Run the describe-instances command (OSX/Linux/UNIX) to determine whether the selected instance has any IAM roles/instance profiles assigned:
aws ec2 describe-instances \
    --region us-east-1 \
    --instance-ids i-07a2ad8872fb3226b \
    --query 'Reservations[*].Instances[*].IamInstanceProfile'
You don't need the AWS CLI installed on the machine, as long as the machine has internet access and the metadata endpoint isn't blocked.
You can curl the metadata from the EC2 instance:
curl -s http://169.254.169.254/latest/meta-data/iam/info | grep InstanceProfileArn | awk '{print }'
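The curl one-liner above is a plain IMDSv1 GET. On instances launched with IMDSv2 required (HttpTokens=required), that request is answered with HTTP 401, and the caller must first obtain a session token with a PUT and send it on every subsequent GET. The following is an added example, not code from any of the answers on this page: it performs the IMDSv2 handshake against the same iam/info path, also reads the role name from iam/security-credentials/, and ships with a constructed stand-in server (made-up ARN, role name and token) so it runs offline. On a real instance, point base_url at http://169.254.169.254 instead of the stand-in.

```python
# Added example, not code from the original answers: read the iam/info endpoint
# with the IMDSv2 token handshake that HttpTokens=required instances insist on.
# FakeIMDS below is a constructed stand-in for 169.254.169.254 (made-up values)
# so the code runs offline; on a real instance use base_url='http://169.254.169.254'.
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HDR = 'X-aws-ec2-metadata-token'
TTL_HDR = 'X-aws-ec2-metadata-token-ttl-seconds'


def imds_token(base_url, ttl=60):
    """IMDSv2 step 1: PUT /latest/api/token with a TTL header, get a session token."""
    req = urllib.request.Request(f'{base_url}/latest/api/token', method='PUT',
                                 headers={TTL_HDR: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(base_url, path, token):
    """IMDSv2 step 2: every GET carries the token in X-aws-ec2-metadata-token."""
    req = urllib.request.Request(f'{base_url}/latest/meta-data/{path}',
                                 headers={TOKEN_HDR: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def instance_role(base_url):
    """(instance profile ARN, role name) for the instance behind base_url."""
    token = imds_token(base_url)
    info = json.loads(imds_get(base_url, 'iam/info', token))
    # security-credentials/ lists exactly one name: the role held by the profile.
    role = imds_get(base_url, 'iam/security-credentials/', token).strip()
    return info['InstanceProfileArn'], role


def v1_request_rejected(base_url):
    """True when a token-less GET (what the curl one-liner sends) gets HTTP 401."""
    try:
        urllib.request.urlopen(f'{base_url}/latest/meta-data/iam/info', timeout=2)
        return False
    except urllib.error.HTTPError as err:
        return err.code == 401


# ---- Constructed stand-in for 169.254.169.254 with IMDSv2 required.
FAKE_INFO = {'Code': 'Success', 'InstanceProfileId': 'AIPAEXAMPLEID',
             'InstanceProfileArn': 'arn:aws:iam::123456789012:instance-profile/XYZ'}
FAKE_ROLE = 'ABCD'
FAKE_TOKEN = 'constructed-session-token'


class FakeIMDS(BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the demo quiet
        pass

    def _send(self, code, body=''):
        data = body.encode()
        self.send_response(code)
        self.send_header('Content-Length', str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path == '/latest/api/token' and TTL_HDR in self.headers:
            self._send(200, FAKE_TOKEN)
        else:
            self._send(400)

    def do_GET(self):
        if self.headers.get(TOKEN_HDR) != FAKE_TOKEN:
            self._send(401)                 # missing/invalid token: IMDSv2-only behaviour
        elif self.path == '/latest/meta-data/iam/info':
            self._send(200, json.dumps(FAKE_INFO))
        elif self.path == '/latest/meta-data/iam/security-credentials/':
            self._send(200, FAKE_ROLE)
        else:
            self._send(404)


def run_against_fake():
    """Serve the stand-in on a free loopback port, query it, shut it down."""
    server = HTTPServer(('127.0.0.1', 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f'http://127.0.0.1:{server.server_port}'
    try:
        arn, role = instance_role(base_url)
        return arn, role, v1_request_rejected(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == '__main__':
    print(run_against_fake())
```

Two practical notes: the token PUT and the GETs must come from the same place, since a token is only valid on the instance that requested it, and when the instance's metadata hop limit is 1, processes inside a container with its own network namespace cannot complete the PUT at all, which shows up as a timeout rather than a 401.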
If you use boto3 (Python):

import boto3

client = boto3.client('ec2')
response = client.describe_instances()

# Example 1 - Short version
for r in response['Reservations']:
    for instance in r['Instances']:
        if instance.get('IamInstanceProfile'):
            print(instance['InstanceId'], instance['IamInstanceProfile'])

# Example 2 - Longer version
for r in response['Reservations']:
    for instance in r['Instances']:
        if instance.get('IamInstanceProfile'):
            raw = client.describe_iam_instance_profile_associations(
                Filters=[
                    {
                        'Name': 'instance-id',
                        'Values': [instance['InstanceId']]
                    }
                ]
            )
            current_res = raw.get('IamInstanceProfileAssociations')[0]  # <----- We're passing only one instance id in the filter, so only one result is returned
            print(current_res.get('InstanceId'), current_res.get('IamInstanceProfile'))
Using boto3:

import boto3

session = boto3.Session()
ec2 = session.client('ec2')
iam = session.client('iam')

Use the ec2 client to describe the instance profile associations and get the instance profile name:
ec2.describe_iam_instance_profile_associations(Filters=[{'Name': 'instance-id', 'Values': ['i-02a1cde71XXXXXX']}])
Response:
{'IamInstanceProfileAssociations': [{'AssociationId': 'iip-assoc-0f7dd8ceeXXXXXX', 'InstanceId': 'i-02a1cde71XXXXXX', 'IamInstanceProfile': {'Arn': 'arn:aws:iam::12345679012:instance-profile/XYZ', 'Id': 'XXXXXXXXXXXXX'}, 'State': 'associated'}],....... }
Use the iam client and make the get_instance_profile call to get the RoleName associated with the instance profile:
iam.get_instance_profile(InstanceProfileName='XYZ')
Response:
{'InstanceProfile': {'Path': '/', 'InstanceProfileName': 'XYZ', 'InstanceProfileId': 'XXXXXXXXXXXXX', 'Arn': 'arn:aws:iam::12345679012:instance-profile/XYZ', 'CreateDate': datetime.datetime(2021, 6, 10, 16, 15, 8, tzinfo=tzutc()), 'Roles': [{'Path': '/', 'RoleName': 'ABCD', ............... 'RetryAttempts': 0}}
Optionally, you can use list_attached_role_policies to find out which managed policies are attached to the role:
iam.list_attached_role_policies(RoleName='ABCD')
Response:
{'AttachedPolicies': [{'PolicyName': 'EFG', 'PolicyArn': 'arn:aws:iam::12345679012:policy/EFG'}], 'IsTruncated': ......}}
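The answers above stop at the list of attached managed policies, but the question asked for the policy JSON itself. Getting there takes two more calls per managed policy (get_policy for the default version ID, then get_policy_version for the document) plus list_role_policies/get_role_policy for inline policies, which the attached-policy listing does not cover at all. The block below is an added example that is not code from the question or any of the answers: it chains the calls described in the first, fourth and fifth answers from an instance ID all the way to the effective policy documents, paginates the list_* calls, and finishes with a check for wildcard Allow statements, which is the first thing worth knowing about whatever role the instance turns out to hold. It assumes boto3 clients for `ec2` and `iam`; the FakeEC2/FakeIAM classes are constructed stand-ins with made-up identifiers whose response shapes follow the boto3 output quoted above, so the code runs offline. Swap them for `boto3.client('ec2')` and `boto3.client('iam')` to run it against an account.

```python
# Added example, not code from the original post or its answers: walk from an
# instance ID to the role behind its instance profile and on to the policy JSON
# that role carries. `ec2`/`iam` are boto3 clients (boto3.client('ec2') and
# boto3.client('iam')); FakeEC2/FakeIAM below are constructed stand-ins with
# made-up identifiers so the code also runs offline.
import types


def profile_name_from_arn(arn):
    """'arn:aws:iam::123456789012:instance-profile/path/Name' -> 'Name' (path-aware)."""
    return arn.split(':', 5)[5].rsplit('/', 1)[-1]


def instance_profile_arn(ec2, instance_id):
    """Profile ARN for one instance, or None when IamInstanceProfile is absent."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    for reservation in resp['Reservations']:
        for inst in reservation['Instances']:
            if inst.get('IamInstanceProfile'):
                return inst['IamInstanceProfile']['Arn']
    return None


def role_names_for_profile(iam, profile_name):
    """A profile holds at most one role, but the API still returns a list."""
    resp = iam.get_instance_profile(InstanceProfileName=profile_name)
    return [r['RoleName'] for r in resp['InstanceProfile']['Roles']]


def policy_documents_for_role(iam, role_name):
    """Inline documents plus the default version of each attached managed policy,
    keyed 'inline:<name>' / 'managed:<arn>'. Paginators are used because list_*
    calls truncate at 100 items; boto3 returns the documents already parsed."""
    docs = {}
    for page in iam.get_paginator('list_role_policies').paginate(RoleName=role_name):
        for name in page['PolicyNames']:
            doc = iam.get_role_policy(RoleName=role_name, PolicyName=name)
            docs['inline:' + name] = doc['PolicyDocument']
    for page in iam.get_paginator('list_attached_role_policies').paginate(RoleName=role_name):
        for att in page['AttachedPolicies']:
            arn = att['PolicyArn']
            version = iam.get_policy(PolicyArn=arn)['Policy']['DefaultVersionId']
            pv = iam.get_policy_version(PolicyArn=arn, VersionId=version)
            docs['managed:' + arn] = pv['PolicyVersion']['Document']
    return docs


def effective_policies(ec2, iam, instance_id):
    """Instance ID -> {'profile': name or None, 'roles': {role: {key: document}}}."""
    arn = instance_profile_arn(ec2, instance_id)
    if arn is None:
        return {'profile': None, 'roles': {}}
    name = profile_name_from_arn(arn)
    roles = {r: policy_documents_for_role(iam, r) for r in role_names_for_profile(iam, name)}
    return {'profile': name, 'roles': roles}


def wildcard_statements(document):
    """Allow statements granting '*' or 'service:*' on Resource '*': the first thing
    to check once you know which role an instance holds."""
    stmts = document.get('Statement', [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts     # a lone statement may be bare
    as_list = lambda v: [v] if isinstance(v, str) else v
    return [s for s in stmts
            if s.get('Effect') == 'Allow' and '*' in as_list(s.get('Resource', []))
            and any(a == '*' or a.endswith(':*') for a in as_list(s.get('Action', [])))]


# ---- Constructed stand-ins; response shapes follow the boto3 output quoted above.
class FakeEC2:
    INSTANCES = {
        'i-0aaa111bbb222ccc3': {'InstanceId': 'i-0aaa111bbb222ccc3', 'IamInstanceProfile': {
            'Arn': 'arn:aws:iam::123456789012:instance-profile/XYZ', 'Id': 'AIPAEXAMPLEID'}},
        'i-0ddd444eee555fff6': {'InstanceId': 'i-0ddd444eee555fff6'},   # no profile attached
    }

    def describe_instances(self, InstanceIds):
        return {'Reservations': [{'Instances': [self.INSTANCES[i] for i in InstanceIds]}]}


class FakeIAM:
    PAGES = {'list_role_policies': [{'PolicyNames': ['s3-read']}],
             'list_attached_role_policies': [{'AttachedPolicies': [
                 {'PolicyName': 'EFG', 'PolicyArn': 'arn:aws:iam::123456789012:policy/EFG'}]}]}

    def get_instance_profile(self, InstanceProfileName):
        return {'InstanceProfile': {'InstanceProfileName': InstanceProfileName,
                                    'Roles': [{'RoleName': 'ABCD'}]}}

    def get_paginator(self, op):
        return types.SimpleNamespace(paginate=lambda **kw: iter(self.PAGES[op]))

    def get_role_policy(self, RoleName, PolicyName):
        return {'PolicyDocument': {'Version': '2012-10-17', 'Statement': [
            {'Effect': 'Allow', 'Action': 's3:GetObject', 'Resource': 'arn:aws:s3:::example-bucket/*'}]}}

    def get_policy(self, PolicyArn):
        return {'Policy': {'Arn': PolicyArn, 'DefaultVersionId': 'v2'}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {'PolicyVersion': {'VersionId': VersionId, 'Document': {'Version': '2012-10-17',
                'Statement': {'Effect': 'Allow', 'Action': 'iam:*', 'Resource': '*'}}}}


if __name__ == '__main__':
    result = effective_policies(FakeEC2(), FakeIAM(), 'i-0aaa111bbb222ccc3')
    print(result)
    for role, docs in result['roles'].items():
        for key, doc in docs.items():
            for s in wildcard_statements(doc):
                print(f'WARNING: {role} via {key} allows {s["Action"]} on *')
```

Reading the documents this way needs iam:GetInstanceProfile, iam:ListRolePolicies, iam:GetRolePolicy, iam:ListAttachedRolePolicies, iam:GetPolicy and iam:GetPolicyVersion on top of ec2:DescribeInstances; the AccessDenied in the question came from iam:ListInstanceProfiles, which this path never calls because the profile name is already known from the instance's ARN.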