aph3x

Reputation: 33

Egress Security Policy with Boto

I'm attempting to create an outbound security group policy for sg1 that has another security group sg2 as the destination. According to the authorize_egress() documentation:

IpPermissions->IpRanges->CidrIp — You can either specify a CIDR range or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

SourceSecurityGroupName — Not supported. Use a set of IP permissions to specify a destination security group.

However, the following code fails with an unexpected parameter type error — does anyone know the syntax for this and/or what I'm doing wrong?

# ec2 is a boto3 EC2 service resource, vpc an existing Vpc, sg2 the other group
sg1 = ec2.create_security_group(GroupName=sg1, Description=sg1, VpcId=vpc.id)

sg1_policy_egress = [{
    'IpProtocol': 'tcp',
    'FromPort': 443,
    'ToPort': 443,
    'IpRanges': [{
        'CidrIp': sg2   # a group passed as a CIDR; this is what the API rejects
    }]
}]

sg1.authorize_egress(IpPermissions=sg1_policy_egress)

Upvotes: 2

Views: 322

Answers (1)

dmulter

Reputation: 2758

You can't specify groups in the IpRanges list. You need to use the UserIdGroupPairs list instead. I recommend using the sg2 group ID value for the GroupId field. Other ways to specify the destination group are possible, but are not needed for the case you describe.

Specifically you want:

sg1_policy_egress = [{
    'IpProtocol': 'tcp',
    'FromPort': 443,
    'ToPort': 443,
    'UserIdGroupPairs': [{
        'GroupId': sg2   # the destination group's ID (sg-...), not a CIDR
    }]
}]

Upvotes: 2
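As an added example (not code from the question or the answer), a small helper that puts a destination on the right IpPermissions key, UserIdGroupPairs for a group ID and IpRanges/Ipv6Ranges for a CIDR, and a check that catches the question's mistake before anything is sent to EC2. The group ID format in SG_ID_RE and the sg-0123456789abcdef0 value are assumptions/constructed placeholders; the returned list is what you pass to authorize_egress(IpPermissions=...).

```python
import ipaddress
import re

# Assumption: EC2 security group IDs are "sg-" plus 8 or 17 lowercase hex digits.
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def egress_rule(protocol, from_port, to_port, destination):
    """Build one IpPermissions entry for authorize_egress().

    A security group ID goes under UserIdGroupPairs; a CIDR goes under
    IpRanges (IPv4) or Ipv6Ranges (IPv6). A bare address gets the /32 or
    /128 prefix the API requires, and a CIDR with host bits set is rejected.
    """
    rule = {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port}
    if SG_ID_RE.match(destination):
        rule["UserIdGroupPairs"] = [{"GroupId": destination}]
        return rule
    try:
        net = ipaddress.ip_network(destination)  # strict: host bits must be zero
    except ValueError as exc:
        raise ValueError(f"{destination!r} is neither a CIDR nor a group ID") from exc
    if net.version == 4:
        rule["IpRanges"] = [{"CidrIp": net.with_prefixlen}]
    else:
        rule["Ipv6Ranges"] = [{"CidrIpv6": net.with_prefixlen}]
    return rule


def find_misplaced_group_ids(permissions):
    """Return CidrIp values that are really group IDs (the mistake in the question)."""
    return [
        r["CidrIp"]
        for perm in permissions
        for r in perm.get("IpRanges", [])
        if SG_ID_RE.match(r.get("CidrIp", ""))
    ]


if __name__ == "__main__":
    # Constructed placeholder ID, not a real group. Allowing egress only to sg2 on
    # 443, rather than to 0.0.0.0/0, is the least-privilege result the answer gives.
    SG2_ID = "sg-0123456789abcdef0"
    sg1_policy_egress = [egress_rule("tcp", 443, 443, SG2_ID)]
    print(sg1_policy_egress)
    # sg1.authorize_egress(IpPermissions=sg1_policy_egress)  # with a real boto3 SecurityGroup
```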
