Reputation: 2139
I wrote a Python script which is deployed in an EC2 instance, and let's say this EC2 resides in AWS account A1. Now my script from A1 wants to access 10 other AWS accounts.
And remember I don't have any AWS_ACCESS_KEY or SECRET_KEY of any account, because using AWS_ACCESS_KEY or SECRET_KEY is strictly prohibited here.
I can easily do that if I have an access key, but I can't figure out how I can do that without an access key.
Is there any possible way to do that?
Upvotes: 0
Views: 1328
Reputation: 186
The EC2 should assume an IAM Role.
Then log in to all your 10 other accounts and create roles there. These roles should give cross account access to the EC2 instance role. It is also in these roles that you define what permissions the EC2 instance should have.
Upvotes: 2
Reputation: 54
You can do this by assuming an IAM role. https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
Upvotes: 0
Reputation: 2047
Storing AWS_ACCESS_KEY and AWS_SECRET_KEY in your code or EC2 instances is generally considered a bad practice.
You should handle permissions by attaching an IAM Role to the EC2 instance that is running your business logic (Docs here).
By doing that you will then need an appropriate IAM Role that has enough rights to perform the actions you need in the other accounts (Docs here).
Upvotes: 1
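The pattern the answers above describe (instance role on the EC2 in A1, a role in each target account whose trust policy names that instance role, the script calling sts:AssumeRole), as an added example that is not from the question or any answer. Account IDs, the role names and the session name are constructed placeholders; the `sts_client` parameter exists so the logic can be exercised without AWS access, and when it is omitted boto3 reads the instance role credentials from the instance metadata service, so no access key is stored anywhere.

```python
from typing import Optional

# Constructed example values (not from the original question).
INSTANCE_ROLE_ARN = "arn:aws:iam::111111111111:role/A1-ec2-instance-role"  # role attached to the EC2 in A1
TARGET_ACCOUNTS = ["222222222222", "333333333333"]   # stands in for the "10 other accounts"
CROSS_ACCOUNT_ROLE = "CrossAccountFromA1"            # assumed name of the role created in each target account


def trust_policy(instance_role_arn: str, external_id: Optional[str] = None) -> dict:
    """Trust policy for the role created in each target account.

    Only the A1 instance role is allowed to assume it. The optional ExternalId
    condition further narrows which callers of sts:AssumeRole are accepted.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": instance_role_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_cross_account(account_id: str, role_name: str, sts_client=None,
                         session_name: str = "a1-ec2-script") -> dict:
    """Return temporary credentials for role_name in account_id.

    Without an explicit sts_client, boto3 is used; on EC2 it picks up the
    instance role credentials automatically, so the script holds no static key.
    """
    if sts_client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        sts_client = boto3.client("sts")
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  DurationSeconds=3600)
    creds = resp["Credentials"]
    # Keyword names match what boto3.client()/boto3.Session() accept, so the
    # result (minus "expiration") can be splatted straight into a new client.
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def sessions_for_all_accounts(accounts, role_name: str, sts_client=None) -> dict:
    """Assume the same-named role in every target account; one credential set per account."""
    return {acct: assume_cross_account(acct, role_name, sts_client) for acct in accounts}
```

The temporary credentials expire after DurationSeconds, so a long-running script should re-assume the role rather than cache the first result indefinitely.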