Multiple Authentication Methods for AWS Clients

The script market supports various authentication methods for AWS clients. Users complete authorization by configuring the account parameter, and the following text explains various authentication code examples.

1. IAM User Has Direct Access Permissions to Resources

Code Example

Python
# Please fill in the following configuration according to the actual situation
# For details, please refer to：https://func.guance.com/doc/script-market-guance-aws-ec2/

# AWS AK
account = {
    "ak_id"    : "<AWS AK ID>",
    "ak_secret": "<AWS AK SECRET>",
}

# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}

###### Do not modify the following content #####
from guance_integration__runner import Runner
import guance_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, collector_configs)).run()

Explanation of account Fields

ak_id: Created by the user, access key (long-term credentials)
ak_secret: Created by the user, access secret (long-term credentials)

2. IAM User with Role Assumption (Using STS)

Code Example

Python
# Please fill in the following configuration according to the actual situation
# For details, please refer to：https://func.guance.com/doc/script-market-guance-aws-ec2/

# AWS AK
account = {
    "ak_id"            : "<AWS AK ID>",
    "ak_secret"        : "<AWS AK SECRET>",
    "assume_role_arn"  : "<AWS ASSUME ROLE ARN>",
    "external_id"      : "<AWS EXTERNAL ID>",
    "role_session_name": "<AWS ROLE SESSION NAME>"
}

# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}

###### Do not modify the following content #####
from guance_integration__runner import Runner
import guance_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Explanation of account Fields

ak_id: As above, required.
ak_secret: As above, required.
assume_role_arn: The ARN (Amazon Resource Name) of a role that has permissions to access resources, required.
role_session_name: The name of the role session (AWS explanation: This string value can identify sessions when different principals use the role. For security reasons, administrators can view this field in AWS CloudTrail logs to help identify who has performed actions in AWS. Your administrator might require you to specify an IAM username as the session name when assuming a role. For more information, see sts:RoleSessionName.), optional, default: "guance".
external_id: External ID, optional, if the role being assumed does not require an external ID, it can be omitted.

3. User Enabled Multi-Factor Authentication (MFA)

Code Example

Python
# Please fill in the following configuration according to the actual situation
# For details, please refer to：https://func.guance.com/doc/script-market-guance-aws-ec2/

# AWS AK
account = {
    "ak_id"            : "<AWS AK ID>",
    "ak_secret"        : "<AWS AK SECRET>",
    "assume_role_arn"  : "<AWS ASSUME ROLE ARN>",
    "role_session_name": "<AWS ROLE SESSION NAME>",
    "serial_number"    : "<MFA DEVICE NUMBER>",
    "token_code"       : "<MFA TOTP>",
}

# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}

###### Do not modify the following content #####
from guance_integration__runner import Runner
import guance_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Explanation of account Fields

ak_id: As above, required.
ak_secret: As above, required.
assume_role_arn: As above, optional.
role_session_name: As above, optional.
external_id: External ID, as above, optional.
serial_number: Identifier for the MFA device.
token_code: A one-time code provided by the MFA device.

To access resources protected by policies with MFA conditions, you can either assume a role or not. In the example, assuming a role is shown; if not needed, you can remove the assume_role_arn and role_session_name fields.

4. IAM Role Authentication Applicable to Amazon EC2

Python
# Please fill in the following configuration according to the actual situation
# For details, please refer to：https://func.guance.com/doc/script-market-guance-aws-ec2/

account = {
    "extra_tags": {
        "account_name": "role for ec2", # Your Account Name
    }
}

# collector configuration
collector_configs = {
    'regions': ['cn-northwest-1']
}

###### Do not modify the following content #####
from guance_integration__runner import Runner
import guance_aws_ec2__main as main

@DFF.API('AWS-EC2 Collection', timeout=3600, fixed_crontab='*/15 * * * *')
def run():
    Runner(main.DataCollector(account, configs=collector_configs)).run()

Explanation of account Fields

When using IAM role authentication with EC2, there's no need to configure AK-related information. If you want to add some extra tags, they can still be configured within extra_tags.

5. Common Issues

How to Determine Account Policy Permissions

To enable the collector, the user needs permissions to access resources. Permission policies can be referenced from the corresponding resource collector documentation under the "IAM Policy Permissions" section. You can also use AWS-managed policies like "ReadOnlyAccess" or "SecurityAudit," which provide read-only access to all AWS services and resources, meeting most collectors' permission requirements (if not satisfied, refer to the corresponding collector documentation).

X. Appendix

AWS Access Keys

AWS Request Temporary Security Credentials

AWS Multi-Factor Authentication

Managed Policies vs Inline Policies

ReadOnlyAccess Managed Policy

IAM Roles for Amazon EC2