
Analyze connect cross-account to AWS services (other than S3)

Comments

3 comments

  • Oliver Steadman

    As I recall it was simply the adding of these fields (see screenshot); however the means by which we currently read other services (see https://support.infogix.com/hc/en-us/community/posts/360050775114) is boto3 rather than for instance a dedicated "GlueGET" node.

  • Oliver Steadman

    Think I've solved this by following advice at https://www.slsmk.com/use-boto3-to-assume-a-role-in-another-aws-account/

    import boto3
    
    # Create session using your current creds
    boto_sts = boto3.client('sts')
    
    # Request to assume the role like this, the ARN is the Role's ARN from 
    # the other account you wish to assume. Not your current ARN.
    stsresponse = boto_sts.assume_role(
        RoleArn="OtherAccountARNGoesHere",
        RoleSessionName='newsession'
    )
    
    # Save the details from assumed role into vars
    newsession_id = stsresponse["Credentials"]["AccessKeyId"]
    newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
    newsession_token = stsresponse["Credentials"]["SessionToken"]
    
    # Use the assumed session vars to create a new boto3 client with the assumed role creds
    # Here I create an s3 client using the assumed creds.
    s3_assumed_client = boto3.client(
        's3',
        region_name='us-east-1',
        aws_access_key_id=newsession_id,
        aws_secret_access_key=newsession_key,
        aws_session_token=newsession_token
    )
    
    # Here I create an s3 resource with the assumed creds
    s3_assumed_resource = boto3.resource(
        's3',
        region_name='us-east-1',
        aws_access_key_id=newsession_id,
        aws_secret_access_key=newsession_key,
        aws_session_token=newsession_token
    )
    
    # Now we can use s3_assumed session for calls using the assumed role.
    # As in this example where I list buckets using the assumed creds
    response = s3_assumed_client.list_buckets()
    
    # Or like this use of the resource to create a bucket object.
    mybucket = s3_assumed_resource.Bucket('OtherAccountBucket')
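Added example, not part of the original posts or the linked article: a small wrapper around the same `assume_role` call that rejects anything that is not a role ARN, passes an optional `ExternalId`, keeps the session short, and re-assumes the role before the temporary credentials expire, so the resulting keyword arguments can be handed to a client for any service rather than only S3. The class name `AssumedRole`, the role ARN, session name, external ID and database name are assumptions made for illustration; the session name is recorded in the other account's CloudTrail, so choose one that identifies the caller.

```python
import re
from datetime import datetime, timedelta, timezone

# Shape of an IAM role ARN; rejects placeholders and user/STS ARNs passed by mistake.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


class AssumedRole:
    """Temporary credentials for one cross-account role, renewed before they expire."""

    def __init__(self, sts_client, role_arn, session_name, external_id=None,
                 duration_seconds=900, refresh_margin=timedelta(minutes=5)):
        if not ROLE_ARN_RE.match(role_arn):
            raise ValueError(f"not an IAM role ARN: {role_arn!r}")
        self._sts = sts_client
        self._margin = refresh_margin
        self._creds = None
        # 900 s is the shortest lifetime STS accepts; keep it short by default.
        self._params = {"RoleArn": role_arn, "RoleSessionName": session_name,
                        "DurationSeconds": duration_seconds}
        if external_id is not None:
            # Only useful if the role's trust policy requires sts:ExternalId.
            self._params["ExternalId"] = external_id

    def client_kwargs(self, now=None):
        """Return keyword arguments for boto3.client()/resource(), re-assuming if stale."""
        now = now or datetime.now(timezone.utc)
        if self._creds is None or self._creds["Expiration"] - now <= self._margin:
            self._creds = self._sts.assume_role(**self._params)["Credentials"]
        return {"aws_access_key_id": self._creds["AccessKeyId"],
                "aws_secret_access_key": self._creds["SecretAccessKey"],
                "aws_session_token": self._creds["SessionToken"]}

    def client(self, service, region_name):
        """Build a client for any service (e.g. 'glue') in the other account."""
        import boto3  # imported here so the class can be exercised with a stub STS client
        return boto3.client(service, region_name=region_name, **self.client_kwargs())


# Usage (needs real credentials; ARN and names below are constructed placeholders):
#   role = AssumedRole(boto3.client("sts"), "arn:aws:iam::111122223333:role/glue-reader",
#                      "analyze-glue", external_id="constructed-external-id")
#   tables = role.client("glue", "us-east-1").get_tables(DatabaseName="example_db")
```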
  • Adrian Williams

    We are glad you managed to find a solution.

    The S3 nodes are Java-based rather than using the Python boto3 module. The changes made to the nodes were to allow them to leverage the capabilities of the AWS SDK described here:

    https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html

