Amazon Programming

Python

Start guide: http://aws.amazon.com/sdk-for-python/

Don't look for solutions on Google, because you will mostly find things for the old boto version. Go straight to the latest boto3 reference documentation, which is very similar to the command line: https://boto3.readthedocs.io/en/latest/reference/services/

A good Eclipse already configured with the Python module (PyDev): http://www.easyeclipse.org/site/plugins/pydev.html#getting-started

I have used Ubuntu 12.04. To work with the latest version of boto in Eclipse you need to:

  • download the latest boto tar.gz from https://pypi.python.org/pypi/boto/#downloads and decompress it
  • when configuring PyDev in Eclipse ("Window > Preferences > PyDev > Interpreter - Python") deselect /usr/lib/python2.7/dist-packages/ and add the directory you just decompressed.

Here is a piece of code to check whether you are using the correct configuration: it prints the version of the boto package that Eclipse actually picked up.

import boto.ec2
print(boto.Version)

Code

General code to initialize the environment:

import subprocess
import boto.ec2

# Do not keep long-lived keys in source files: boto also reads them from the
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables or from ~/.boto,
# in which case connect_to_region() can be called without the two key arguments.
myaccesskey = '******'
mysecretkey = '******'
oregon = "us-west-2"
ireland = "eu-west-1"

conn = boto.ec2.connect_to_region(oregon, aws_access_key_id=myaccesskey, aws_secret_access_key=mysecretkey)
reservations = conn.get_all_reservations()

Working with tags

Function to do something on the machines that are not part of an Elastic Beanstalk environment (Beanstalk tags its instances with elasticbeanstalk:environment-name, so any instance without that tag is not managed by Beanstalk):

def listnotbeanstalkmachine(reservations):
    for res in reservations:
        for inst in res.instances:
            if "elasticbeanstalk:environment-name" not in inst.tags:
                # .get() so an instance without a "Name" tag does not raise KeyError
                print(inst.tags.get("Name", inst.id))

Compare the value of a tag; the first check avoids a KeyError when the "os" tag is not present:

if ("os" in inst.tags) and (inst.tags["os"] == "windows"):
    pass  # Windows-specific handling goes here

Log in to the machine

  • check that the instance is running and that it has a key pair set (without inst.key_name there is no .pem to log in with)
  • StrictHostKeyChecking is the ssh option that controls the host-key confirmation prompt; "no" suppresses the prompt, but also the warning on a changed host key, so use it only if you accept that risk
  • select the correct Linux user from the tags: "ec2-user" on Amazon Linux, "ubuntu" on Ubuntu (linuxuser below)
noyesorno = "StrictHostKeyChecking no"   # no prompt for unknown hosts, but also no warning
                                         # on a changed key: a spoofed host would be accepted silently

if inst.state == "running":
    if inst.key_name is not None:
        # -t -t forces a pseudo-terminal even without a local tty; linuxuser comes from the tags
        subprocess.call(["ssh", "-t", "-t", "-p", "22", "-o", noyesorno,
                         "-i", "/home/myhome/amazon/pem/" + inst.key_name + ".pem",
                         linuxuser + "@" + inst.ip_address, command])
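
The same three checks (running, key pair present, OS tag to login user) in one function, as an added example that is not part of the original notes. It returns the ssh argv instead of running it, so it can be exercised without an account; FakeInstance is a constructed stand-in for boto's Instance object, the tag-to-user mapping and the pem directory are assumptions, and host-key verification is kept on with accept-new instead of switched off.

```python
# Added example (not from the original notes): build the ssh command for an
# instance after the same checks as above, keeping host-key verification on.
import subprocess

# "os" tag value -> login user. This mapping is an assumption for the example;
# adapt it to the tag values used in your account.
LOGIN_USER_BY_OS = {"amazon": "ec2-user", "ubuntu": "ubuntu"}


class FakeInstance:
    """Constructed stand-in exposing the boto.ec2 Instance attributes used here."""

    def __init__(self, state, key_name, ip_address, tags):
        self.state = state
        self.key_name = key_name
        self.ip_address = ip_address
        self.tags = tags


def login_user(inst):
    """Linux login user for the instance, or None (e.g. Windows or unknown tag)."""
    return LOGIN_USER_BY_OS.get(inst.tags.get("os", "").lower())


def ssh_argv(inst, command, pem_dir="/home/myhome/amazon/pem", known_hosts=None):
    """Return (argv, None) for a usable instance, or (None, reason) otherwise."""
    if inst.state != "running":
        return None, "instance is %s" % inst.state
    if not inst.key_name:
        return None, "no key pair attached, cannot log in with a .pem"
    if not inst.ip_address:
        return None, "no public IP address"
    user = login_user(inst)
    if user is None:
        return None, "no SSH login user for os tag %r" % inst.tags.get("os")
    argv = [
        "ssh", "-tt", "-p", "22",
        # accept-new (OpenSSH 7.6+) stores a first-seen key but still refuses a
        # changed one; "no" would accept a changed key silently (possible MITM).
        "-o", "StrictHostKeyChecking=accept-new",
        "-i", "%s/%s.pem" % (pem_dir, inst.key_name),
    ]
    if known_hosts:
        # keep EC2 host keys in their own file instead of ~/.ssh/known_hosts
        argv += ["-o", "UserKnownHostsFile=%s" % known_hosts]
    argv += ["%s@%s" % (user, inst.ip_address), command]
    return argv, None


def run_on(inst, command):
    """Run `command` on the instance; raise instead of silently skipping it."""
    argv, reason = ssh_argv(inst, command)
    if argv is None:
        raise RuntimeError("%s: %s" % (inst.tags.get("Name", "?"), reason))
    # argv is a list, so nothing is parsed by a local shell
    return subprocess.call(argv)


if __name__ == "__main__":
    # constructed instances: a reachable Amazon Linux box and a stopped one
    web = FakeInstance("running", "mykey", "203.0.113.10", {"os": "amazon", "Name": "web"})
    print(ssh_argv(web, "uptime"))
    print(ssh_argv(FakeInstance("stopped", "mykey", None, {"os": "ubuntu"}), "uptime"))
```

Pass a real boto Instance in place of FakeInstance and call run_on(inst, command) where the original used subprocess.call directly.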

SSL verification problem

In boto3 use_ssl=False does not skip certificate checks: it makes the client talk plain HTTP to the endpoint (the requests are still SigV4-signed, but their content travels in clear and can be tampered with on the wire). To keep TLS and only skip the certificate verification the parameter is verify=False. Both are acceptable only for a quick test; the proper fix when a proxy intercepts TLS is to give boto3 the proxy's CA bundle with verify='/path/to/ca-bundle.pem' (or the AWS_CA_BUNDLE environment variable).

import boto3
client = boto3.client('ec2', "eu-west-1", use_ssl=False)   # plain HTTP: quick test only

Find how many images you have with DeleteOnTermination

# Read all your own AMIs and print how many have the root volume set to
# DeleteOnTermination and how many do not. Sample output from one account:
# DeleteOnTermination: 56
# Not DeleteOnTermination: 35
import boto3

client = boto3.client('ec2', 'eu-west-1', use_ssl=False)   # plain HTTP, see "SSL verification problem"
imgs = client.describe_images(Owners=['self'])['Images']

deleted = 0
notdeleted = 0
for im in imgs:
    # Look at the root device, not at mapping [0]: the first mapping can be an
    # instance-store (ephemeral) device with no 'Ebs' key, which raised KeyError.
    for bdm in im.get('BlockDeviceMappings', []):
        if bdm['DeviceName'] == im.get('RootDeviceName') and 'Ebs' in bdm:
            if bdm['Ebs'].get('DeleteOnTermination'):
                deleted += 1
            else:
                notdeleted += 1
            break

print('DeleteOnTermination: ' + str(deleted))
print('Not DeleteOnTermination: ' + str(notdeleted))
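
A more complete version of the same count, as an added example that is not the original notes' code: it classifies every AMI by the DeleteOnTermination flag of the root volume straight from the dicts describe_images() returns, keeps "flag missing" and "no EBS root" as separate cases instead of guessing, and also lists non-root EBS volumes that would survive termination. IMAGES is constructed sample data in the describe_images() shape; with boto3 you would pass client.describe_images(Owners=['self'])['Images'] instead.

```python
# Added example (not from the original notes): classify AMIs by the
# DeleteOnTermination flag of the ROOT volume and spot data volumes left behind.
# IMAGES is constructed sample data shaped like describe_images()['Images'].
IMAGES = [
    {"ImageId": "ami-0000000000000001", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/xvda", "Ebs": {"DeleteOnTermination": True, "VolumeSize": 8}}]},
    {"ImageId": "ami-0000000000000002", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [
         # instance-store device listed first: no "Ebs" key, so [0]['Ebs'] would raise KeyError
         {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},
         {"DeviceName": "/dev/sda1", "Ebs": {"DeleteOnTermination": False, "VolumeSize": 30}},
         {"DeviceName": "/dev/sdf", "Ebs": {"DeleteOnTermination": False, "VolumeSize": 100}}]},
    {"ImageId": "ami-0000000000000003", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [
         {"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": 8}}]},   # flag not reported
    {"ImageId": "ami-0000000000000004", "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": []},                                    # instance-store image
]


def ebs_mappings(image):
    """(device name, Ebs dict) for every EBS-backed mapping; ephemeral ones are skipped."""
    return [(m["DeviceName"], m["Ebs"]) for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]


def root_ebs(image):
    """The Ebs dict of the root device, or None for an instance-store image."""
    for device, ebs in ebs_mappings(image):
        if device == image.get("RootDeviceName"):
            return ebs
    return None


def classify_images(images):
    """Group image ids by what happens to the root volume when an instance is terminated."""
    groups = {"delete_on_termination": [], "kept_on_termination": [],
              "flag_missing": [], "no_ebs_root": []}
    for im in images:
        ebs = root_ebs(im)
        if ebs is None:
            key = "no_ebs_root"
        elif "DeleteOnTermination" not in ebs:
            key = "flag_missing"          # do not guess a default: report it
        elif ebs["DeleteOnTermination"]:
            key = "delete_on_termination"
        else:
            key = "kept_on_termination"
        groups[key].append(im["ImageId"])
    return groups


def surviving_data_volumes(image):
    """Non-root EBS devices that stay behind (and keep billing) after termination."""
    root = image.get("RootDeviceName")
    return [device for device, ebs in ebs_mappings(image)
            if device != root and ebs.get("DeleteOnTermination") is False]


if __name__ == "__main__":
    for name, ids in classify_images(IMAGES).items():
        print("%s: %d" % (name, len(ids)))
    for im in IMAGES:
        leftovers = surviving_data_volumes(im)
        if leftovers:
            print("%s keeps data volumes %s" % (im["ImageId"], ", ".join(leftovers)))
```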


Tag an instance

import boto3

# verify=False keeps TLS but skips certificate checking (see "SSL verification problem");
# prefer verify='/path/to/ca-bundle.pem'
ec2 = boto3.resource('ec2', verify=False, region_name='eu-west-1')
instance = ec2.Instance('i-000000111112222')
tags = instance.create_tags(Tags=[
    {'Key': 'START', 'Value': '08:05'},
    {'Key': 'START_DAYS', 'Value': 'Mo,Tu,We,Th,Fr'},
    {'Key': 'STOP', 'Value': '20:55'},
    {'Key': 'STOP_DAYS', 'Value': 'Mo,Tu,We,Th,Fr'},
    {'Key': 'Creator', 'Value': 'Giuseppe Borgese'},
])
print(tags)

Assume role

The test

I did a working test on a single account. I need two accounts to be sure this will work as well.

Starting role: arn:aws:iam::1234567890:role/assume-role

Trust relationship: the default Lambda one (principal lambda.amazonaws.com)

Permissions (Resource "*" lets this role assume any role whose trust policy names it; outside a test, narrow it to the final role's ARN):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Final role: arn:aws:iam::1234567890:role/s3-read-only-role

Permissions: read-only access to S3, for my test (the S3 policy itself is not reproduced here).

Trust policy (three principals: the Lambda service, my IAM user, and the starting role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:user/giuseppeborgese"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:role/assume-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The user principal was for testing from my laptop; the other principal is the starting role, i.e. the role the Lambda function runs under.
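
Both halves of the chain have to agree: the starting role's permissions policy must allow sts:AssumeRole on the final role, and the final role's trust policy must name the starting role. The following is an added example, not part of the original notes, that checks this statically from the two policy documents above (the ARNs are the placeholder ones from the notes; the narrowed permissions policy is added here as the tightened alternative to Resource "*"). It ignores Deny statements and Condition blocks, so it is a pre-deployment sanity check, not a replacement for the IAM policy simulator.

```python
# Added example (not from the original notes): static check that the permissions
# side and the trust side of a role-assumption chain agree.
import json
import re

START_ROLE = "arn:aws:iam::1234567890:role/assume-role"          # placeholder ARN from the notes
FINAL_ROLE = "arn:aws:iam::1234567890:role/s3-read-only-role"    # placeholder ARN from the notes

# Permissions policy on the starting role, as in the notes (Resource "*")
START_PERMISSIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["*"]}]
}""")

# Same policy narrowed to the one role it actually needs to assume (added here)
START_PERMISSIONS_NARROW = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Resource": "arn:aws:iam::1234567890:role/s3-read-only-role"}]
}""")

# Trust policy on the final role, as in the notes
FINAL_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::1234567890:user/giuseppeborgese"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::1234567890:role/assume-role"}, "Action": "sts:AssumeRole"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Principal values."""
    return value if isinstance(value, list) else [value]


def _arn_match(pattern, arn):
    """IAM resource matching: '*' is any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def _allows_assume(statement):
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    return statement.get("Effect") == "Allow" and bool({"sts:assumerole", "sts:*", "*"} & actions)


def assume_targets(permissions_policy):
    """Resource patterns on which the policy grants sts:AssumeRole."""
    targets = []
    for st in _as_list(permissions_policy["Statement"]):
        if _allows_assume(st):
            targets.extend(_as_list(st.get("Resource", [])))
    return targets


def trusted_principals(trust_policy):
    """(AWS principals, service principals) allowed to call sts:AssumeRole on the role."""
    aws, services = [], []
    for st in _as_list(trust_policy["Statement"]):
        if not _allows_assume(st):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            aws.append("*")
            continue
        aws.extend(_as_list(principal.get("AWS", [])))
        services.extend(_as_list(principal.get("Service", [])))
    return aws, services


def _principal_covers(principal, caller_arn):
    if principal in ("*", caller_arn):
        return True
    account = caller_arn.split(":")[4]
    # the account root (or the bare account id) delegates the decision to the
    # caller's own permissions policy, so any principal of that account qualifies
    return principal in (account, "arn:aws:iam::%s:root" % account)


def can_chain(start_role_arn, start_permissions, final_role_arn, final_trust):
    """True only when both the permissions side and the trust side allow the hop."""
    permitted = any(_arn_match(p, final_role_arn) for p in assume_targets(start_permissions))
    trusted = any(_principal_covers(p, start_role_arn) for p in trusted_principals(final_trust)[0])
    return permitted and trusted


def wildcard_findings(start_permissions, final_trust):
    """Over-broad settings worth tightening before this goes beyond a test."""
    findings = []
    if "*" in assume_targets(start_permissions):
        findings.append('permissions: sts:AssumeRole on Resource "*" (any role that trusts it)')
    if "*" in trusted_principals(final_trust)[0]:
        findings.append('trust: Principal "*" (any AWS account may assume the role)')
    return findings
```

can_chain(START_ROLE, START_PERMISSIONS, FINAL_ROLE, FINAL_TRUST) is True for the setup in the notes, and stays True with START_PERMISSIONS_NARROW, which is the version to keep; wildcard_findings() reports the Resource "*" of the original policy.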

The Lambda function call, running under the starting role:

import boto3
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

FINAL_ROLE_ARN = "arn:aws:iam::1234567890:role/s3-read-only-role"


def lambda_handler(event, context):
    # The function runs under the starting role; its credentials sign the STS call
    sts_client = boto3.client('sts')
    assumed_role = sts_client.assume_role(
        RoleArn=FINAL_ROLE_ARN,
        RoleSessionName="s3readonly"   # appears in CloudTrail as the session identity
    )
    credentials = assumed_role['Credentials']   # temporary keys, expire with the session

    s3_resource = boto3.resource('s3',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken'],
    )

    # Collect all names: returning inside the loop gave back only the first bucket
    names = [bucket.name for bucket in s3_resource.buckets.all()]
    logger.info("buckets visible through the assumed role: %s", names)
    return names

WARNING: when you modify the trust relationship, allow a little time for propagation; an AssumeRole call made right after the change can still be denied.

Unless otherwise stated, the content of this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 License