The previous article already covered how to set up cross-account authorization, but the AK/SK we hold belongs to the current user. To access the other account's resources from a program, you must request a temporary AK/SK through STS.
The temporary AK/SK is valid for 12 hours (that is the maximum; it is adjustable), so if you want to keep using it you must keep your own long-lived AK/SK and periodically refresh the short-lived one.
As mentioned before about the production account, the development account and the production account stay separate here as well.
```python
import boto3

# Call STS with the development account's own (long-lived) keys
client = boto3.client(
    'sts',
    region_name='us-east-1',
    aws_access_key_id='[DEV_ACCOUNT_AK]',
    aws_secret_access_key='[DEV_ACCOUNT_SK]',
)

# Assume the cross-account role in the production account;
# DurationSeconds=43200 asks for the 12-hour maximum
response = client.assume_role(
    RoleArn='arn:aws:iam::[PRODUCTION_ACCOUNT_ID]:role/[PRODUCTION_CROSS_ACCOUNT_ROLE_NAME]',
    RoleSessionName='[SESSION_NAME]',
    DurationSeconds=43200,
)['Credentials']

# Build an S3 client from the temporary credentials; the session token is required
s3client = boto3.client(
    's3',
    region_name='us-east-1',
    aws_access_key_id=response['AccessKeyId'],
    aws_secret_access_key=response['SecretAccessKey'],
    aws_session_token=response['SessionToken'],
)
buckets = s3client.list_buckets()
print(buckets['Buckets'])
```
After that you can use the client as usual. The call above returned the following for me, listing my bucket:
```
[{'Name': '2e728ce88125', 'CreationDate': datetime.datetime(2020, 1, 8, 5, 45, 41, tzinfo=tzutc())}]
```
Of course, you can also refresh the credentials file on a schedule with cron.
```python
# Render a credentials file from the temporary keys returned by assume_role above
credentials = '''
[default]
aws_access_key_id=%s
aws_secret_access_key=%s
aws_session_token=%s
''' % (
    response['AccessKeyId'],
    response['SecretAccessKey'],
    response['SessionToken'],
)
with open("/root/.aws/credentials", "w") as fo:
    fo.write(credentials)
```
This way an AWS Education Starter Account gets a token that looks long-lived (it is actually refreshed automatically every 12 hours).
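The cron refresh above works, but the file is written with the process umask and the job cannot tell whether the current token is still good. The following is an added example (not code from the original post) of the refresh step done more carefully: it refreshes only when the `Expiration` returned by AssumeRole is within a margin, writes the profile atomically with mode 0600, and takes the AssumeRole call as a callable so the page's boto3 code can be plugged in. The function names, the 15-minute margin and the `fetch_credentials` callable are this example's own assumptions.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone

# Hypothetical helper names; only the credentials-file format comes from the post.

def needs_refresh(expiration, now=None, margin=timedelta(minutes=15)):
    """True when the temporary credentials expire within `margin` (or already have)."""
    now = now or datetime.now(timezone.utc)
    return expiration - now <= margin

def render_profile(creds, profile="default"):
    """Render one ~/.aws/credentials section from an AssumeRole 'Credentials' dict."""
    return (
        f"[{profile}]\n"
        f"aws_access_key_id={creds['AccessKeyId']}\n"
        f"aws_secret_access_key={creds['SecretAccessKey']}\n"
        f"aws_session_token={creds['SessionToken']}\n"
    )

def write_credentials(path, content):
    """Write atomically with mode 0600 so other local users cannot read the secret."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".credentials.")
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)   # 0600 before any secret is written
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp, path)                         # atomic swap, no half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)

def refresh_if_needed(path, current_expiration, fetch_credentials, profile="default"):
    """Cron entry point. fetch_credentials() performs the AssumeRole call and
    returns its 'Credentials' dict (AccessKeyId, SecretAccessKey, SessionToken,
    Expiration). Returns True when the file was rewritten."""
    if current_expiration is not None and not needs_refresh(current_expiration):
        return False
    creds = fetch_credentials()
    write_credentials(path, render_profile(creds, profile))
    return True
```

Pass `lambda: client.assume_role(...)['Credentials']` from the post's code as `fetch_credentials`, and keep the returned `Expiration` (a timezone-aware datetime) for the next run's `current_expiration`.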