How to get a presigned URL for an API Gateway in Cloudformation using Boto3?

Problem description

I want to make a call to an API Gateway maintained in Cloudformation. I have the Cloudformation stack name (CF_STACK_NAME), the API Gateway resource name (API_GATEWAY_NAME), and Cloudformation name of the IAM Role I need to assume (API_ROLE_NAME).

I can get to my Cloudformation stack via,

import boto3

# Look up the physical IDs behind the stack's logical resource names.
cf_client = boto3.client('cloudformation')
api_role_resource = cf_client.describe_stack_resource(
    StackName=CF_STACK_NAME,
    LogicalResourceId=API_ROLE_NAME
)
api_resource = cf_client.describe_stack_resource(
    StackName=CF_STACK_NAME,
    LogicalResourceId=API_GATEWAY_NAME
)

From reading Switching to an IAM Role, I see how to get my keys for the role,

sts_client = boto3.client('sts')
# describe_stack_resource nests its result under 'StackResourceDetail'.
credentials = sts_client.assume_role(
    RoleArn='arn:aws:iam::{account_id}:role/{role_name}'.format(
        account_id=sts_client.get_caller_identity().get('Account'),
        role_name=api_role_resource['StackResourceDetail']['PhysicalResourceId']
    ),
    RoleSessionName="AssumeRoleSession1"
)['Credentials']

But when I want to call the API url,

import requests

# This client is built from the default credentials, not the assumed role's.
apigateway_client = boto3.client('apigateway')
restapi_id = apigateway_client.get_rest_api(restApiId=api_logical_id)['id']
url = f'https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage}/{api_query}'

api_output = requests.get(url).json()

I get

An error occurred (AccessDeniedException) when calling the GetRestApi operation: User: arn:aws:iam::0123456789:user/my-user is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis/ServerlessRestApi

How do I make my API call using this CloudFormation info?

Recommended answer

My guess is that you are not using the new credentials from STS.

You will need to create the apigateway client using the new credentials using code like this:

# `credentials` is already the 'Credentials' dict taken from the
# assume_role response in the question, so index it directly.
client = boto3.client(
    'apigateway',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'])
