Python boto3.client() Examples
The following are 30
code examples of boto3.client().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
boto3
, or try the search function
.
.
Example #1
| Source File: lambda_handler.py From aws-auto-remediate with GNU General Public License v3.0 | 8 votes |
|
def get_settings(self):
"""Return the DynamoDB aws-auto-remediate-settings table in a Python dict format
Returns:
dict -- aws-auto-remediate-settings table
"""
settings = {}
try:
for record in boto3.client("dynamodb").scan(
TableName=os.environ["SETTINGSTABLE"]
)["Items"]:
record_json = dynamodb_json.loads(record, True)
settings[record_json["key"]] = record_json["value"]
except:
self.logging.error(
f"Could not read DynamoDB table '{os.environ['SETTINGSTABLE']}'."
)
self.logging.error(sys.exc_info()[1])
return settings
Example #2
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 7 votes |
|
def __init__(self, arguments: argparse.Namespace, help_text: str):
self.profile_name = arguments.profile_name
self.access_key = arguments.access_key
self.secret_access_key = arguments.secret_access_key
self.session_token = arguments.session_token
self.region = arguments.region
self.command = arguments.command
self.api_id = arguments.api_id
self.url = arguments.url
self.api_list = []
self.client = None
self.help = help_text
if self.access_key and self.secret_access_key:
if not self.region:
self.error('Please provide a region with AWS credentials')
if not self.load_creds():
self.error('Unable to load AWS credentials')
if not self.command:
self.error('Please provide a valid command')
Example #3
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 7 votes |
|
def update_api(self, api_id, url):
if not any([api_id, url]):
self.error('Please provide a valid API ID and URL end-point')
if url[-1] == '/':
url = url[:-1]
resource_id = self.get_resource(api_id)
if resource_id:
print(f'Found resource {resource_id} for {api_id}!')
response = self.client.update_integration(
restApiId=api_id,
resourceId=resource_id,
httpMethod='ANY',
patchOperations=[
{
'op': 'replace',
'path': '/uri',
'value': '{}/{}'.format(url, r'{proxy}'),
},
]
)
return response['uri'].replace('/{proxy}', '') == url
else:
self.error(f'Unable to update, no valid resource for {api_id}')
Example #4
| Source File: ssh.py From aegea with Apache License 2.0 | 6 votes |
|
def get_kms_auth_token(session, bless_config, lambda_regional_config):
logger.info("Requesting new KMS auth token in %s", lambda_regional_config["aws_region"])
token_not_before = datetime.datetime.utcnow() - datetime.timedelta(minutes=1)
token_not_after = token_not_before + datetime.timedelta(hours=1)
token = dict(not_before=token_not_before.strftime("%Y%m%dT%H%M%SZ"),
not_after=token_not_after.strftime("%Y%m%dT%H%M%SZ"))
encryption_context = {
"from": session.resource("iam").CurrentUser().user_name,
"to": bless_config["lambda_config"]["function_name"],
"user_type": "user"
}
kms = session.client('kms', region_name=lambda_regional_config["aws_region"])
res = kms.encrypt(KeyId=lambda_regional_config["kms_auth_key_id"],
Plaintext=json.dumps(token),
EncryptionContext=encryption_context)
return base64.b64encode(res["CiphertextBlob"]).decode()
Example #5
| Source File: pricing.py From aegea with Apache License 2.0 | 6 votes |
|
def describe_services():
client = boto3.client("pricing", region_name="us-east-1")
return paginate(client.get_paginator("describe_services"))
Example #6
| Source File: PortChange_Generatr.py From ChaoSlingr with Apache License 2.0 | 6 votes |
|
def lambda_handler(event, context):
print(event)
slingSG_List = []
optintag = ""
if "TagName" in event:
optintag = event['TagName']
slingSG_List = getSGList(optintag)
if len(slingSG_List) >= 1:
sgidnum = changeR(slingSG_List)
PortChange = addport(sgidnum)
Package = json.dumps(PortChange)
print(sgidnum + ' selected for slinging.')
print(Package)
response = client.invoke(
FunctionName='PortChange_Slingr',
InvocationType='Event',
Payload=Package
)
else:
print('No security groups with opt-in tags found. Doing nothing.')
else:
print("No opt-in tag specified. Doing nothing.")
#getSecGroupIPPermissions(sgidnum)
Example #7
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 6 votes |
|
def _try_instance_profile(self) -> bool:
"""Try instance profile credentials
:return:
"""
try:
if not self.region:
self.client = boto3.client('apigateway')
else:
self.client = boto3.client(
'apigateway',
region_name=self.region
)
self.client.get_account()
self.region = self.client._client_config.region_name
return True
except:
return False
Example #8
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 6 votes |
|
def create_api(self, url):
if not url:
self.error('Please provide a valid URL end-point')
print(f'Creating => {url}...')
template = self.get_template()
response = self.client.import_rest_api(
parameters={
'endpointConfigurationTypes': 'REGIONAL'
},
body=template
)
resource_id, proxy_url = self.create_deployment(response['id'])
self.store_api(
response['id'],
response['name'],
response['createdDate'],
response['version'],
url,
resource_id,
proxy_url
)
Example #9
| Source File: lambda_handler.py From aws-auto-remediate with GNU General Public License v3.0 | 6 votes |
|
def send_to_missing_remediation_topic(self, config_rule_name, config_payload):
"""Publishes a message onto the missing remediation SNS Topic. The topic should be subscribed to
by administrators to be aware when their security remediations are not fully covered.
Arguments:
config_rule_name {string} -- AWS Config Rule name
config_payload {dictionary} -- AWS Config Rule payload
"""
client = boto3.client("sns")
topic_arn = os.environ["MISSINGREMEDIATIONTOPIC"]
try:
client.publish(
TopicArn=topic_arn,
Message=json.dumps(config_payload),
Subject=f"No remediation available for Config Rule '{config_rule_name}'",
)
except:
self.logging.error(f"Could not publish to SNS Topic 'topic_arn'.")
Example #10
| Source File: log-parser.py From aws-waf-security-automations with Apache License 2.0 | 6 votes |
|
def write_output(bucket_name, key_name, output_key_name, outstanding_requesters):
logging.getLogger().debug('[write_output] Start')
try:
current_data = '/tmp/' + key_name.split('/')[-1] + '_LOCAL.json'
with open(current_data, 'w') as outfile:
json.dump(outstanding_requesters, outfile)
s3 = boto3.client('s3')
s3.upload_file(current_data, bucket_name, output_key_name, ExtraArgs={'ContentType': "application/json"})
remove(current_data)
except Exception as e:
logging.getLogger().error("[write_output] \tError to write output file")
logging.getLogger().error(e)
logging.getLogger().debug('[write_output] End')
Example #11
| Source File: environment.py From sqs-s3-logger with Apache License 2.0 | 6 votes |
|
def _schedule_function(self, function_arn, schedule):
LOGGER.info('Scheduling function {} to {}'.format(self._function_name, schedule))
events_client = boto.client('events')
trigger_name = '{}-trigger'.format(self._function_name)
rule_response = events_client.put_rule(
Name=trigger_name,
ScheduleExpression=schedule,
State='ENABLED',
)
self._lambda_client.add_permission(
FunctionName=self._function_name,
StatementId="{0}-Event".format(trigger_name),
Action='lambda:InvokeFunction',
Principal='events.amazonaws.com',
SourceArn=rule_response['RuleArn'],
)
events_client.put_targets(
Rule=trigger_name,
Targets=[{'Id': "1", 'Arn': function_arn}]
)
Example #12
| Source File: ami.py From cloudformation-ami with MIT License | 6 votes |
|
def create_ami(instance_id, image_params):
client = boto3.client('ec2')
# stop the instance so we don't get charged for the template instance running time after the AMI is created
client.stop_instances(InstanceIds=[instance_id])
waiter = client.get_waiter('instance_stopped')
waiter.wait(InstanceIds=[instance_id])
for forbidden_param in ['InstanceId', 'NoReboot', 'DryRun']:
if forbidden_param in image_params:
del image_params[forbidden_param]
response = client.create_image(
InstanceId=instance_id,
**image_params
)
ami_id = response['ImageId']
return ami_id
Example #13
| Source File: ami.py From cloudformation-ami with MIT License | 6 votes |
|
def status_is_ok(instance_id):
response = boto3.client('ec2').describe_instance_status(
InstanceIds=[
instance_id,
]
)
print('status response:', response)
instance_statuses = response['InstanceStatuses']
instance_statuses = list(filter(lambda s: s['InstanceId'] == instance_id, instance_statuses))
assert len(instance_statuses) <= 1
if not instance_statuses:
return False
instance_status = instance_statuses[0]
return instance_status['InstanceStatus']['Status'] == 'ok' and instance_status['SystemStatus']['Status'] == 'ok'
Example #14
| Source File: creation_certificates.py From harmony-ops with MIT License | 6 votes |
|
def request_ssl_certificates(region, dn):
"""
Notes:
* idempotent ops
* store CertificateArn to dict_region_sslcerts
"""
acm_client = boto3.client(service_name='acm', region_name=region)
try:
resp = acm_client.request_certificate(
DomainName=dn,
ValidationMethod='DNS',
IdempotencyToken='112358',
)
dict_region_sslcerts[region].append(resp['CertificateArn'])
print("[INFO] creating ssl certificate in region " + region + " for domain name " + dn)
print(dn + ': ' + resp['CertificateArn'])
except Exception as e:
print("[ERROR] Unexpected error to request certificates: %s" % e)
Example #15
| Source File: creation_certificates.py From harmony-ops with MIT License | 6 votes |
|
def get_existing_certs(region, dn):
acm_client = boto3.client(service_name='acm', region_name=region)
dict_exist_sslcerts.clear()
try:
resp = acm_client.list_certificates(
CertificateStatuses=['ISSUED', 'PENDING_VALIDATION'],
MaxItems=1000,
)
for cert in resp['CertificateSummaryList']:
if dn == cert['DomainName']:
dict_exist_sslcerts[cert['DomainName']].append(cert['CertificateArn'])
# pp.pprint(dict_exist_sslcerts)
return dict_exist_sslcerts
except Exception as e:
print("[ERROR] Unexpected error to get exist certificates: %s" % e)
Example #16
| Source File: add_me_to_ops_automator_role.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def add_me_to_role(stack, principal):
role_resource = boto3.client("cloudformation").describe_stack_resource(
StackName=stack, LogicalResourceId="OpsAutomatorLambdaRole").get("StackResourceDetail", None)
role_name = role_resource["PhysicalResourceId"]
role = boto3.client("iam").get_role(RoleName=role_name).get("Role", {})
assume_role_policy_document = role.get("AssumeRolePolicyDocument", {})
statement = assume_role_policy_document.get("Statement", [])
for s in statement:
if s["Principal"].get("AWS", "") == principal:
break
else:
statement.append({"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"AWS": principal}})
boto3.client("iam").update_assume_role_policy(
RoleName=role_name,
PolicyDocument=json.dumps(assume_role_policy_document)
)
print(("Principal {} can now assume role {}".format(principal, role_name)))
Example #17
| Source File: forward-events.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def lambda_handler(event, _):
print("Ops Automator Events Forwarder (version %version%)")
destination_region = os.getenv("OPS_AUTOMATOR_REGION", "")
destination_account = os.getenv("OPS_AUTOMATOR_ACCOUNT")
source = event.get("source", "")
detail_type = event.get("detail-type", "")
if ((event.get("region", "") != destination_region) or (event.get("account", "") != destination_account)) and \
detail_type in FORWARDED_EVENTS.get(source, []):
destination_region_sns_client = boto3.client("sns", region_name=destination_region)
try:
topic = os.getenv("OPS_AUTOMATOR_TOPIC_ARN")
destination_region_sns_client.publish(TopicArn=topic, Message=json.dumps(event))
print((INF_FORWARDED.format(source, detail_type, destination_region, destination_account, topic, str(event))))
return "OK"
except Exception as ex:
raise Exception(ERR_FAILED_FORWARD, str(event), ex)
else:
print((INF_EVENT_ALREADY_IN_REGION.format(source, detail_type, destination_region)))
Example #18
| Source File: cloudwatch_queue_handler_lambda.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def __init__(self):
self.log_group = os.environ[ENV_LOG_GROUP]
max_put_calls_per_account = int(os.getenv(ENV_CWL_LIMIT_PUT_CALLS_PER_ACCOUNT, DEFAULT_CWL_LIMIT_PUT_CALLS_PER_ACCOUNT))
self._max_put_call_account_throttling = Throttle(max_put_calls_per_account)
self.max_put_calls_per_stream = int(os.getenv(ENV_CWL_LIMIT_PUT_CALLS_PER_STREAM, DEFAULT_CWL_LIMIT_PUT_CALLS_PER_STREAM))
self._max_put_call_stream_throttling = {}
max_api_calls = int(os.getenv(ENV_CWL_LIMIT_API_CALLS, DEFAULT_CWL_LIMIT_API_CALLS))
self._max_cwl_api_calls = Throttle(max_api_calls)
self._log_client = boto3.client("logs")
self._stream_tokens = {}
self._buffer = collections.OrderedDict()
self._buffer_size = 0
self.fifo = None
Example #19
| Source File: __init__.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def set_dynamodb_tags(ddb_client, resource_arns, tags, can_delete=True, logger=None):
def create_tags(client, resources, created_tags):
for arn in resources:
client.tag_resource_with_retries(ResourceArn=arn, Tags=created_tags)
def delete_tags(client, resources, deleted_tags):
for arn in resources:
client.untag_resource_with_retries(ResourceArn=arn, TagKeys=deleted_tags)
_set_resource_tags(client=ddb_client,
resources=resource_arns,
tags=tags,
create_func=create_tags,
delete_func=delete_tags,
logger=logger,
can_delete=can_delete)
Example #20
| Source File: __init__.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def set_storagegateway_tags(sgw_client, resource_arns, tags, can_delete=True, logger=None):
def create_tags(client, resources, created_tags):
for arn in resources:
client.add_tags_to_resource_with_retries(ResourceARN=arn, Tags=created_tags)
def delete_tags(client, resources, deleted_tags):
for arn in resources:
client.remove_tags_from_resource_with_retries(ResourceARN=arn, TagKeys=deleted_tags)
_set_resource_tags(client=sgw_client,
resources=resource_arns,
tags=tags,
create_func=create_tags,
delete_func=delete_tags,
logger=logger,
can_delete=can_delete)
Example #21
| Source File: __init__.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def _set_resource_tags(client, resources, tags, create_func, delete_func, can_delete=True, logger=None):
tag_set = copy.deepcopy(tags)
resource_list = resources if isinstance(resources, list) else [resources]
tags_to_delete = [t for t in tags if tag_set[t] == TAG_DELETE]
if len(tags_to_delete) > 0:
if can_delete:
for t in tags_to_delete:
del tag_set[t]
delete_func(client, resource_list, tags_to_delete)
else:
if logger is not None:
logger.warning(WARN_TAGS_CANNOT_BE_DELETED, ",".join(tags_to_delete))
if len(tag_set) > 0:
create_func(client, resource_list, tag_key_value_list(tag_set))
Example #22
| Source File: __init__.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def get_session(role_arn=None, sts_client=None, logger=None):
if role_arn not in [None, ""]:
sts = sts_client if sts_client is not None else boto3.client("sts")
account = account_from_role_arn(role_arn)
try:
token = sts.assume_role(RoleArn=role_arn, RoleSessionName="{}-{}".format(account, str(uuid.uuid4())))
except botocore.exceptions.ClientError as ex:
if logger is not None:
logger.error(ERR_ASSUME_ROLE_FOR_ARN, role_arn, ex)
raise ex
credentials = token["Credentials"]
return boto3.Session(aws_access_key_id=credentials["AccessKeyId"],
aws_secret_access_key=credentials["SecretAccessKey"],
aws_session_token=credentials["SessionToken"])
else:
role = os.getenv(ENV_ROLE_ARN)
if role is not None:
return get_session(role, sts_client)
return boto3.Session()
Example #23
| Source File: aws_service.py From aws-ops-automator with Apache License 2.0 | 6 votes |
|
def _map_describe_function_parameters(self, resources, args):
"""
Maps the parameter names passed to the service class describe call to names used to make the call the the boto
service client describe call
:param resources: Name of the resource type
:param args: parameters to be mapped
:return: mapped parameters
"""
if len(self._mapped) == 0:
return args
mapped_args = args.copy()
for arg in self._mapped:
if arg in mapped_args:
mapped_args[self._mapped[arg]] = args[arg]
del mapped_args[arg]
return mapped_args
Example #24
| Source File: ssh.py From aegea with Apache License 2.0 | 5 votes |
|
def ensure_bless_ssh_cert(ssh_key_name, bless_config, use_kms_auth, max_cert_age=1800):
ssh_key = ensure_local_ssh_key(ssh_key_name)
ssh_key_filename = get_ssh_key_path(ssh_key_name)
ssh_cert_filename = ssh_key_filename + "-cert.pub"
if os.path.exists(ssh_cert_filename) and time.time() - os.stat(ssh_cert_filename).st_mtime < max_cert_age:
logger.info("Using cached Bless SSH certificate %s", ssh_cert_filename)
return ssh_cert_filename
logger.info("Requesting new Bless SSH certificate")
for lambda_regional_config in bless_config["lambda_config"]["regions"]:
if lambda_regional_config["aws_region"] == clients.ec2.meta.region_name:
break
session = boto3.Session(profile_name=bless_config["client_config"]["aws_user_profile"])
iam = session.resource("iam")
sts = session.client("sts")
assume_role_res = sts.assume_role(RoleArn=bless_config["lambda_config"]["role_arn"], RoleSessionName=__name__)
awslambda = boto3.client('lambda',
region_name=lambda_regional_config["aws_region"],
aws_access_key_id=assume_role_res['Credentials']['AccessKeyId'],
aws_secret_access_key=assume_role_res['Credentials']['SecretAccessKey'],
aws_session_token=assume_role_res['Credentials']['SessionToken'])
bless_input = dict(bastion_user=iam.CurrentUser().user_name,
bastion_user_ip="0.0.0.0/0",
bastion_ips=",".join(bless_config["client_config"]["bastion_ips"]),
remote_usernames=",".join(bless_config["client_config"]["remote_users"]),
public_key_to_sign=get_public_key_from_pair(ssh_key),
command="*")
if use_kms_auth:
bless_input["kmsauth_token"] = get_kms_auth_token(session=session,
bless_config=bless_config,
lambda_regional_config=lambda_regional_config)
res = awslambda.invoke(FunctionName=bless_config["lambda_config"]["function_name"], Payload=json.dumps(bless_input))
bless_output = json.loads(res["Payload"].read().decode())
if "certificate" not in bless_output:
raise AegeaException("Error while requesting Bless SSH certificate: {}".format(bless_output))
with open(ssh_cert_filename, "w") as fh:
fh.write(bless_output["certificate"])
return ssh_cert_filename
Example #25
| Source File: __init__.py From aegea with Apache License 2.0 | 5 votes |
|
def get_pricing_data(service_code, filters=None, max_cache_age_days=30):
from ... import config
if filters is None:
filters = [("location", region_name(clients.ec2.meta.region_name))]
get_products_args = dict(ServiceCode=service_code,
Filters=[dict(Type="TERM_MATCH", Field=k, Value=v) for k, v in filters])
cache_key = hashlib.sha256(json.dumps(get_products_args, sort_keys=True).encode()).hexdigest()[:32]
service_code_filename = os.path.join(config.user_config_dir, "pricing_cache_{}.json.gz".format(cache_key))
try:
cache_date = datetime.fromtimestamp(os.path.getmtime(service_code_filename))
if cache_date < datetime.now() - timedelta(days=max_cache_age_days):
raise Exception("Cache is too old, discard")
with gzip.open(service_code_filename) as gz_fh:
with io.BufferedReader(gz_fh) as buf_fh:
pricing_data = json.loads(buf_fh.read().decode())
except Exception:
logger.info("Fetching pricing data for %s", service_code)
client = boto3.client("pricing", region_name="us-east-1")
pricing_data = [json.loads(p) for p in paginate(client.get_paginator("get_products"), **get_products_args)]
try:
with gzip.open(service_code_filename, "w") as fh:
fh.write(json.dumps(pricing_data).encode())
except Exception as e:
print(e, file=sys.stderr)
return pricing_data
Example #26
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 5 votes |
|
def list_api(self, deleted_api_id=None):
response = self.client.get_rest_apis()
for item in response['items']:
try:
created_dt = item['createdDate']
api_id = item['id']
name = item['name']
proxy_url = self.get_integration(api_id).replace('{proxy}', '')
url = f'https://{api_id}.execute-api.{self.region}.amazonaws.com/fireprox/'
if not api_id == deleted_api_id:
print(f'[{created_dt}] ({api_id}) {name}: {url} => {proxy_url}')
except:
pass
return response['items']
Example #27
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 5 votes |
|
def create_deployment(self, api_id):
if not api_id:
self.error('Please provide a valid API ID')
response = self.client.create_deployment(
restApiId=api_id,
stageName='fireprox',
stageDescription='FireProx Prod',
description='FireProx Production Deployment'
)
resource_id = response['id']
return (resource_id,
f'https://{api_id}.execute-api.{self.region}.amazonaws.com/fireprox/')
Example #28
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 5 votes |
|
def get_resource(self, api_id):
if not api_id:
self.error('Please provide a valid API ID')
response = self.client.get_resources(restApiId=api_id)
items = response['items']
for item in items:
item_id = item['id']
item_path = item['path']
if item_path == '/{proxy+}':
return item_id
return None
Example #29
| Source File: fire.py From fireprox with GNU General Public License v3.0 | 5 votes |
|
def get_integration(self, api_id):
if not api_id:
self.error('Please provide a valid API ID')
resource_id = self.get_resource(api_id)
response = self.client.get_integration(
restApiId=api_id,
resourceId=resource_id,
httpMethod='ANY'
)
return response['uri']
Example #30
| Source File: config_rules.py From aws-auto-remediate with GNU General Public License v3.0 | 5 votes |
|
def client_rds(self):
if not self._client_rds:
self._client_rds = boto3.client("rds")
return self._client_rds
