我正在研究一个lambda函数,该函数从CloudTrail获取事件并对其进行分析。
我有这个脚本:
s3.download_file(bucket, key, download_path)
with gzip.open(download_path, "r") as f:
data = json.loads(f.read())
print json.dumps(data)
for event in data['Records']:
if event['eventName'] in event_list:
dateEvent = datetime.strptime(event['eventTime'], "%Y-%m-%dT%H:%M:%SZ")
for element in event['userIdentity']:
for session in element[0]['sessionContext']:
username = session['userName']
role = session['arn']
我无法摆脱userName和arn的价值。我收到这个错误:
string indices must be integers: TypeError
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 34, in lambda_handler
for session in element[0]['sessionContext']:
TypeError: string indices must be integers
如何做到这一点?什么是正确的方法?
这是json字符串:
"userIdentity": {
"principalId": "aaaaaaaaaaaaaaaaaaaa",
"accessKeyId": "aaaaaaaaaaaaaaaaaaaaa",
"sessionContext": {
"sessionIssuer": {
"userName": "aaaaaaaaaaaaa",
"type": "Role",
"arn": "arn:aws:iam::aaaaaaaaaaaaaaaaaa:role/aaaaaaa",
"principalId": "aaaaaaaaaaaaaaaaaa",
"accountId": "aaaaaaaaaaaaaaaaaaa"
},
"attributes": {
"creationDate": "2017-09-14T15:03:08Z",
"mfaAuthenticated": "false"
}
},
"type": "AssumedRole",
"arn": "aaaaaaaaaaaaaaaaaaaaaaaa",
"accountId": "aaaaaaaaaaaaaaaaaa"
},
答案 0 :(得分:2)
userIdentity元素可能有也可能没有sessionContext元素,因为只有在该事件期间使用临时IAM凭据时才存在这些元素。
没有userIdentity的{{1}}元素如下所示:
sessionContext但"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAJ45Q7YFFAREXAMPLE",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Alice"
}
元素userIdentity看起来像这样:
sessionContext......如果没有发生角色联盟,它甚至可能看起来像这样。
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"creationDate": "20131102T010628Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIDPPEZS35WEXAMPLE",
"arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
"accountId": "123456789012",
"userName": "RoleToBeAssumed"
}
}
}
回到你的代码:
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice",
"sessionContext": {"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2014-03-06T15:15:06Z"
}}
}
for element in event['userIdentity']:
for session in element[0]['sessionContext']:
username = session['userName']
role = session['arn']
不存在,因为element[0]不是列表。
如果你想获取已使用或假定的用户名和角色ARN,我认为这样可行。它会考虑直接通过sessionContext或IAMUser完成的事件。
AssumedRole作为处理循环的一部分:
user_identity = event['userIdentity']
# check to see if we have a sessionContext[sessionIssuer]
if 'sessionIssuer' in user_identity.get('sessionContext', {}):
user_name = user_identity['sessionContext']['sessionIssuer']['userName']
arn = user_identity['sessionContext']['sessionIssuer']['arn']
else:
user_name = user_identity['userName']
arn = user_identity['arn']