How do I get a pre-signed URL for an API Gateway in CloudFormation using Boto3?

Time: 2017-11-08 00:44:39

Tags: amazon-web-services aws-api-gateway amazon-cloudformation

I want to call an API Gateway that is maintained in CloudFormation. I have the CloudFormation stack name (CF_STACK_NAME), the API Gateway resource name (API_GATEWAY_NAME), and the CloudFormation name of the IAM role I need to assume (API_ROLE_NAME).

I can get at my CloudFormation stack via

import boto3

cf_client = boto3.client('cloudformation')
# look up the stack resources by their logical ids
api_role_resource = cf_client.describe_stack_resource(
       StackName=CF_STACK_NAME,
       LogicalResourceId=API_ROLE_NAME
)
api_resource = cf_client.describe_stack_resource(
       StackName=CF_STACK_NAME,
       LogicalResourceId=API_GATEWAY_NAME
)

From reading Switching to an IAM Role, I saw how to get the role's keys,

sts_client = boto3.client('sts')
credentials = sts_client.assume_role(
    RoleArn='arn:aws:iam::{account_id}:role/{role_name}'.format(
        account_id=sts_client.get_caller_identity().get('Account'),
        # describe_stack_resource nests the fields under StackResourceDetail
        role_name=api_role_resource['StackResourceDetail']['PhysicalResourceId']
    ),
    RoleSessionName="AssumeRoleSession1"
)['Credentials']

But when I want to call the API URL,

import requests

# client created with the caller's default credentials
apigateway_client = boto3.client('apigateway')
api_logical_id = API_GATEWAY_NAME
restapi_id = apigateway_client.get_rest_api(restApiId=api_logical_id)['id']
url = f'https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage}/{api_query}'

api_output = requests.get(url).json()

I get,

An error occurred (AccessDeniedException) when calling the GetRestApi operation: User: arn:aws:iam::0123456789:user/my-user is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis/ServerlessRestApi

How do I make the API call using this CloudFormation information?

1 answer:

Answer 0: (score: 1)

My guess is that you are not using the new credentials from STS.

You need to create the apigateway client with the new credentials, using the following code:

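As an added example (my code, not the answerer's and not the question's), the full flow the answer points at: resolve the role from the stack, assume it, build the apigateway client from the temporary credentials instead of the default ones, and call the stage URL. Assumptions: CF_STACK_NAME, API_ROLE_NAME and the region are placeholders; the REST API id is taken from the RestApi resource's PhysicalResourceId rather than the logical name the question passed to get_rest_api; and because a stage that requires IAM authorization rejects an unsigned requests.get(), the request is signed with the assumed-role credentials using a hand-written SigV4 signer over hmac/hashlib (botocore's SigV4Auth does the same job) so that the signing part runs offline against constructed credentials.

```python
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed sample values for the offline demonstration; not real credentials.
EXAMPLE_TIME = datetime.datetime(2017, 11, 8, 0, 44, 39)
EXAMPLE_CREDENTIALS = {  # same shape as sts.assume_role(...)['Credentials']
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "example-secret-not-real",
    "SessionToken": "example-session-token",
}


def assume_api_role(stack_name, role_logical_id, session_name="ApiInvokeSession"):
    """Resolve the role's physical name from the stack and assume it via STS.
    Returns the temporary Credentials dict (AccessKeyId, SecretAccessKey, SessionToken)."""
    import boto3  # imported here so the signing helpers below run without boto3 installed
    cf = boto3.client("cloudformation")
    sts = boto3.client("sts")
    detail = cf.describe_stack_resource(
        StackName=stack_name, LogicalResourceId=role_logical_id
    )["StackResourceDetail"]
    account = sts.get_caller_identity()["Account"]
    return sts.assume_role(
        RoleArn=f"arn:aws:iam::{account}:role/{detail['PhysicalResourceId']}",
        RoleSessionName=session_name,
    )["Credentials"]


def apigateway_client_with(credentials, region):
    """The answer's point: pass the temporary credentials explicitly, otherwise
    boto3 silently uses the caller's own identity (hence the AccessDenied)."""
    import boto3
    return boto3.client(
        "apigateway",
        region_name=region,
        aws_access_key_id=credentials["AccessKeyId"],
        aws_secret_access_key=credentials["SecretAccessKey"],
        aws_session_token=credentials["SessionToken"],
    )


def build_invoke_url(restapi_id, region, stage, path):
    """Invoke URL of a REST API stage; restapi_id is the RestApi resource's
    PhysicalResourceId, not its logical name."""
    return f"https://{restapi_id}.execute-api.{region}.amazonaws.com/{stage}/{path.lstrip('/')}"


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_execute_api_request(credentials, method, url, region, when, body=""):
    """SigV4-sign an execute-api request with temporary credentials. The session
    token is part of the signed headers; omitting it makes the gateway reject the call."""
    parts = urllib.parse.urlsplit(url)
    canonical_uri = urllib.parse.quote(parts.path or "/", safe="/~")
    pairs = sorted(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}" for k, v in pairs
    )
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {
        "host": parts.netloc,
        "x-amz-date": amz_date,
        "x-amz-security-token": credentials["SessionToken"],
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        [method.upper(), canonical_uri, canonical_query, canonical_headers, signed_headers, payload_hash]
    )
    scope = f"{date_stamp}/{region}/execute-api/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    # Derived signing key: the secret never leaves the client, only this chained HMAC does.
    k_date = _hmac_sha256(("AWS4" + credentials["SecretAccessKey"]).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "execute-api")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={credentials['AccessKeyId']}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": credentials["SessionToken"],
    }


if __name__ == "__main__":
    # Offline run on the constructed credentials. A live run would first do
    # creds = assume_api_role(CF_STACK_NAME, API_ROLE_NAME), take the REST API id from
    # the stack, then requests.get(url, headers=sign_execute_api_request(...)).
    url = build_invoke_url("abc123xyz", "us-west-2", "Prod", "/items?a=1")
    headers = sign_execute_api_request(EXAMPLE_CREDENTIALS, "GET", url, "us-west-2", EXAMPLE_TIME)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Two things worth checking when the call still fails after switching clients: the role's policy should grant execute-api:Invoke on the specific stage ARN rather than a wildcard, and the three headers returned by the signer (Authorization, X-Amz-Date, X-Amz-Security-Token) must all reach the gateway, since the token is covered by the signature.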