
How to use it

janiko71 edited this page Nov 14, 2024 · 8 revisions

This script is designed to run in any Python environment. Once the AWS user is properly configured, the inventory can be run as often as needed. Currently it executes every inventory, which can make a run take a long time.

But don't forget to execute the script with the appropriate IAM permissions: the user must have all the rights described in the policy files you need (see below).

$ python ./new_inventory_api.py [--policy-dir policies] [--with-meta] [--with-extra] [--with-empty]

Arguments

  • --policy-dir : Directory containing the IAM policy files (default: policies).
  • --with-meta : Include metadata in the inventory.
  • --with-extra : Include Availability Zones, Regions, and Account Attributes in the inventory.
  • --with-empty : Include empty values in the inventory.

Logs information

A log file is generated and updated throughout the execution. Remember that the script is multi-threaded, so the entries do not necessarily appear in a logical sequence (the start of an API call is not always immediately followed by the end of that call); instead, entries are recorded in the order in which they happen.

AWS IAM permissions and policies

By design, you **should** only use the minimal rights necessary. The good news is that these rights are derived from the JSON files describing the resources and services, so they are as minimal as possible. However, there are a few steps you need to take to achieve this:

  1. Run create_policy_files.py: it creates one (or more) JSON files containing the permissions needed for the inventory. Because the AWS console limits the length of a single policy, the output is split into several files when the permissions do not fit in one. By default, the policy files are written to the output_policies directory.
  2. Create user-owned policies in the AWS console (one policy for each file).
  3. Attach these policies to the user you will use to run the script.
  4. If needed, configure the AWS environment where the inventory script will run. Generally, run aws configure to set the access key of the user you will use.
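As an added illustration of step 1 (this is not the project's create_policy_files.py), the following Python packs a constructed list of read-only actions into as many policy documents as the IAM size quota requires, and refuses any action that is not a Describe/List/Get call, since an inventory should never need more. The 6,144-character quota for customer-managed policies is AWS's documented limit (whitespace excluded); verify it against the current IAM quotas.

```python
from __future__ import annotations
import json

# AWS quota for a customer-managed IAM policy: 6,144 characters, whitespace
# excluded. Assumed from the IAM quotas documentation; check the current value.
MAX_POLICY_CHARS = 6144

# Only these API name prefixes are acceptable for a read-only inventory user.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed sample input, not taken from the project's JSON service files.
SAMPLE_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeVolumes", "s3:ListAllMyBuckets",
                  "iam:ListUsers", "iam:GetUser", "ec2:DescribeInstances"]


def policy_size(policy: dict) -> int:
    """Size as IAM counts it: characters of the JSON document, whitespace excluded."""
    return sum(1 for ch in json.dumps(policy) if not ch.isspace())


def make_policy(actions: list[str]) -> dict:
    """One policy document allowing exactly the given actions on any resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def check_read_only(actions: list[str]) -> list[str]:
    """Return the actions that are not Describe*/List*/Get*, i.e. unsafe for an inventory."""
    bad = []
    for action in actions:
        service, _, api = action.partition(":")
        if not service or not api.startswith(READ_ONLY_PREFIXES):
            bad.append(action)
    return bad


def split_policies(actions: list[str], max_chars: int = MAX_POLICY_CHARS) -> list[dict]:
    """Greedily pack actions (de-duplicated, input order) into policies under the quota."""
    offending = check_read_only(actions)
    if offending:
        raise ValueError(f"non read-only actions refused: {offending}")
    policies, current = [], []
    for action in dict.fromkeys(actions):
        candidate = current + [action]
        if current and policy_size(make_policy(candidate)) > max_chars:
            policies.append(make_policy(current))  # quota reached: start a new file
            current = [action]
        else:
            current = candidate
    if current:
        policies.append(make_policy(current))
    return policies
```

Each returned document would be written to its own file in output_policies and created as one policy in the console.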

Feature to add

If you have multiple profiles in your AWS CLI configuration file (in [HOME]\.aws\credentials), you can choose which one to use. By default, it's... default. The script stops if the given profile does not exist.

$ python ./new_inventory_api.py --profile toto

If you want to execute this script within multiple AWS accounts, you should use AWS roles.
