in code/ct_flowlog_activator.py [0:0]
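def assume_role(aws_account_number, role_name, external_id, *, aws_region=None):
    """Assume ``role_name`` in another account and return a boto3 Session.

    The caller's own STS credentials are used to call AssumeRole on
    ``arn:<partition>:iam::<account>:role/<role_name>``. The partition is
    read from the caller's identity ARN so the same code works in the
    aws-us-gov and aws-cn partitions, not only ``aws``.

    :param aws_account_number: Target AWS account id (str or int; an int is
        accepted because it is only ever formatted into strings here).
    :param role_name: Name of the role to assume in the target account.
    :param external_id: ExternalId sent with the AssumeRole call. It must
        match the ``sts:ExternalId`` condition in the target role's trust
        policy; its purpose is to defeat the confused-deputy problem, so it
        must not be a guessable or public value.
    :param aws_region: Optional region for clients created from the returned
        session. ``None`` keeps boto3's normal region resolution
        (environment / config), which is what the original behaviour was.
    :return: boto3 Session holding the role's temporary credentials. STS
        credentials expire; do not cache the session indefinitely.
    :raises Exception: any failure from STS (access denied, trust policy
        mismatch, bad ExternalId, ...) is logged with traceback and re-raised.
    """
    try:
        sts_client = boto3.client('sts')
        # Partition (aws / aws-us-gov / aws-cn) taken from the caller's ARN.
        partition = sts_client.get_caller_identity()['Arn'].split(":")[1]
        role_arn = 'arn:{}:iam::{}:role/{}'.format(
            partition, aws_account_number, role_name)
        # The session name is what CloudTrail in the target account records,
        # so keep it "<account>-<role>" to make actions attributable.
        # str.format (not '+') so an int account id does not raise TypeError.
        # NOTE(review): STS caps RoleSessionName at 64 characters; a very long
        # role name would fail validation here rather than be truncated.
        session_name = '{}-{}'.format(aws_account_number, role_name)
        response = sts_client.assume_role(
            RoleArn=role_arn,
            RoleSessionName=session_name,
            ExternalId=external_id,
        )
        credentials = response['Credentials']
        sts_session = boto3.Session(
            aws_access_key_id=credentials['AccessKeyId'],
            aws_secret_access_key=credentials['SecretAccessKey'],
            aws_session_token=credentials['SessionToken'],
            region_name=aws_region,
        )
        LOGGER.info("Assumed session for %s - %s.", aws_account_number, role_name)
        return sts_session
    except Exception as e:
        # Log with traceback, then re-raise so the caller decides what a
        # failed assume means for the overall run (never swallow it).
        LOGGER.error("Could not assume role : %s", e, exc_info=True)
        raise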