python - How to create an ingress rule in boto3 whose source is a security group

Tags: python amazon-ec2 boto3 aws-security-group

I am trying to use boto3 to create a security group in AWS whose traffic source is an existing security group. This is how I am doing it:

res = client.authorize_security_group_ingress(
    GroupId=sg_id,          # <---- sg I want to modify
    IpPermissions=[{
        'IpProtocol': 'tcp',
        'FromPort': 80,
        'ToPort': 80,
        'IpRanges': [{'CidrIp': 'sg-xxxxxxx'}]  # <--- sg I want to be the source
    }]
)

But I get: An error occurred (InvalidParameterValue) when calling the AuthorizeSecurityGroupIngress operation: CIDR block sg-0ae9ec592f6d43219 is malformed

Honestly, that is obvious, because the field in IpRanges is CidrIp, not something like groupId, which is what I expected to write. But according to the documentation:

CidrIp (string) -- The IPv4 CIDR range. You can either specify a CIDR range or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.

It does not really say "source security group ID"; I just assumed it was the ID. I tried the name as well, but that does not work either (specifying a name makes it look for an SG with that name in the default VPC).

Best answer

You have to use the UserIdGroupPairs option instead of IpRanges:

        'UserIdGroupPairs': [
            {
                'Description': 'string',
                'GroupId': 'string',
                'GroupName': 'string',
                'PeeringStatus': 'string',
                'UserId': 'string',
                'VpcId': 'string',
                'VpcPeeringConnectionId': 'string'
            },

where:

UserIdGroupPairs (list) -- The security group and AWS account ID pairs. Each item (dict) describes a security group and AWS account ID pair:

    Description (string) -- A description for the security group rule that references this user ID group pair.
        Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

    GroupId (string) -- The ID of the security group.

    GroupName (string) -- The name of the security group. In a request, use this parameter for a security group in EC2-Classic or a default VPC only. For a security group in a nondefault VPC, use the security group ID.
        For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.

    PeeringStatus (string) -- The status of a VPC peering connection, if applicable.

    UserId (string) -- The ID of an AWS account.
        For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
        [EC2-Classic] Required when adding or removing rules that reference a security group in another AWS account.

    VpcId (string) -- The ID of the VPC for the referenced security group, if applicable.

    VpcPeeringConnectionId (string) -- The ID of the VPC peering connection, if applicable.
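As an added example (not code from the question or the answer), the helpers below build the UserIdGroupPairs form of the rule, flag the CidrIp mistake from the question before the request is sent, and take the EC2 client as a parameter so the logic can be exercised without AWS access. The group ids are placeholders; `sg_source_permission`, `misplaced_sg_ids` and `authorize_from_security_group` are names chosen here, not boto3 APIs.

```python
import re

SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8,17}$")  # "sg-" plus 8 or 17 hex digits


def sg_source_permission(source_sg_id, port, protocol="tcp", description=None):
    """Build one IpPermissions entry whose source is another security group.

    The source group goes under UserIdGroupPairs, never under IpRanges:
    CidrIp accepts only an IPv4 CIDR block such as 10.0.0.0/16.
    """
    if not SG_ID_RE.match(source_sg_id):
        raise ValueError(f"not a security group id: {source_sg_id!r}")
    pair = {"GroupId": source_sg_id}
    if description:
        pair["Description"] = description
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [pair]}


def misplaced_sg_ids(ip_permissions):
    """Return security group ids wrongly placed under IpRanges/CidrIp.

    This is the mistake in the question: EC2 rejects such a request with
    InvalidParameterValue ("CIDR block sg-... is malformed").
    """
    return [rng["CidrIp"] for perm in ip_permissions
            for rng in perm.get("IpRanges", [])
            if rng.get("CidrIp", "").startswith("sg-")]


def authorize_from_security_group(ec2, group_id, source_sg_id, port, **kw):
    """Allow inbound `port` on `group_id` from members of `source_sg_id`.

    `ec2` is anything with a boto3-style authorize_security_group_ingress
    method (the real client, or a stub in tests). Returns the permission sent.
    """
    perm = sg_source_permission(source_sg_id, port, **kw)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[perm])
    return perm


if __name__ == "__main__":
    import boto3  # real call: needs AWS credentials and a region configured

    # placeholder ids (constructed); replace with the group to modify and the source
    authorize_from_security_group(boto3.client("ec2"), "sg-0123456789abcdef0",
                                  "sg-0ae9ec592f6d43219", 80,
                                  description="HTTP from web tier")
```

Rules referencing a group rather than a CIDR follow instance membership, so they keep working when the source instances' private IPs change.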

For the question "python - How to create an ingress rule in boto3 whose source is a security group", a similar question exists on Stack Overflow: https://stackoverflow.com/questions/61284583/
