More than 3 years have passed since last update.

ssm inventory を aws lambda / python3.8 でたたいてみた。

Last updated at 2021-05-18Posted at 2021-05-18

素人が自分のノートとして書いてますが、改善点あれば是非コメントください

###まず AWS CLI でコマンドを確認
InstanceID とインベントリタイプの指定が必要。

aws-cli

aws ssm list-inventory-entries --instance-id i-xxxxxxxxxxxx --type-name AWS:Application

今回リストしたかったのは PV Driver。確認出来た。

awscli出力(一部抽出)

{
    "TypeName": "AWS:Application",
    "InstanceId": "i-xxxxxxxxxxxxxxx",
    "SchemaVersion": "1.1",
    "CaptureTime": "2021-05-17T10:44:06Z",
    "Entries": [
        {
            "Architecture": "x86_64",
            "InstalledTime": "2020-09-09T00:00:00Z",
            "Name": "AWS PV Drivers",
            "PackageId": "{90C09D7C-18EB-4853-9F4F-D3040CC23924}",
            "Publisher": "Amazon Web Services",
            "Version": "8.3.4"
        }
    ]
}

lambda / python3.8 で同等の情報を抽出してみる

aws-lambda/python3.8

import json
import boto3

def lambda_handler(event, context):

    ssmclient = boto3.client('ssm')
    
    response = ssmclient.list_inventory_entries(
        InstanceId ='i-xxxxxxxxxxxx',
        TypeName ='AWS:Application'
        )
    
    print("inventory=", response)

権限エラーとのこと。

権限エラー

Response
{
  "errorMessage": "An error occurred (AccessDeniedException) when calling the ListInventoryEntries operation: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/pvdriver-listing-role-8pgwts5t/pvdriver-listing is not authorized to perform: ssm:ListInventoryEntries on resource: arn:aws:ec2:ap-northeast-1:xxxxxxxxxxxx:instance/i-xxxxxxxxxxxx",
  "errorType": "ClientError",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 8, in lambda_handler\n    response = ssmclient.list_inventory_entries(\n",
    "  File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 676, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

対象のLambda関数に付与されたIAMロールに AmazonSSMReadOnlyAccess を追加する。
Lambda > 関数 > 対象Lambda関数 > 設定タブ > アクセス権限 > 実行ロール > 【対象ロール】> IAM設定画面に遷移 > 【ポリシーをアタッチします】> AmazonSSMReadOnlyAccess を選択 > 【ポリシーのアタッチ】

出力

inventory= {'TypeName': 'AWS:Application', 'InstanceId': 'i-xxxxxxxxxxxx', 'SchemaVersion': '1.1', 'CaptureTime': '2021-05-17T11:14:44Z', 'Entries': [{'Architecture': 'x86_64', 'InstalledTime': '2020-09-09T00:00:00Z', 'Name': 'AWS PV Drivers', 'PackageId': '{90C09D7C-18EB-4853-9F4F-D3040CC23924}', 'Publisher': 'Amazon Web Services', 'Version': '8.3.4'}], 'ResponseMetadata': {'RequestId': '4f6eed77-16bd-4b8b-9212-xxxxxxxxxxxx', 'HTTPStatusCode': 200, 'HTTPHeaders': {'server': 'Server', 'date': 'Mon, 17 May 2021 11:21:42 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '1558', 'connection': 'keep-alive', 'x-amzn-requestid': '4f6eed77-16bd-4b8b-9212-xxxxxxxxxxxx'}, 'RetryAttempts': 0}}

無事出力できました。

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up