User Avatar

Jake Howering

3y ago

Thoughts on Cybersecurity, Cloud and Networking. Sometimes runner, mediocre tennis player, carpool expert.

Getting your VM Name, IP and FQDN from your AWS Organization Should be Simple!
Jake Howering

Getting your AWS VM Name, IP address and FQDN from your AWS Organization should be simple. But...

AWS has made it ridiculously hard to get a consolidated list of all Virtual Machine Names, IP's and Fully-Qualified Domain Names across your AWS Organization. There is no single command to do it. You must iterate through all accounts individually, making API calls within each account. It can be tricky.

Using Python, I've made it simple. Keep reading to learn how I did it.

Background: The AWS Organization must be setup to allow users to assume roles from the Management Account to the individual Member Accounts. Start here with more information on this.

Program Logic:
1) Input the Management Account ID into the program. We'll use it later

print("******************************************************************")
print("Welcome to the AWS Organization EC2 Name, IP and FQDN Report")
print("To get started, please enter the AWS Organization Main Account ID: ")
orgMainAccountID = input()

2) Get the list of all the accounts in the AWS Organization

orgClient = boto3.client('organizations')
response = orgClient.list_accounts()

3) We'll iterate over all the accounts found in the "response" variable. For each of the accounts, we'll use the AWS Security Token Service (STS) to create temporary tokens to access the Member accounts from the Management account. Except, we won't create a temporary token for the Management account since we are accessing it directly.

for account in response['Accounts']:

4) Using AWS STS, create the token and the session

stsClient = boto3.client('sts')
roleArn = "arn:aws:iam::" + account['Id'] + ":role/OrganizationAccountAccessRole"
stsresponse = stsClient.assume_role(RoleArn=roleArn, RoleSessionName='newsession')
# Save the details from assumed role into vars
newsession_id = stsresponse["Credentials"]["AccessKeyId"]
newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
newsession_token = stsresponse["Credentials"]["SessionToken"]

5) Using the assume_role variables, create an ec2client to get information from our virtual machines and store in the "response" variable

# Use the assumed session vars to create a new boto3 client with the assumed role creds
ec2Client = boto3.client('ec2', 
  region_name=region['RegionName'],
  aws_access_key_id=newsession_id, 
  aws_secret_access_key=newsession_key, 
  aws_session_token=newsession_token)
response = ec2Client.describe_instances()

6) Loop through all responses and get the VM Name, IP, and FDQN.

for reservation in response["Reservations"]:
  for instance in reservation["Instances"]:
    try:
      if instance["State"]["Name"] == "running":
        print("Account Name:",account['Name']+",", "Region: 
        {}, Name: {}, Private IP: {}, Public IP: {}, FQDN: 
        {}".format( region['RegionName'],
        # get instance name from Tag Name
        [tag['Value'] for tag in instance['Tags'] if tag['Key'] == 'Name'][0], instance["PrivateIpAddress"],instance["PublicIpAddress"], instance["PublicDnsName"]))
     except KeyError as missing_key:
     # Used as missing_key for readability purposes only
       print(f"Trying to access a <dict> with a missing key {missing_key}")

7) Back to the Management account ID we input in step 1. The code contains a condition to make sure we don't try to "assume_role" into the Management account, since we are accessing it directly.

A final note. The complete code can be found here. Feel free to improve with better error handling, readability or execution speed.

Made with Typeshare

The all-in-one writing platform.

Write, publish everywhere, see what works, and become a better writer - all in one place.

Trusted by 80,000+ writers