cloudaux

Cloud Auxiliary是一个用于与云服务提供商交互的Python封装和编排模块。

注意：我们支持什么？

CloudAux最初是为了提供便利的封装，以便在处理云基础设施时（如角色假设和多区域）使用常见模式。它还包含一些便利函数，可以用来使用封装获取整个资源的完整配置详情。

然而，随着时间的推移，我们已停止依赖资源配置封装功能，而是仅支持AWS便利装饰器，如sts_conn和paginated等。如果您想使用CloudAux，只需将您的boto调用包裹在一个应用了装饰器的函数中即可。

注意：Python 2弃用

自版本1.9.0起已弃用Python 2支持。对于仍需要Python 2支持的项目，请使用最新的1.8.x构建。

文档

• CloudAux [此文件]
• AWS
• GCP
• OpenStack

功能

AWS

• 智能连接缓存。
• 处理某些客户端方法的分页。
• 速率限制处理，使用指数退避。
• 多账号sts:角色抽象。
• 协调所有必要的调用，以全面描述一个项目。
• 使用标志控制返回哪些属性。

GCP

• 根据服务选择最佳客户端。
• 客户端缓存。
• 提供通用缓存和统计装饰器。
• 对未指定发现-API服务的支持。
• 使用标志控制返回哪些属性。

OpenStack

• 智能连接缓存。
• 通用OpenStack SDK生成器使用。
• 协调所有必要的调用，以全面描述一个项目。
• 控制返回的属性标志。

支持的编排技术

AWS

• IAM角色
• IAM用户
• IAM SAML提供商
• S3
• ELB（v1）
• ELBv2（ALB）
• Lambda函数
• Glacier
• EC2镜像
• Cloudwatch事件
• SQS

GCP：（已弃用 - 不再受支持）

• IAM服务帐户
• 网络/子网络
• 存储桶

OpenStack：（已弃用 - 不再受支持）

• 网络/子网
• 浮动IP/路由器/端口
• 用户
• 实例/镜像
• 负载均衡器
• 对象存储容器

安装

pip install cloudaux

要支持GCP运行

pip install cloudaux\[gcp\]

要支持OpenStack运行

pip install cloudaux\[openstack\]

示例

AWS示例

# Using wrapper methods:
from cloudaux.aws.sqs import get_queue, get_messages
conn_details = {
    'account_number': '111111111111',
    'assume_role': 'MyRole',
    'session_name': 'MySession',
    'region': 'us-east-1'
}
queue = get_queue(queue_name='MyQueue', **conn_details)
messages = get_messages(queue=queue)


# Using the CloudAux class
from cloudaux import CloudAux
CloudAux.go('kms.client.list_aliases', **conn_details)

ca = CloudAux(**conn_details)
ca.call('kms.client.list_aliases')


# directly asking for a boto3 connection:
from cloudaux.aws.sts import boto3_cached_conn
conn = boto3_cached_conn('ec2', **conn_details)


# Over your entire environment:
from cloudaux.decorators import iter_account_region

accounts = ['000000000000', '111111111111']

conn_details = {
    'assume_role': 'MyRole',
    'session_name': 'MySession',
    'conn_type': 'boto3'
}

@iter_account_region('kms', accounts=accounts, regions=['us-east-1'], **conn_details)
def list_keys(conn=None):
    return conn.list_keys()['Keys']

# If you want your role to be read-only, you can assume your role and add the read_only flag to connection details
# to inherit the AWS ReadOnlyAccess policy. This flag defaults to False
# The permissions from the role being assumed will be limited to Read and List only
conn_details = {
    'account_number': '111111111111',
    'assume_role': 'MyRole',
    'session_name': 'MySession',
    'region': 'us-east-1',
    'read_only': True
}

GCP示例 -- 已弃用 - 不再受支持

# directly asking for a client:
from cloudaux.aws.gcp.auth import get_client
client = get_client('gce', **conn_details)

# Over your entire environment:
from cloudaux.gcp.decorators import iter_project

projects = ['my-project-one', 'my-project-two']

# To specify per-project key_files, you can do thie following:
# projects = [
#  {'project': 'my-project-one', key_file='/path/to/project-one.json'},
#  {'project': 'my-project-two', key_file='/path/to/project-two.json'}
# ]
#
# To specify a single key_file for all projects, use the key_file argument
# to the decorator
# @iter_project(projects=projects, key_file='/path/to/key.json')
#
# To use default credentials, omit the key_file argument
# @iter_project(projects=projects)

from cloudaux.gcp.iam import list_serviceaccounts
from cloudaux.orchestration.gcp.iam.serviceaccount import get_serviceaccount_complete

@iter_project(projects=projects, key_file='/path/to/key.json')
def test_iter(**kwargs):
   accounts = list_serviceaccounts(**kwargs)
   ret = []
   for account in accounts:
     ret.append(get_serviceaccount_complete(service_account=account['name']))
   return ret

OpenStack示例 -- 已弃用 - 不再受支持

from cloudaux.openstack.decorators import _connect
conn = _connect(cloud_name, region, yaml_file):

# Over your entire environment:
from cloudaux.openstack.decorators import iter_account_region, get_regions

@iter_account_region(account_regions=get_regions())
def list_networks(conn=None, service='network', generator='security_groups'):
    from cloudaux.openstack.utils import list_items
    list_items(**kwargs)

编排示例 -- 已弃用 - 请不要再使用这些

AWS IAM角色

from cloudaux.orchestration.aws.iam.role import get_role, FLAGS

# account_number may be extracted from the ARN of the role passed to get_role
# if not included in conn.
conn = dict(
    assume_role='SecurityMonkey',  # or whichever role you wish to assume into
    session_name='cloudaux',
    region='us-east-1'
)

role = get_role(
    dict(arn='arn:aws:iam::000000000000:role/myRole', role_name='myRole'),
    output='camelized',  # optional: {camelized underscored}
    flags=FLAGS.ALL,  # optional
    **conn)

# The flags parameter is optional but allows the user to indicate that
# only a subset of the full item description is required.
# IAM Role Flag Options:
#   BASE, MANAGED_POLICIES, INLINE_POLICIES, INSTANCE_PROFILES, TAGS, ALL (default)
# For instance: flags=FLAGS.MANAGED_POLICIES | FLAGS.INSTANCE_PROFILES

# cloudaux makes a number of calls to obtain a full description of the role
print(json.dumps(role, indent=4, sort_keys=True))

{
    "Arn": ...,
    "AssumeRolePolicyDocument": ...,
    "CreateDate": ...,  # str
    "InlinePolicies": ...,
    "InstanceProfiles": ...,
    "ManagedPolicies": ...,
    "Path": ...,
    "RoleId": ...,
    "RoleName": ...,
    "Tags": {},
    "_version": 3    # Orchestration results return a _Version
}

GCP IAM服务帐户 -- 已弃用 - 请不要再使用这些

from cloudaux.orchestration.gcp.iam.serviceaccount import get_serviceaccount_complete, FLAGS
sa_name = 'projects/my-project-one/serviceAccounts/service-account-key@my-project-one.iam.gserviceaccount.com'
sa = get_serviceaccount_complete(sa_name, flags=FLAGS.ALL, **conn_details)
print(json.dumps(sa, indent=4, sort_keys=True))

# Flag options for Service Accounts are BASE, KEYS, POLICY, ALL (default).

{
  "DisplayName": "service-account",
  "Email": "service-account@my-project-one.iam.gserviceaccount.com",
  "Etag": "BwUzTDvWgHw=",
  "Keys": [
      {
          "KeyAlgorithm": "KEY_ALG_RSA_2048",
          "Name": "projects/my-project-one/serviceAccounts/service-account@my-project-one.iam.gserviceaccount.com/keys/8be0096886f6ed5cf51abb463d3448c8aee6c6b6",
          "ValidAfterTime": "2016-06-30T18:26:45Z",
          "ValidBeforeTime": "2026-06-28T18:26:45Z"
      },
  ...
  ],
  "Name": "projects/my-project-one/serviceAccounts/service-account@my-project-one.iam.gserviceaccount.com",
  "Oauth2ClientId": "115386704809902483492",
  "Policy": [
      {
          "Members": [
              "user:test-user@gmail.com"
          ],
          "Role": "roles/iam.serviceAccountActor"
      }
  ],
  "ProjectId": "my-project-one",
  "UniqueId": "115386704809902483492"
}

OpenStack安全组 - 已弃用 - 请不要再使用这些

from cloudaux.orchestration.openstack.security_group import get_security_group, FLAGS

secgroup = get_security_group(result, flags=flags, **kwargs)

# The flags parameter is optional but allows the user to indicate that
# only a subset of the full item description is required.
# Security Group Flag Options:
#   RULES, INSTANCES (default)
# For instance: flags=FLAGS.RULES | FLAGS.INSTANCES

print(json.dumps(secgroup, indent=4, sort_keys=True))

{
    "assigned_to": [
        {
           "instance_id": "..."
        }
    ],
    "created_at": "...",
    "description": "...",
    "id": "...",
    "location": "...",
    "name": "...",
    "project_id": "...",
    "revision_number": 3,
    "rules": [
        {
            "rule_type": "...",
            "remote_group_id": "...",
            "from_port": "...",
            "description": "...",
            "tags": [],
            "to_port": "...",
            "ethertype": "...",
            "created_at": "...",
            "updated_at": "...",
            "security_group_id": "...",
            "revision_number": 0,
            "tenant_id": "...",
            "project_id": "..."",
            "id": "...",
            "cidr_ip": "...",
            "ip_protocol": "..."
        },
    ],
    "updated_at": "..."
}