I am trying to create a security group in AWS using boto3, in which the source of the traffic is coming from an existing security group. This is how I am doing it:
```python
res = client.authorize_security_group_ingress(
    GroupId=sg_id,  # <---- sg I want to modify
    IpPermissions=[{
        'IpProtocol': 'tcp',
        'FromPort': 80,
        'ToPort': 80,
        'IpRanges': [{'CidrIp': 'sg-xxxxxxx'}]  # <--- sg I want to be the source
    }]
)
```
But I am getting:
An error occurred (InvalidParameterValue) when calling the AuthorizeSecurityGroupIngress operation: CIDR block sg-0ae9ec592f6d43219 is malformed
which to be honest is kind of obvious, because the field in IpRanges is CidrIp, and not something like groupId, which is what I was expecting to write.
But according to the documentation:
CidrIp (string) -- The IPv4 CIDR range. You can either specify a CIDR range or a source security group, not both. To specify a single IPv4 address, use the /32 prefix length.
It doesn't really say "source security group id", I just assumed it would be the id. I tried the name and it also does not work (specifying the name will try to look up an SG with that name in the default VPC).
You have to use the UserIdGroupPairs option instead of IpRanges:

```python
'UserIdGroupPairs': [
    {
        'Description': 'string',
        'GroupId': 'string',
        'GroupName': 'string',
        'PeeringStatus': 'string',
        'UserId': 'string',
        'VpcId': 'string',
        'VpcPeeringConnectionId': 'string'
    },
]
```
Which is, from the same documentation:

UserIdGroupPairs (list) -- The security group and AWS account ID pairs. Each item is a dict describing a security group and AWS account ID pair:

    Description (string) -- A description for the security group rule that references this user ID group pair. Constraints: up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
    GroupId (string) -- The ID of the security group.
    GroupName (string) -- The name of the security group. In a request, use this parameter for a security group in EC2-Classic or a default VPC only. For a security group in a nondefault VPC, use the security group ID. For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.
    PeeringStatus (string) -- The status of a VPC peering connection, if applicable.
    UserId (string) -- The ID of an AWS account. For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned. [EC2-Classic] Required when adding or removing rules that reference a security group in another AWS account.
    VpcId (string) -- The ID of the VPC for the referenced security group, if applicable.
    VpcPeeringConnectionId (string) -- The ID of the VPC peering connection, if applicable.