Cannot revoke_ingress for non-default VPC with boto3

坚强是说给别人听的谎言 submitted on 2021-02-11 17:19:27

Question


AWS Lambda / python 2.7 / boto3

I'm trying to revoke one rule out of many in a security group (SG_we_are_working_with) but receive the error

An error occurred (InvalidGroup.NotFound) when calling the RevokeSecurityGroupIngress operation: The security group 'sg-xxxxx' does not exist in default VPC 'none'

The SG is indeed not in the default VPC but in a custom one, but I specify the VPC id explicitly!

SG_we_are_working_with = 'sg-xxxxx'
SG_which_is_the_source_of_the_traffic = 'sg-11111111'
VpcId = 'vpc-2222222'

import boto3

# first I load the group to find the necessary rule
ec2 = boto3.resource('ec2')
security_group = ec2.SecurityGroup(SG_we_are_working_with)
security_group.load()   # get current data

# here is loop over rules
for item in security_group.ip_permissions:

here we take the necessary item, it has something like:

{ 
"PrefixListIds": [], 
"FromPort": 6379, 
"IpRanges": [], 
"ToPort": 11211, 
"IpProtocol": "tcp", 
"UserIdGroupPairs": [ { 
    "UserId": "00111111111", 
    "Description": "my descr", 
    "GroupId": "sg-11111111" 
} ], 
"Ipv6Ranges": [] 
}

then:

# now attempt to delete, the necessary data is in 'item' variable:
IpPermissions=[
    {
        'FromPort': item['FromPort'],
        'ToPort': item['ToPort'],
        'IpProtocol': 'tcp',
        'UserIdGroupPairs': [
            {
                'Description': item['UserIdGroupPairs'][0]["Description"],
                'GroupId': item['UserIdGroupPairs'][0]["GroupId"],
                'UserId': item['UserIdGroupPairs'][0]["UserId"],
                'VpcId': str(VpcId)
            },
        ]
    }
]
security_group.revoke_ingress(
    FromPort =  item['FromPort'],
    GroupName = SG_we_are_working_with,
    IpPermissions = IpPermissions,
    IpProtocol = 'tcp',
    SourceSecurityGroupName = SG_which_is_the_source_of_the_traffic,
    ToPort = item['ToPort']
)

The doc I'm using is here

What am I doing wrong?

Thank you.


Answer 1:


I have found that the easiest way to revoke permissions is to pass-in the permissions already on the security group:

import boto3

# Connect to the Amazon EC2 service
ec2 = boto3.resource('ec2')

# Retrieve the security group
security_groups = ec2.security_groups.filter(GroupNames=['MY-GROUP-NAME'])

# Delete all rules in the group
for group in security_groups:
    group.revoke_ingress(IpPermissions = group.ip_permissions)



Answer 2:


All the code above is correct except the last part; I have no idea why it is not explained in the doc.

Solution, using the code from the question:

security_group.revoke_ingress(
    IpPermissions = IpPermissions,
)

So, all that stuff

FromPort =  item['FromPort'],
GroupName = SG_we_are_working_with,
IpProtocol = 'tcp',
SourceSecurityGroupName = SG_which_is_the_source_of_the_traffic,
ToPort = item['ToPort']

was excessive and caused the error.
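The two answers show the working call: pass the rule to remove in IpPermissions and nothing else. The name-based parameters (GroupName, SourceSecurityGroupName) are documented for EC2-Classic and the default VPC, which is why a group in a custom VPC cannot be resolved through them. The following is an added example, not code from the question or either answer: it scans SecurityGroup.ip_permissions for the one rule that matches a given source security group and port range, builds the minimal IpPermissions entry for it (so other sources that share the same port range are kept, unlike Answer 1, which drops every rule), and revokes it through IpPermissions alone. The function names, the _FakeSecurityGroup stand-in and all sample IDs are constructed for this example; the boto3 call under __main__ is guarded so the module imports offline.

```python
"""Revoke exactly one security-group ingress rule with boto3 using IpPermissions only."""


def find_ingress_rule(ip_permissions, source_group_id, from_port, to_port, protocol="tcp"):
    """Return a minimal IpPermissions entry matching one source-SG rule, or None.

    ip_permissions is the list returned by SecurityGroup.ip_permissions. Only the
    UserIdGroupPairs entry for source_group_id is kept, so passing the result to
    revoke_ingress() leaves any other sources on the same port range untouched.
    """
    for perm in ip_permissions:
        if (perm.get("IpProtocol") != protocol
                or perm.get("FromPort") != from_port
                or perm.get("ToPort") != to_port):
            continue
        pairs = [p for p in perm.get("UserIdGroupPairs", [])
                 if p.get("GroupId") == source_group_id]
        if not pairs:
            continue
        # GroupId (plus UserId when present) identifies the source group; the
        # Description and VpcId fields are not needed to match the rule.
        pair = {"GroupId": pairs[0]["GroupId"]}
        if "UserId" in pairs[0]:
            pair["UserId"] = pairs[0]["UserId"]
        return {
            "IpProtocol": protocol,
            "FromPort": from_port,
            "ToPort": to_port,
            "UserIdGroupPairs": [pair],
        }
    return None


def revoke_ingress_rule(security_group, source_group_id, from_port, to_port, protocol="tcp"):
    """Revoke one rule via IpPermissions only (no GroupName / SourceSecurityGroupName).

    security_group is a boto3 ec2.SecurityGroup resource, or any object exposing
    .ip_permissions and .revoke_ingress(IpPermissions=...). Returns the entry that
    was revoked, or None when no rule matched (nothing is sent to AWS in that case).
    """
    rule = find_ingress_rule(security_group.ip_permissions,
                             source_group_id, from_port, to_port, protocol)
    if rule is None:
        return None
    security_group.revoke_ingress(IpPermissions=[rule])
    return rule


class _FakeSecurityGroup:
    """Constructed stand-in for a boto3 SecurityGroup so the module runs offline."""

    def __init__(self, ip_permissions):
        self.ip_permissions = ip_permissions
        self.revoked = []  # records every IpPermissions list passed to revoke_ingress

    def revoke_ingress(self, IpPermissions):
        self.revoked.append(IpPermissions)


# Constructed sample mirroring the rule shape from the question: a source-SG rule
# and an unrelated CIDR rule on the same port range that must survive the revoke.
SAMPLE_IP_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 11211,
     "IpRanges": [{"CidrIp": "10.0.0.0/24"}], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 11211,
     "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"UserId": "00111111111", "Description": "my descr",
                           "GroupId": "sg-11111111"}]},
]


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    fake = _FakeSecurityGroup(SAMPLE_IP_PERMISSIONS)
    print(revoke_ingress_rule(fake, "sg-11111111", 6379, 11211))

    # Real usage (placeholders, assumed values): only the IpPermissions kwarg is sent.
    # import boto3
    # sg = boto3.resource("ec2").SecurityGroup("sg-PLACEHOLDER")
    # sg.load()
    # revoke_ingress_rule(sg, "sg-SOURCE-PLACEHOLDER", 6379, 11211)
```

Because revoke_ingress is only called when a matching entry was found, a typo in the source group ID or port range results in a None return rather than an InvalidPermission.NotFound error from AWS, and the CloudTrail record of the RevokeSecurityGroupIngress call contains exactly the one rule that was removed.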



Source: https://stackoverflow.com/questions/52316455/cannot-revoke-ingress-for-non-default-vpc-with-boto3
