
When I try to update egress rule using boto3. I get the following error:

import boto3

client = boto3.client('ec2')
# group_id, from_port and to_port are defined earlier in the script (not shown)
client.authorize_security_group_egress(
    GroupId=group_id, CidrIp="0.0.0.0/0",
    IpProtocol='tcp',
    FromPort=from_port,
    ToPort=to_port)

WARNING:root:Unexpected Error: An error occurred (UnknownParameter) when calling the AuthorizeSecurityGroupEgress operation: The parameter CidrIp is not recognized

But this is working fine on ingress rules.

mootmoot
user37143
  • Code please. Otherwise a moderator will be happy to mod down this question. – mootmoot May 03 '16 at 13:09
  • Maybe `GroupId` and `CidrIp` params don't go together. If you are authorizing egress to another security group, you are authorizing egress to machines that have certain IPs. So a CidrIp value is contradictory to that first limitation. – salsbury Jun 02 '16 at 20:49

1 Answer


There can be multiple problems here.

Firstly, it only works with EC2-VPC. It doesn't work with EC2-Classic: http://boto3.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.authorize_security_group_egress

[EC2-VPC only] Adds one or more egress rules to a security group for use with a VPC. Specifically, this action permits instances to send traffic to one or more destination CIDR IP address ranges, or to one or more destination security groups for the same VPC. This action doesn't apply to security groups for use in EC2-Classic. For more information, see Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide .

Secondly, boto3 does contain some documentation errors. As mentioned by @Tayler, perhaps you should just omit CidrIp. Honestly, I don't see why you need to create such egress rules, since it is the default for all security groups.

If you wish to remove all the rules in the group, you need to use revoke_security_group_egress. authorize_security_group_egress cannot "update" rules, it only adds rules.

mootmoot
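The following is an added example, not code from the question or the answer above. It shows the egress "update" the answer describes done through the IpPermissions list, which is the form authorize_security_group_egress accepts (the top-level CidrIp/FromPort/ToPort parameters appear in the boto3 docs for this call but are not supported by the egress API, hence the UnknownParameter error). Because authorize only adds rules, the example compares the rules the group already has with the rules you want, authorizes the missing ones and then revokes the surplus ones, so the group never drops a destination the workload needs in between. FakeEc2 is a constructed stand-in for a boto3 client so the flow runs offline; the group id sg-example, DEFAULT_EGRESS and the target rule set DESIRED are constructed inputs, and any real group id is passed on the command line.

```python
# Added example: replace a VPC security group's egress rules with boto3.
# authorize_security_group_egress takes only IpPermissions (no top-level
# CidrIp) and only adds rules, so an update is: authorize what is missing,
# then revoke what is surplus with revoke_security_group_egress.
import sys
from typing import Any, Dict, List, Set, Tuple

Atom = Tuple[str, int, int, str, str]  # (protocol, from_port, to_port, kind, target)
CONTAINER = {"CidrIp": "IpRanges", "CidrIpv6": "Ipv6Ranges",
             "PrefixListId": "PrefixListIds", "GroupId": "UserIdGroupPairs"}


def egress_rule(ip_protocol: str, cidr: str, from_port: int = -1, to_port: int = -1) -> Dict[str, Any]:
    """One IpPermissions entry for a CIDR destination. ip_protocol is 'tcp',
    'udp', 'icmp' or '-1' (all traffic); the port range is omitted for '-1'."""
    perm: Dict[str, Any] = {"IpProtocol": ip_protocol}
    if ip_protocol != "-1":
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    kind = "CidrIpv6" if ":" in cidr else "CidrIp"
    perm[CONTAINER[kind]] = [{kind: cidr}]
    return perm


def atoms(perm: Dict[str, Any]) -> Set[Atom]:
    """Flatten a permission (as describe_security_groups returns it) into one
    tuple per destination, so rule sets compare regardless of grouping."""
    proto, frm, to = perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1)
    out: Set[Atom] = set()
    for kind, container in CONTAINER.items():
        for entry in perm.get(container, []):
            out.add((proto, frm, to, kind, entry[kind]))
    return out


def atom_to_perm(atom: Atom) -> Dict[str, Any]:
    """Inverse of atoms(): a single-destination IpPermissions entry."""
    proto, frm, to, kind, target = atom
    perm: Dict[str, Any] = {"IpProtocol": proto}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = frm, to
    perm[CONTAINER[kind]] = [{kind: target}]
    return perm


def plan(current: List[Dict[str, Any]], desired: List[Dict[str, Any]]):
    """Return (to_revoke, to_authorize) that turns `current` into `desired`."""
    have = set().union(*(atoms(p) for p in current))
    want = set().union(*(atoms(p) for p in desired))
    return ([atom_to_perm(a) for a in sorted(have - want)],
            [atom_to_perm(a) for a in sorted(want - have)])


def apply_egress(ec2, group_id: str, desired: List[Dict[str, Any]]) -> Dict[str, int]:
    """Make group_id's egress rules equal to `desired`. `ec2` is a boto3 EC2
    client (or anything with the same three methods). New rules go in first
    so a destination the workload needs is never missing between the calls."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_revoke, to_authorize = plan(group["IpPermissionsEgress"], desired)
    if to_authorize:
        ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=to_authorize)
    if to_revoke:
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=to_revoke)
    return {"authorized": len(to_authorize), "revoked": len(to_revoke)}


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client so the flow runs offline.
    Like the real egress API it accepts only the IpPermissions form."""
    def __init__(self, group_id: str, egress: List[Dict[str, Any]]):
        self.rules = {group_id: list(egress)}
        self.calls: List[Tuple[str, int]] = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": g, "IpPermissionsEgress": self.rules[g]} for g in GroupIds]}

    def authorize_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("authorize", len(IpPermissions)))
        self.rules[GroupId] = self.rules[GroupId] + list(IpPermissions)
        return {"Return": True}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("revoke", len(IpPermissions)))
        gone = set().union(*(atoms(p) for p in IpPermissions))
        self.rules[GroupId] = [atom_to_perm(a) for p in self.rules[GroupId] for a in atoms(p) if a not in gone]
        return {"Return": True}


# The allow-all rule every new VPC security group starts with.
DEFAULT_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                   "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]
# Constructed target rule set: HTTPS anywhere, DNS only towards the private range.
DESIRED = [egress_rule("tcp", "0.0.0.0/0", 443, 443), egress_rule("udp", "10.0.0.0/8", 53, 53)]

if __name__ == "__main__":
    group_id = sys.argv[1] if len(sys.argv) > 1 else "sg-example"  # pass a real VPC group id to apply for real
    if group_id == "sg-example":
        client = FakeEc2(group_id, DEFAULT_EGRESS)  # offline run against the constructed fake
    else:
        import boto3
        client = boto3.client("ec2")
    print(apply_egress(client, group_id, DESIRED))
```

Running it with no arguments prints {'authorized': 2, 'revoked': 1} against the fake; running it again against the same group is a no-op, because plan() finds nothing to add or remove. The authorize-then-revoke order also avoids InvalidPermission.Duplicate errors, since a rule already present is never re-authorized.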