[boto3] An error occurred (UnrecognizedClientException) when calling the GenerateDataKeyPairWithoutPlaintext operation: The security token included in the request is invalid.


Hi all, I am trying to use boto3 to do some KMS operations. I keep getting an error that my security token is invalid. I've gone through various posts I could find and was not able to find any resolution.

Things I have checked so far

  • I am not using any special region. Everything is just in standard us-east-1 nothing fancy.
  • I have created a user that has AdministratorAccess and created security access credentials for this user
  • Have tried putting these into credentials file + supplying through client() constructor

My code snippet

import boto3

aws_access_key_id = "XXX"
aws_secret_access_key = "XXX"

client = boto3.client('sts',
                      aws_access_key_id=aws_access_key_id,
                      aws_secret_access_key=aws_secret_access_key,
                      )
resp = client.get_session_token()

key = resp['Credentials']['AccessKeyId']
secret = resp['Credentials']['SecretAccessKey']
session_token = resp['Credentials']['SessionToken']

client = boto3.client(
    'kms',
    aws_access_key_id="\"" + key + "\"",
    aws_secret_access_key="\"" + secret + "\"",
    aws_session_token="\"" + session_token + "\""
)

response = client.generate_data_key_pair_without_plaintext(
    KeyId='XXX',
    KeyPairSpec='ECC_NIST_P384',
)

My code fails on the last line...

Traceback (most recent call last):
  File "C:\pathToTestScript.py", line 28, in <module>
    response = client.generate_data_key_pair_without_plaintext(
  File "C:\Users\benarnao\AppData\Roaming\Python\Python310\site-packages\botocore\client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\benarnao\AppData\Roaming\Python\Python310\site-packages\botocore\client.py", line 961, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the GenerateDataKeyPairWithoutPlaintext operation: The security token included in the request is invalid.

I am able to get the session token from STS, and notice this returns a temporary key and secret as well. I have tried the new set of credentials as well as the existing credentials + security token with no luck.

For some reason the key and secret require surrounding quotes when supplying through the client() constructor. I have tried this with and without for the session token parameter.

Any ideas?

1 Answer

I think you have to wrap your credentials in a boto3 session object if you are explicitly passing credentials instead of using default Credentials Provider Chain like you mentioned. Can you try creating session object like this first -

session = boto3.session.Session(
    aws_access_key_id=resp['Credentials']['AccessKeyId'],
    aws_secret_access_key=resp['Credentials']['SecretAccessKey'],
    aws_session_token=resp['Credentials']['SessionToken']
)

Then you can create kms client like -

kms = session.client('kms')
answered a year ago
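
A pre-flight check for the two credential mix-ups visible in this thread (literal quote characters concatenated around the values, and a long-term key paired with an STS session token), followed by the session-based KMS client the answer proposes. This is an added example, not code from the question or the answer; `check_credentials`, `kms_client_from_sts` and the sample values are hypothetical, and the prefix test assumes AWS's documented `AKIA` (long-term) and `ASIA` (temporary) access key ID prefixes.

```python
import re

QUOTES = "\"'"

# Constructed placeholder values shaped like sts.get_session_token()["Credentials"].
SAMPLE = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "exampleSecretKey/notReal+0123456789abcdef",
    "SessionToken": "EXAMPLEsessionTOKENnotREAL==",
}


def check_credentials(key, secret, token=None):
    """Return a list of problems found before any request is signed."""
    problems = []
    fields = {"access key id": key, "secret access key": secret}
    if token is not None:
        fields["session token"] = token
    for name, value in fields.items():
        core = value.strip()
        if value != core:
            problems.append(f"{name}: leading or trailing whitespace")
        if core and (core[0] in QUOTES or core[-1] in QUOTES):
            problems.append(f"{name}: wrapped in literal quote characters")
    bare = key.strip().strip(QUOTES)
    if not re.fullmatch(r"\w{16,128}", bare):
        problems.append("access key id: unexpected length or characters")
    if bare.startswith("ASIA") and not token:
        problems.append("temporary (ASIA) key id without a session token")
    if bare.startswith("AKIA") and token:
        problems.append("long-term (AKIA) key id combined with a session token")
    return problems


def kms_client_from_sts(creds, region="us-east-1"):
    """Build a KMS client from an STS Credentials dict via a Session object."""
    problems = check_credentials(
        creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    if problems:
        # Messages name the field only; credential values are never echoed.
        raise ValueError("; ".join(problems))
    import boto3  # imported lazily so the checks above run without boto3
    session = boto3.session.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region,
    )
    return session.client("kms")
```

All three values have to come from the same STS response and be passed exactly as returned.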