Hi,
I ran the following code in my test environment, and it worked fine. It printed out the account number for the access key, and it gave an error when no associated account exists.
import json

import boto3
from botocore.exceptions import ClientError
from colorama import Fore  # Fore was used below but never imported

awsProfileName = 'saml'  # referenced in the except branch but never defined
session = boto3.session.Session(profile_name=awsProfileName)
client = session.client('sts')  # built from the session so the profile's credentials are the ones used
try:
    accessKeyId = session.get_credentials().access_key
    print('Validating Profile: {0} | AccessKeyId: {1}'.format(awsProfileName, accessKeyId))
    # Returns the account the key belongs to; says nothing about whether the key is active
    accKeyChkResp = client.get_access_key_info(AccessKeyId=accessKeyId)
    print(json.dumps(accKeyChkResp))
except ClientError as e:  # a bare Exception has no .response attribute
    print(Fore.LIGHTRED_EX + 'Code: {0} | Profile Name: {1} | Exception: {2!r}'.format(
        e.response['Error']['Code'], awsProfileName, e.args))
However, this piece of code does NOT provide the information that you are looking for:
This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.
Also, this is discussed a bit in this Stack Overflow post, where they discuss that this capability does NOT currently exist and, if it did exist, it might be considered a security risk. They also discuss work-arounds where you could do a list_buckets() call to see if the key works, but that would only be workable if all possible keys have the list_buckets() permission.
Link: https://stackoverflow.com/questions/53548737/verify-aws-credentials-with-boto3
It may be a good-to-have feature, but it may lead to security risks. If such a method existed, it may lead to better recon for an adversary, should the adversary find a pair of creds.
Hope this helps.
-randy
Hi Randy,
Are you using temporary access keys? Can you please check if keys (starting with ASIA*) received through assume_role_with_saml work?
Thanks,
Indranil
My bad!! While creating the client, I should have referred to the session context, rather than boto3.
It should be:
session = boto3.session.Session(profile_name='saml')
client = session.client('sts')
Not:
session = boto3.session.Session(profile_name='saml')
client = boto3.client('sts')
Thanks for your help.
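Putting both points of the thread together (Randy's caveat that GetAccessKeyInfo only returns the owning account, and Indranil's fix of building the STS client from the session), here is an added example that is not part of the original thread: it looks up the account and then proves the key is actually usable with GetCallerIdentity, which AWS accepts for any active key without an IAM permission. The status mapping from STS error codes is an assumption of this example, and the `saml` profile name is taken from the thread.

```python
from dataclasses import dataclass
from typing import Optional
try:
    from botocore.exceptions import ClientError
except ImportError:  # stand-in with the real constructor shape, so the module imports without the SDK
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
# STS error codes that say something about the key itself (assumed mapping). STS does not
# tell a deactivated key from a deleted one: both come back as InvalidClientTokenId.
KEY_STATUS_BY_ERROR = {
    'InvalidClientTokenId': 'invalid-or-inactive',
    'ExpiredToken': 'expired',  # temporary ASIA* credentials past their lifetime
    'SignatureDoesNotMatch': 'bad-secret',
}

def classify_sts_error(code: str) -> str:
    """Map an STS error code to a key status; anything else is a failure of the call itself."""
    return KEY_STATUS_BY_ERROR.get(code, 'error:' + code)

@dataclass
class KeyCheck:
    access_key_id: str
    account: Optional[str]  # owner account from GetAccessKeyInfo, None if that call failed
    status: str             # 'active' or one of the classifications above

def check_access_key(session, sts=None) -> KeyCheck:
    """Look up the key's owning account, then prove the key is usable with GetCallerIdentity.
    `sts` defaults to a client created from the session (the fix from the thread), so the
    profile's own credentials, not the default chain, are the ones being tested."""
    creds = session.get_credentials()
    if creds is None:
        return KeyCheck('', None, 'no-credentials')
    sts = sts or session.client('sts')
    account = None
    try:
        account = sts.get_access_key_info(AccessKeyId=creds.access_key)['Account']
    except ClientError:
        pass  # needs sts:GetAccessKeyInfo permission; an unknown account stays None
    try:
        sts.get_caller_identity()  # accepted for any active key; needs no IAM permission
        status = 'active'
    except ClientError as e:
        status = classify_sts_error(e.response['Error']['Code'])
    return KeyCheck(creds.access_key, account, status)

if __name__ == '__main__':
    import boto3
    print(check_access_key(boto3.session.Session(profile_name='saml')))  # profile name from the thread
```

The optional `sts` parameter exists so the logic can be exercised with a stubbed client offline; in normal use leave it out and the client comes from the session.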