[boto3] An error occurred (UnrecognizedClientException) when calling the GenerateDataKeyPairWithoutPlaintext operation: The security token included in the request is invalid.

0

Hi all, I am trying to use boto3 to do some KMS operations. I keep getting an error that my security token is invalid. I've gone through various posts I could find and was not able to find any resolution.

Things I have checked so far

  • I am not using any special region. Everything is just in standard us-east-1, nothing fancy.
  • I have created a user that has AdministratorAccess and created security access credentials for this user.
  • I have tried putting these into the credentials file and supplying them through the client() constructor.

My code snippet

import boto3

# Long-term IAM user credentials (redacted)
aws_access_key_id = "XXX"
aws_secret_access_key = "XXX"

# Exchange the long-term credentials for temporary ones via STS
client = boto3.client('sts',
                      aws_access_key_id=aws_access_key_id,
                      aws_secret_access_key=aws_secret_access_key,
                      )
resp = client.get_session_token()

# Temporary key, secret and session token returned by STS
key = resp['Credentials']['AccessKeyId']
secret = resp['Credentials']['SecretAccessKey']
session_token = resp['Credentials']['SessionToken']

# Each value is wrapped in literal double-quote characters, which become
# part of the strings handed to boto3
client = boto3.client(
    'kms',
    aws_access_key_id="\"" + key + "\"",
    aws_secret_access_key="\"" + secret + "\"",
    aws_session_token="\"" + session_token + "\""
)

# The KMS call that fails with UnrecognizedClientException
response = client.generate_data_key_pair_without_plaintext(
    KeyId='XXX',
    KeyPairSpec='ECC_NIST_P384',
)

My code fails on the last line...

Traceback (most recent call last):
  File "C:\pathToTestScript.py", line 28, in <module>
    response = client.generate_data_key_pair_without_plaintext(
  File "C:\Users\benarnao\AppData\Roaming\Python\Python310\site-packages\botocore\client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\benarnao\AppData\Roaming\Python\Python310\site-packages\botocore\client.py", line 961, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the GenerateDataKeyPairWithoutPlaintext operation: The security token included in the request is invalid.

I am able to get the session token from STS, and notice this returns a temporary key and secret as well. I have tried the new set of credentials as well as the existing credentials + security token, with no luck.

For some reason the key and secret require surrounding quotes when supplied through the client() constructor. I have tried this with and without quotes for the session token parameter.

Any ideas?

1 Answer
0

I think you have to wrap your credentials in a boto3 session object if you are explicitly passing credentials instead of using the default Credentials Provider Chain, like you mentioned. Can you try creating a session object like this first -

# Temporary credentials from the STS get_session_token() response, passed through as-is
session = boto3.session.Session(
    aws_access_key_id=resp['Credentials']['AccessKeyId'],
    aws_secret_access_key=resp['Credentials']['SecretAccessKey'],
    aws_session_token=resp['Credentials']['SessionToken']
)

Then you can create the kms client like -

kms = session.client('kms')
answered a year ago
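An added example, not code from the question or the answer: it maps the STS get_session_token() response to Session keyword arguments the way the answer suggests, but first checks that no value carries stray quote characters or whitespace, since with the `"\"" + key + "\""` pattern in the question the quotes become part of the credential that is signed and sent, which is exactly what AWS then reports as an invalid security token. The key-id prefix check (ASIA for temporary keys, AKIA for long-term keys) is an assumption used only as a sanity check; `credential_problems`, `session_kwargs` and `kms_client` are names chosen here.

```python
import re
from typing import Any, Dict, Mapping

# Temporary access key ids issued by STS start with "ASIA" and are 20 characters long;
# long-term IAM user keys start with "AKIA" (used here as a sanity check, an assumption).
_ACCESS_KEY_ID_RE = re.compile(r"^(ASIA|AKIA)[A-Z0-9]{16}$")

def credential_problems(creds: Mapping[str, str]) -> Dict[str, str]:
    """Return {field: problem} for values that would go into a signed request unchanged.
    Values are never echoed, so nothing secret ends up in logs or tracebacks."""
    problems: Dict[str, str] = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken"):
        value = creds.get(field)
        if not isinstance(value, str) or not value:
            problems[field] = "missing or empty"
        elif value != value.strip():
            problems[field] = "has leading or trailing whitespace"
        elif '"' in value or "'" in value:
            # the question's "\"" + key + "\"" pattern puts literal quotes into the value
            problems[field] = "contains quote characters"
    if "AccessKeyId" not in problems and not _ACCESS_KEY_ID_RE.match(creds["AccessKeyId"]):
        problems["AccessKeyId"] = "does not look like an AWS access key id"
    return problems

def session_kwargs(sts_response: Mapping[str, Any]) -> Dict[str, str]:
    """Map a get_session_token() response to boto3.session.Session keyword arguments."""
    creds = sts_response["Credentials"]
    problems = credential_problems(creds)
    if problems:
        raise ValueError("unusable STS credentials: " + ", ".join(f"{f} {p}" for f, p in problems.items()))
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }

def kms_client(sts_response: Mapping[str, Any], region_name: str = "us-east-1"):
    """Build the KMS client as the answer suggests: via a Session, values passed through unmodified."""
    import boto3  # imported lazily so the checks above run without boto3 installed
    session = boto3.session.Session(region_name=region_name, **session_kwargs(sts_response))
    return session.client("kms")

if __name__ == "__main__":
    # Constructed STS-style response with placeholder values, not real credentials
    fake = {"Credentials": {"AccessKeyId": "ASIA" + "A" * 16,
                            "SecretAccessKey": "placeholder-secret",
                            "SessionToken": "placeholder-token"}}
    print(credential_problems(fake["Credentials"]))  # {}
    quoted = {f: '"' + v + '"' for f, v in fake["Credentials"].items()}
    print(credential_problems(quoted))  # every field: 'contains quote characters'
```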
