Boto3:动态获取凭据? [英] Boto3: get credentials dynamically?

问题描述

我正在努力寻找如何从代码中动态获取aws_access_key_id和aws_secret_access_key的方法.

I am struggling to find out how I can get my aws_access_key_id and aws_secret_access_key dynamically from my code.

在boto2中，我可以执行以下操作:boto.config.get_value('Credentials', 'aws_secret_access_key')，但似乎在boto3中找不到类似的方法.如果我查看boto3.Session()._session._credentials，就能够找到密钥，但这似乎是所有黑客之母，我宁愿不走这条路.

In boto2 I could do the following: boto.config.get_value('Credentials', 'aws_secret_access_key') but I can't seem to find a similar method in boto3. I was able to find the keys if I look in boto3.Session()._session._credentials but that seems like the mother of all hacks to me and I would rather not go down that road.

推荐答案

通常，最佳做法是仅 STS.get_session_token .

It's generally a best practice to only use temporary credentials. You can get temporary credentials with STS.get_session_token.

从此PR 开始，您可以像这样访问当前会话凭据:

As of this PR, you can access the current session credentials like so:

import boto3

session = boto3.Session()
credentials = session.get_credentials()

# Credentials are refreshable, so accessing your access key / secret key
# separately can lead to a race condition. Use this to get an actual matched
# set.
credentials = credentials.get_frozen_credentials()
access_key = credentials.access_key
secret_key = credentials.secret_key

redshift = session.client('redshift')
...

我仍然建议使用范围完全符合redshift需求的临时凭证.

I would still recommend using temporary credentials scoped to exactly what redshift needs.

这篇关于Boto3:动态获取凭据?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！