IAM 角色的 boto 问题 [英] boto issue with IAM role

问题描述

我正在尝试使用 AWS 最近宣布的EC2 的 IAM 角色"功能，该功能可让安全凭证自动传送到 EC2 实例.(请参阅 http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/).

我已经按照描述设置了一个具有 IAM 角色的实例.我还可以通过 curl 获得(看似)正确的访问密钥/凭据.

然而，boto 无法执行像get_all_buckets"这样的简单调用，即使我已经为该角色打开了所有 S3 权限.

我收到的错误是我们的记录中不存在您提供的 AWS 访问密钥 ID"

但是，错误中列出的访问密钥与我从 curl 获得的密钥相匹配.

以下是失败的脚本，在附加了 IAM 角色的 EC2 实例上运行，该角色授予所有 S3 权限:

导入 urllib2进口AST从 boto.s3.connection 导入 S3Connectionresp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/DatabaseApp').read()resp=ast.literal_eval(resp)打印访问:"+ resp['AccessKeyId']打印秘密:"+ resp['SecretAccessKey']conn = S3Connection(resp['AccessKeyId'], resp['SecretAccessKey'])rs= conn.get_all_buckets()

解决方案

如果您使用的是 boto 2.5.1 或更高版本，它实际上比这要容易得多.只要在环境变量或 boto 配置文件中未找到其他凭据，Boto 就会自动为您在实例元数据中查找凭据并使用它们.因此，您应该能够在 EC2 实例上简单地执行此操作:

<预><代码>>>>进口博托>>>c = boto.connect_s3()>>>rs = c.get_all_buckets()

您的手动方法失败的原因是与 IAM 角色关联的凭证是一个临时会话凭证，由一个 access_key、一个 secret_key 和一个 security_token 并且您需要将所有三个值提供给 S3Connection 构造函数.

I'm trying to use AWS' recently announced "IAM roles for EC2" feature, which lets security credentials automatically get delivered to EC2 instances. (see http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/).

I've set up an instance with an IAM role as described. I can also get (seemingly) proper access key / credentials with curl.

However, boto fails to do a simple call like "get_all_buckets", even though I've turned on ALL S3 permissions for the role.

The error I get is "The AWS Access Key Id you provided does not exist in our records"

However, the access key listed in the error matches the one I get from curl.

Here is the failing script, run on an EC2 instance with an IAM role attached that gives all S3 permissions:

import urllib2
import ast
from boto.s3.connection import S3Connection

resp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/DatabaseApp').read()
resp=ast.literal_eval(resp)
print "access:" + resp['AccessKeyId']
print "secret:" + resp['SecretAccessKey']
conn = S3Connection(resp['AccessKeyId'], resp['SecretAccessKey'])
rs= conn.get_all_buckets()

解决方案

If you are using boto 2.5.1 or later it's actually much easier than this. Boto will automatically find the credentials in the instance metadata for you and use them as long as no other credentials are found in environment variables or in a boto config file. So, you should be able to simply do this on the EC2 instance:

>>> import boto
>>> c = boto.connect_s3()
>>> rs = c.get_all_buckets()

The reason that your manual approach is failing is that the credentials associated with the IAM Role is a temporary session credential and consists of an access_key, a secret_key and a security_token and you need to supply all three of those values to the S3Connection constructor.

这篇关于IAM 角色的 boto 问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！