[英]Issue connecting to AWS SQS using IAM Role with Boto 2.38
I cannot authenticate to AWS Simple Queue Service (SQS) from an EC2 instance using its associated IAM Role with Boto 2.38 library (and Python 3 ). 我无法使用其与Boto 2.38库(和Python 3 )关联的IAM角色从EC2实例向AWS Simple Queue Service (SQS)进行身份验证。
I couldn't find anything specific on documentation about it, but as far as I could understand from examples and other questions around, it was supposed to work just opening a connection like this. 我找不到关于它的文档的任何具体信息,但是据我从示例和周围的其他问题可以理解的是,它应该可以像这样打开连接。
conn = boto.sqs.connect_to_region('us-east-1')
queue = conn.get_queue('my_queue')
Instead, I get a null object from the connect method, unless I provide credentials on my environment, or explicitly to the method. 取而代之的是,除非从我的环境中或显式地向该方法提供凭据,否则我将从connect方法获得一个空对象。
I'm pretty sure my role is ok, because it works for other services like S3 , describing EC2 tags, sending metrics to CloudWatch , etc, all transparently. 我很确定自己的角色还可以,因为它可以透明地用于S3等其他服务,描述EC2标签,将指标发送到CloudWatch等。 My SQS policy is like this: 我的SQS政策是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SQSFullAccess",
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": [
"arn:aws:sqs:us-east-1:<account_id>:<queue_name1>",
"arn:aws:sqs:us-east-1:<account_id>:<queue_name2>"
]
}
]
}
In order to get rid of any suspicion about my policy, I even associated a FullAdmin policy to my role temporarily, without success. 为了消除对我的策略的怀疑,我什至暂时将FullAdmin策略与我的角色相关联,但没有成功。
I also verified that it won't work with AWS CLI as well (which, as far as I know, uses Boto as well). 我还验证了它也不能与AWS CLI一起使用(据我所知,它也使用Boto )。 So, the only conclusion I could come up with is that this is a Boto issue with SQS client. 因此,我唯一能得出的结论是,这是SQS客户端的Boto问题。
Would anyone have a different experience with it? 会有人有不同的经历吗? I know that switching to Boto 3 would probably solve it, but I don't consider doing it right now and if it is really a bug, I think it should be reported on git, anyway. 我知道切换到Boto 3可能会解决它,但是我现在不考虑这样做,如果它确实是个错误,我认为应该在git上进行报告。
Thanks. 谢谢。
Answering myself. 回答我自己。
Boto's 2.38 SQS client does work with IAM Roles. 宝途的2.38 SQS客户端不与IAM角色的工作。 I had a bug in my application. 我的应用程序中有一个错误。
As for AWS CLI, a credential file ( ~/.aws/credentials ) was present in my local account, and being used instead of the instance's role, because the role is the last one to be looked up by the CLI. 对于AWS CLI,我的本地帐户中存在一个凭证文件( 〜/ .aws / credentials ),并且该凭证文件代替了实例的角色,因为该角色是CLI所要查找的最后一个文件。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.