请求中包含的安全令牌已过期
[英]The security token included in the request is expired
问题描述
I have a script that pulls a lot of metrics from Cloudwatch for our own internal reports.
我有一个脚本可以从 Cloudwatch 中提取大量指标用于我们自己的内部报告。
The script iterates all of the EC2 instances in a specific region and ask for 5 cloudwatch metrics (all the statistics available) for the past 2 weeks (each time 5 days back in 5 minutes interval which is exactly the 1440 quota).该脚本迭代特定区域中的所有 EC2 实例,并询问过去 2 周的 5 个 cloudwatch 指标(所有可用的统计数据)(每次 5 天以 5 分钟为间隔返回,正好是 1440 配额)。 I'm using an assumed session:我正在使用假设的 session:
session = Session(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=regionName)
sts = session.client('sts')
response = sts.assume_role(
RoleArn=arn, # External role arn
RoleSessionName='role-name',
ExternalId='<some-id-here>',
)
tempAccessKeyId = response['Credentials']['AccessKeyId']
tempSecretAccessKey = response['Credentials']['SecretAccessKey']
tempSessionToken = response['Credentials']['SessionToken']
assumedSession = Session(
aws_access_key_id=tempAccessKeyId,
aws_secret_access_key=tempSecretAccessKey,
aws_session_token=tempSessionToken,
region_name=regionName)
While running the script I got this exception:在运行脚本时我得到了这个异常:
botocore.exceptions.ClientError: An error occurred (ExpiredToken) when calling the GetMetricStatistics operation: The security token included in the request is expired
Is there a way to make sure the token doesn't expire while running the script?有没有办法确保令牌在运行脚本时不会过期? I'm using boto3.我正在使用 boto3。
5 个解决方案
解决方案1
16 已采纳 2016-02-29 09:09:10
The assume_role method you are using returns temporary security credentials.您正在使用的 ask_role 方法返回临时安全凭证。 The following is taken from the official documentation :以下内容摘自官方文档:
The temporary security credentials are valid for the duration that you specified when calling AssumeRole , which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour).
Since you are not using the DurationSeconds keyword argument, the returned credentials are valid for the default 1 hour.由于您没有使用DurationSeconds关键字参数,因此返回的凭据在默认 1 小时内有效。 You must make sure to get new credentials in order to make requests after 1 hour.您必须确保获得新凭据才能在 1 小时后提出请求。 See the following from the Temporary Security Credentials official documentation :请参阅Temporary Security Credentials 官方文档中的以下内容:
When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
解决方案2
2 2022-04-26 16:36:22
Instance time sync issue can also cause this which blocks IAM token refresh, I had tried all the solutions but nothing worked and finally found that its the time difference with instance and AWS services.实例时间同步问题也可能导致阻止 IAM 令牌刷新,我尝试了所有解决方案但没有任何效果,最后发现它与实例和 AWS 服务的时间差。 Installing chrony can help in automatic time sync.安装 chrony 有助于自动时间同步。
解决方案3
1 2020-06-18 13:35:29
I found AWS Premium Support answer for the issue very concise and relevant我发现AWS Premium Support对这个问题的回答非常简洁且相关
Also important to note that error sometimes comes up when server time is drifted from the correct time (10-15 minutes will cause the error)同样重要的是要注意,当服务器时间偏离正确时间时,有时会出现错误(10-15 分钟会导致错误)
解决方案4
1 2021-07-23 16:52:18
In my case the issue was that, I had credentials in my .aws/configure and was trying to configure from that but what I didn't realize is I had another pair of credentials AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY set in environmental variables.就我而言,问题是,我的.aws/configure有凭证,并试图从中进行配置,但我没有意识到我在环境变量中设置了另一对凭证AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY 。
you can do this ( which will remove credentials from environment ).您可以执行此操作(这将从环境中删除凭据)。
unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
Now you will have only one set of access keys ie in .aws/configure and I was able to make connection sucessfully.现在您将只有一组访问密钥,即在.aws/configure并且我能够成功建立连接。
aws configure
aws sts get-caller-identity
if you are using profile other than default, use --profile flag in the above command.如果您使用的不是默认配置文件, --profile在上述命令中使用--profile标志。
解决方案5
-1 2020-10-12 10:13:55
I also face this error and even I checked my .aws/credential file.我也面临这个错误,甚至我检查了我的.aws/credential文件。 It contains credentials but still I will recommend following step:它包含凭据,但我仍然建议执行以下步骤:
before doing anything, first thing you must do run following command在做任何事情之前,你必须首先运行以下命令
aws sts get-caller-identity
if you have more than one profile in aws credential then use this one如果您在 aws 凭证中有多个配置文件,请使用此配置文件
you can check your profile in following file .aws/credential .您可以在以下文件.aws/credential检查您的个人资料。 If you have only [default] then no need to mention profile如果您只有[default]则无需提及个人资料
aws --profile NAME_OF_YOUR_PROFILE sts get-caller-identity
Now the question is that above command will solve the problem?现在的问题是,上面的命令可以解决问题吗?
No, But at least it will let you know that your credential are correct or not.不,但至少它会让您知道您的凭据是否正确。 I was facing same error and when I run above command it give me following error我遇到了同样的错误,当我运行上面的命令时,它给了我以下错误
An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
So at least I find out that I was using wrong credential.所以至少我发现我使用了错误的凭据。 I just replace credential and my problem get solved.我只是更换凭证,我的问题就解决了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.