[英]Boto3: get credentials dynamically?
I am struggling to find out how I can get my aws_access_key_id and aws_secret_access_key dynamically from my code.我正在努力找出如何从我的代码中动态获取我的 aws_access_key_id 和 aws_secret_access_key 。
In boto2 I could do the following: boto.config.get_value('Credentials', 'aws_secret_access_key')
but I can't seem to find a similar method in boto3.在 boto2 中,我可以执行以下操作:
boto.config.get_value('Credentials', 'aws_secret_access_key')
但我似乎无法在 boto3 中找到类似的方法。 I was able to find the keys if I look in boto3.Session()._session._credentials
but that seems like the mother of all hacks to me and I would rather not go down that road.如果我查看
boto3.Session()._session._credentials
,我就能找到密钥,但这对我来说似乎是所有黑客之母,我宁愿不走那条路的 go。
It's generally a best practice to only use temporary credentials .通常最好的做法是只使用临时凭证。 You can get temporary credentials with
STS.get_session_token
.您可以使用
STS.get_session_token
获取临时凭证。
EDIT: As of this PR , you can access the current session credentials like so:编辑:从这个 PR 开始,您可以像这样访问当前会话凭据:
import boto3
session = boto3.Session()
credentials = session.get_credentials()
# Credentials are refreshable, so accessing your access key / secret key
# separately can lead to a race condition. Use this to get an actual matched
# set.
credentials = credentials.get_frozen_credentials()
access_key = credentials.access_key
secret_key = credentials.secret_key
redshift = session.client('redshift')
...
I would still recommend using temporary credentials scoped to exactly what redshift needs.我仍然建议使用范围完全符合 redshift 需要的临时凭证。
Use botocore使用botocore
>>> import botocore.session
>>> session = botocore.session.get_session()
>>> session.get_credentials().access_key
'AKIAABCDEF6RWSGI234Q'
>>> session.get_credentials().secret_key
'abcdefghijkl+123456789+qbcd'
>>> session.get_config_variable('region')
'us-east-1'
Can I suggest that accessing the keys is WRONG using boto3 :我可以建议使用boto3访问密钥是错误的吗:
import boto3
session = boto3.Session(profile_name="my-profile")
dynamodb = session.resource(
"dynamodb",
region_name=session.region_name,
# aws_access_key_id=session.get_credentials().access_key,
# aws_secret_access_key=session.get_credentials().secret_key,
)
Notice, I commented out accessing the keys because 1 :请注意,我注释掉了访问密钥,因为1 :
Any clients created from this session will use credentials from the
[my-profile]
section of~/.aws/credentials
.从此会话创建的任何客户端都将使用
~/.aws/credentials
的[my-profile]
部分中的~/.aws/credentials
。
import boto3
from botocore import session
def get_credentials():
credentials = boto3.client(
'sts',
region_name="us-east-1",
aws_access_key_id='123',
aws_secret_access_key='123',
).assume_role(
RoleArn="arn:aws-cn:iam::123", # Your RoleArn
RoleSessionName='boto3_client')
return credentials
def db_conn():
credentials = get_credentials()
db = boto3.resource(
'dynamodb',
region_name="us-east-1",
aws_access_key_id=credentials['Credentials']['AccessKeyId'],
aws_secret_access_key=credentials['Credentials']['SecretAccessKey'],
aws_session_token=credentials['Credentials']['SessionToken'],
)
# table = db.Table(your_table_name)
# response = table.query(
# IndexName='age',
# KeyConditionExpression=Key('age').eq(11)
# )
if __name__ == "__main__":
db_conn()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.