boto问题与IAM角色
[英]boto issue with IAM role
问题描述
I'm trying to use AWS' recently announced "IAM roles for EC2" feature, which lets security credentials automatically get delivered to EC2 instances. 
我正在尝试使用AWS最近宣布的“针对EC2的IAM角色”功能,该功能可以自动将安全凭证传递给EC2实例。 (see http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/ ). (见http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/ )。
I've set up an instance with an IAM role as described. 我已经设置了一个具有IAM角色的实例,如上所述。 I can also get (seemingly) proper access key / credentials with curl. 我也可以通过curl获得(看似)正确的访问密钥/凭证。
However, boto fails to do a simple call like "get_all_buckets", even though I've turned on ALL S3 permissions for the role. 但是,即使我为角色启用了所有S3权限,boto也无法像“get_all_buckets”那样进行简单的调用。
The error I get is "The AWS Access Key Id you provided does not exist in our records" 我得到的错误是“您提供的AWS访问密钥ID在我们的记录中不存在”
However, the access key listed in the error matches the one I get from curl. 但是,错误中列出的访问键与我从curl获得的访问键匹配。
Here is the failing script, run on an EC2 instance with an IAM role attached that gives all S3 permissions: 以下是失败的脚本,在附加了IAM角色的EC2实例上运行,该角色提供所有S3权限:
import urllib2
import ast
from boto.s3.connection import S3Connection
resp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/DatabaseApp').read()
resp=ast.literal_eval(resp)
print "access:" + resp['AccessKeyId']
print "secret:" + resp['SecretAccessKey']
conn = S3Connection(resp['AccessKeyId'], resp['SecretAccessKey'])
rs= conn.get_all_buckets()
2 个解决方案
解决方案1
61 已采纳 2012-06-21 02:17:28
If you are using boto 2.5.1 or later it's actually much easier than this. 如果您使用的是boto 2.5.1或更高版本,它实际上要比这更容易。 Boto will automatically find the credentials in the instance metadata for you and use them as long as no other credentials are found in environment variables or in a boto config file. 只要在环境变量或boto配置文件中找不到其他凭据,Boto就会自动为您找到实例元数据中的凭据并使用它们。 So, you should be able to simply do this on the EC2 instance: 所以,您应该能够在EC2实例上执行此操作:
>>> import boto
>>> c = boto.connect_s3()
>>> rs = c.get_all_buckets()
The reason that your manual approach is failing is that the credentials associated with the IAM Role is a temporary session credential and consists of an access_key , a secret_key and a security_token and you need to supply all three of those values to the S3Connection constructor. 手动方法失败的原因是与IAM角色关联的凭据是临时会话凭证,由access_key , secret_key和security_token ,您需要将所有这三个值提供给S3Connection构造函数。
解决方案2
5 2015-06-27 22:28:39
I don't know if this answer will help anyone but I was getting the same error, I had to solve my problem a little differently. 我不知道这个答案是否会对任何人有所帮助,但我得到同样的错误,我必须以不同的方式解决我的问题。 First, my amazon instance did not have any IAM roles. 首先,我的亚马逊实例没有任何IAM角色。 I thought I could just use the access key and the secret key but I kept getting this error with only those two keys. 我以为我可以使用访问密钥和密钥,但我只用这两个密钥不断收到此错误。 I read I needed a security token as well, but I didn't have one because I didn't have any IAM roles. 我读过我也需要一个安全令牌,但我没有,因为我没有任何IAM角色。 This is what I did to correct the issue: 这是我为纠正这个问题所做的:
- Create an IAM role with AmazonS3FullAccess permissions. 使用AmazonS3FullAccess权限创建IAM角色。
- Start a new instance and attach my newly created role. 启动一个新实例并附加我新创建的角色。
Even after doing this it still didn't work.
即使这样做之后仍然无效。 I had to also connect to the proper region with the code below: 我还必须使用以下代码连接到适当的区域: import boto.s3.connection
import boto.s3.connection
conn = boto.s3.connect_to_region('your-region')conn = boto.s3.connect_to_region('your-region')
conn.get_all_buckets()conn.get_all_buckets()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.