
Unable to locate credentials while making a connection with DB using boto3

I want to connect to my database and retrieve data. I am currently using an AWS Amazon Linux 2 instance. I connect using boto3.

import json

import boto3
from flask import Flask
from flask_sqlalchemy import SQLAlchemy

# Flask app object; assumed to be defined like this elsewhere in the project
application = Flask(__name__)


def db_conn():
    secret_id = 'XXXXXXXXXXXXXXXX'
    # Stays None when the response carries no SecretString
    Secret_Json = None
    try:
        # boto3 resolves AWS credentials when the request is signed
        client = boto3.client('secretsmanager', region_name="ap-southeast-2")
        get_secret_value_response = client.get_secret_value(SecretId=secret_id)
    except Exception as e:
        raise e
    else:
        if 'SecretString' in get_secret_value_response:
            Secret_Json = json.loads(get_secret_value_response['SecretString'])
    if Secret_Json is None:
        print("secret string is null")
        exit()
    # Build the SQLAlchemy connection URI from the secret's fields
    driver = 'postgresql+psycopg2://'
    db_user = Secret_Json['username']
    db_pw = Secret_Json['password']
    db_address_port_db = Secret_Json['host'] + \
                         ':' + \
                         str(Secret_Json['port']) + \
                         '/' + \
                         Secret_Json['dbInstanceIdentifier']
    application.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
    application.config['SQLALCHEMY_DATABASE_URI'] = driver + db_user + ':' + db_pw + '@' + db_address_port_db
    db = SQLAlchemy(application)
    return db

I get an error saying that credentials cannot be found:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 622, in _make_api_call
    operation_model, request_dict, request_context)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 641, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 116, in create_request
    operation_name=operation_model.name)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 160, in sign
    auth.add_auth(request)
  File "/usr/local/lib/python3.7/site-packages/botocore/auth.py", line 357, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials

Please help me: what should I do to solve this problem?

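You must assign your instance an IAM role with the required permissions.

Boto3 will use that role's permissions to access your resources, such as Secrets Manager.

For example, the role could include an inline policy for reading from Secrets Manager: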

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "<arn-of-your-secret>"
        }
    ]
}

If you use KMS to encrypt your secret, KMS permissions may also be required.
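An inline policy like the one in the answer can be checked for least privilege before it is attached to the instance role. This is an added example, not code from the original answer: the account ID, the secret names and the `review_policy` helper are constructed for illustration, and the evaluation is simplified (one policy document, no conditions).

```python
import json
import re

# Constructed values: the account ID and secret names are placeholders, not from the page.
SECRET_ARN = "arn:aws:secretsmanager:ap-southeast-2:111122223333:secret:example-db-AbCdEf"
OTHER_ARN = "arn:aws:secretsmanager:ap-southeast-2:111122223333:secret:other-app-GhIjKl"
ACTION = "secretsmanager:GetSecretValue"


def make_policy(action, resource, effect="Allow"):
    """Build a one-statement policy shaped like the one in the answer."""
    stmt = {"Effect": effect, "Action": action, "Resource": resource}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


def _glob(pattern, value, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_policy(policy_json, secret_arn, action=ACTION):
    """Return (allowed, findings) for one identity policy document.

    Simplified: statements with Condition/NotAction/NotResource are reported, not evaluated.
    """
    allowed, denied, findings = False, False, []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.keys() & {"Condition", "NotAction", "NotResource"}:
            findings.append("statement skipped: Condition/NotAction/NotResource not evaluated")
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if not (any(_glob(a, action, True) for a in actions)
                and any(_glob(r, secret_arn) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            denied = True  # an explicit Deny always overrides an Allow
            continue
        allowed = True
        findings += [f"wildcard action: {a}" for a in actions if "*" in a]
        findings += [f"resource beyond this secret: {r}" for r in resources if r != secret_arn]
    return allowed and not denied, findings
```

An empty findings list with `allowed` set to `True` means the policy grants exactly the one action on the one secret.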
