CODEWITHSUNDEEP
amazon-web-servicesboto3
raphaelauv
raphaelauv

Reputation: 980

boto3 s3 role arn

I can't use boto3 to connect to S3 with a role arn provided 100% programmatically.

session = boto3.Session(role_arn="arn:aws:iam::****:role/*****",
                        RoleSessionName="****")

s3_client = boto3.client('s3',
                         aws_access_key_id="****",
                         aws_secret_access_key="****")

for b in s3_client.list_buckets()["Buckets"]:
    print (b["Name"])

I can't provide arn info to Session and also client and there is no assume_role() on a client based on s3.

I found a way with a sts temporary token but I don't like that.

sess = boto3.Session(aws_access_key_id="*****",
                     aws_secret_access_key="*****")
sts_connection = sess.client('sts')
assume_role_object = sts_connection.assume_role(RoleArn="arn:aws:iam::***:role/******",
                                                RoleSessionName="**",
                                                DurationSeconds=3600)

session = boto3.Session(
    aws_access_key_id=assume_role_object['Credentials']['AccessKeyId'],
    aws_secret_access_key=assume_role_object['Credentials']['SecretAccessKey'],
    aws_session_token=assume_role_object['Credentials']['SessionToken'])

s3_client = session.client('s3')

for b in s3_client.list_buckets()["Buckets"]:
    print (b["Name"])

Do you have any idea ?

Upvotes: 3

Views: 16936

Answers (2)

John Hanley
John Hanley

Reputation: 81454

You need to understand how temporary credentials are created.

First you need to create a client using your current access keys. These credentials are then used to verify that you have the permissions to call assume_role and have the rights to issue credentials from the IAM role.

If someone could do it your way, there would be a HUGE security hole with assume_role. Your rights must be validated first, then you can issue temporary credentials.

Upvotes: 1

John Rotenstein
John Rotenstein

Reputation: 270089

Firstly, never put an Access Key and Secret Key in your code. Always store credentials in a ~/.aws/credentials file (eg via aws configure). This avoids embarrassing situations where your credentials are accidentally released to the world. Also, if you are running on an Amazon EC2 instance, then simply assign an IAM Role to the instance and it will automatically obtain credentials.

An easy way to assume a role in boto3 is to store the role details in the credentials file with a separate profile. You can then reference the profile when creating a client and boto3 will automatically call assume-role on your behalf.

See: boto3: Assume Role Provider

Upvotes: 0

Related Questions