Reputation: 109
I cannot give too many details due to confidentiality, but I will try to specify as best as I can.
I have an AWS role that is going to be used to call an API and has the correct permissions. I am using Boto3 to attempt to assume the role.
In my Python code I have:

    import boto3

    sts_client = boto3.client('sts')
    response = sts_client.assume_role(
        RoleArn="arn:aws:iam::ACCNAME:role/ROLENAME",
        RoleSessionName="filler",
    )
With this code, I get this error: "An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."
Any help would be appreciated. Thanks
Upvotes: 4
Views: 4377
Reputation: 1646
When you construct the client in this way, e.g. sts_client = boto3.client('sts'), it uses the boto3 DEFAULT_SESSION, which pulls from your ~/.aws/credentials file (possibly among other locations; I did not investigate further).
When I ran into this, the values for aws_access_key_id, aws_secret_access_key, and aws_session_token were stale. Updating them in the default configuration file (or simply overriding them directly in the client call) resolved this issue:
    sts_client = boto3.client('sts',
                              aws_access_key_id='aws_access_key_id',
                              aws_secret_access_key='aws_secret_access_key',
                              aws_session_token='aws_session_token')
As an aside, I found that enabling stream logging was helpful and used the output to dive into the boto3 source code and find the issue: boto3.set_stream_logger('').
Upvotes: 2
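An offline check for the stale-credentials situation described in the answer above, added here as an example and not part of the original posts or of boto3. The function name, the sample file and its fake values are constructed for illustration, and the lookup order is a simplified assumption that models only environment variables and the shared credentials file, with the environment taking precedence.

```python
import configparser

# Constructed sample of a ~/.aws/credentials file; every value is fake.
SAMPLE_FILE = """\
[default]
aws_access_key_id = ASIAFAKEFAKEFAKE0001
aws_secret_access_key = fake-secret
[ci]
aws_access_key_id = AKIAFAKEFAKEFAKE0002
aws_secret_access_key = fake-secret
aws_session_token = fake-leftover-token
"""

def audit_default_credentials(environ, credentials_text):
    """Report where a bare boto3.client() would find credentials, and flag mismatches.

    Simplified model (assumption): only environment variables and the shared
    credentials file are considered, with the environment taking precedence.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    profile = environ.get("AWS_PROFILE", "default")
    findings = []
    if environ.get("AWS_ACCESS_KEY_ID"):
        source = "environment"
        key_id = environ["AWS_ACCESS_KEY_ID"]
        token = environ.get("AWS_SESSION_TOKEN")
        if parser.has_section(profile):
            findings.append("environment variables shadow the credentials file")
    elif parser.has_section(profile):
        source = "file:" + profile
        key_id = parser[profile].get("aws_access_key_id", "")
        token = parser[profile].get("aws_session_token")
    else:
        return {"source": None, "findings": ["no credentials found"]}
    # ASIA = temporary STS key ID, AKIA = long-term IAM user key ID.
    if key_id.startswith("ASIA") and not token:
        findings.append("temporary key without a session token")
    elif key_id.startswith("ASIA"):
        findings.append("temporary credentials: refresh them once they expire")
    elif key_id.startswith("AKIA") and token:
        findings.append("long-term key paired with a leftover session token")
    # Only the 4-character prefix is returned, never the key or secret itself.
    return {"source": source, "key_prefix": key_id[:4], "findings": findings}

if __name__ == "__main__":
    for env in ({}, {"AWS_PROFILE": "ci"}, {"AWS_ACCESS_KEY_ID": "AKIAFAKEFAKEFAKE0003"}):
        print(env, "->", audit_default_credentials(env, SAMPLE_FILE))
```

Pass `dict(os.environ)` and the contents of the real credentials file to run it against a workstation; a shadowing finding means that editing the file will not change what the default session sends.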