STS global endpoint issue for a lambda container image

0

Hi

I am trying to build an API that fetches a list of EC2 instances from an account. I referred to the blog post below for a solution.

[blog post](https://repost.aws/knowledge-center/iam-validate-access-credentials)

Without revealing too many details, I am sharing the python code that I am using to achieve this

```python
import boto3

# regionCode and accountId are supplied by the caller; they change with every request.
# Use the regional STS endpoint instead of the global one.
sts = boto3.client('sts', region_name=regionCode,
                   endpoint_url=f'https://sts.{regionCode}.amazonaws.com')
role_arn = f"arn:aws:iam::{accountId}:role/xxxxxxx"
acct = sts.assume_role(RoleArn=role_arn, RoleSessionName="role-session")

# Temporary credentials returned for the assumed role
access_key = acct['Credentials']['AccessKeyId']
secret_access_key = acct['Credentials']['SecretAccessKey']
session_token = acct['Credentials']['SessionToken']

# EC2 client in the target account, built from the assumed-role credentials
ec2 = boto3.client('ec2',
                   aws_access_key_id=access_key,
                   aws_secret_access_key=secret_access_key,
                   aws_session_token=session_token,
                   region_name=regionCode)
```

Here regionCode and accountId are parameters that change dynamically with each new id. Despite all this, I am getting the error message below when invoking the function.

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Request help as early as possible.

1 Answer
1

I just ran the script myself and it works fine

  • Who are you running the python code as?
  • Does the python script have the IAM permissions to assume a role?
  • Does the role you're assuming trust the role/account you're executing the script as?
  • Does the identity you're running the python script as force MFA?
EXPERT
answered 5 months ago
  • Hi,

    Please find my replies

    1. Who are you running the python code as? I am running it as an IAM user with AK and SAK enabled with a self-managed IAM policy
    2. Does the python script have the IAM permissions to assume a role? Yes it does, sts:assumeRole is enabled in the trust policy
    3. Does the role you're assuming trust the role/account you're executing the script as? Yes
    4. Does the identity you're running the script as force MFA? No
  • I can't reproduce your issue with my setup. The only time I have seen this before is when the IAM user has MFA enforced for CLI access.
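The answer's third and fourth questions (does the role trust the caller, and is MFA forced) can be checked offline against the role's trust policy document before any AssumeRole call is made. This is an added example, not code from the question or the answer; the trust policy, account ids and user names are constructed samples, and the caller ARN is whatever `sts.get_caller_identity()` reports for the identity running the script.

```python
import json

# Constructed sample trust policy (not from the post): the role trusts one IAM
# user in account 111111111111 and requires MFA for the assumption to succeed.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:user/deploy-bot"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """Normalise IAM fields that may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, caller_arn):
    """Report whether caller_arn is trusted by the role's policy and whether
    the trusting statement carries an MFA condition.

    trusted:      an Allow statement for sts:AssumeRole names the caller ARN,
                  the caller's account root, the bare account id, or "*".
    mfa_required: that statement has an aws:MultiFactorAuthPresent condition,
                  so a plain access-key call (no MFA session) will be refused.
    """
    policy = json.loads(policy_json)
    account_id = caller_arn.split(":")[4]
    acceptable = {caller_arn, f"arn:aws:iam::{account_id}:root", account_id, "*"}
    result = {"trusted": False, "mfa_required": False}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a dict such as {"AWS": [...]}
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if not acceptable & set(principals):
            continue
        result["trusted"] = True
        result["mfa_required"] = "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {}))
    return result
```

Feed it the output of `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` (already a dict, so `json.dumps` it first) and the `Arn` from `sts.get_caller_identity()` to answer both questions for the real role.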
