STS global endpoint issue for a lambda container image

Hi

I am trying to build an API that fetches a list of EC2 instances from an account. I referred to the blog post below for a solution.

[blog post](https://repost.aws/knowledge-center/iam-validate-access-credentials)

Without revealing too many details, I am sharing the Python code that I am using to achieve this:

    import boto3

    def ec2_client_for_account(accountId, regionCode):
        # STS client pinned to the regional endpoint; AssumeRole is called with
        # the credentials boto3 resolves for the caller (env vars, profile, ...)
        sts = boto3.client('sts', region_name=regionCode,
                           endpoint_url=f'https://sts.{regionCode}.amazonaws.com')
        # Role name redacted in the original post
        role_arn = f"arn:aws:iam::{accountId}:role/xxxxxxx"
        acct = sts.assume_role(RoleArn=role_arn, RoleSessionName="role-session")
        creds = acct['Credentials']
        # EC2 client built from the temporary credentials returned by AssumeRole
        ec2 = boto3.client('ec2',
                           aws_access_key_id=creds['AccessKeyId'],
                           aws_secret_access_key=creds['SecretAccessKey'],
                           aws_session_token=creds['SessionToken'],
                           region_name=regionCode)
        return ec2

Here regionCode and accountId are parameterized and change dynamically with each new ID. Despite all this, I am getting the error message below when invoking the function:

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Request help as early as possible.

1 Answer

I just ran the script myself and it works fine.

  • Who are you running the Python code as?
  • Does the Python script have the IAM permissions to assume a role?
  • Does the role you're assuming trust the role/account you're executing the script as?
  • Does the identity you're running the script as enforce MFA?
EXPERT
answered 5 months ago
  • Hi,

    Please find my replies:

    1. Who are you running the Python code as? I am running it as an IAM user with an AK and SAK enabled, with a self-managed IAM policy.
    2. Does the Python script have the IAM permissions to assume a role? Yes it does, sts:AssumeRole is enabled in the trust policy.
    3. Does the role you're assuming trust the role/account you're executing the script as? Yes.
    4. Does the identity you're running the script as enforce MFA? No.
  • I can't reproduce your issue with my setup. The only time I have seen this before is when the IAM user has MFA enforced for CLI access.
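Added example, not part of the thread above: items 2 to 4 of the answer's checklist can be pre-checked offline against the two policy documents involved, before touching STS at all. AssumeRole needs two things to line up: the caller's identity-based policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must name the caller (its ARN, its account root, or its account ID) as a principal; a Condition on aws:MultiFactorAuthPresent in the trust policy will refuse a script that runs on plain access keys. The account IDs, user and role names, and both policy documents below are constructed for the example (111122223333 and 444455556666 are the AWS documentation placeholders), and the evaluator is deliberately simplified: it ignores explicit Deny statements, permission boundaries, SCPs, and every condition other than the MFA flag, so a "should succeed" result here is a necessary, not sufficient, condition. Item 1 (which identity the code actually runs as) still needs a live sts get_caller_identity call.

```python
import fnmatch
import json

# Constructed sample identities and policies for the example (not from the thread).
CALLER_ARN = "arn:aws:iam::111122223333:user/api-user"
ROLE_ARN = "arn:aws:iam::444455556666:role/ec2-reader"

# Identity-based policy attached to the calling IAM user (constructed).
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/ec2-reader"
  }]
}""")

# Trust policy on the target role (constructed). It names the caller but
# also demands MFA, which a script on plain access keys cannot satisfy.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/api-user"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in Statement, Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive and may use IAM wildcards ('*', '?')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def identity_allows_assume(policy, role_arn):
    """Checklist item 2: an Allow for sts:AssumeRole whose Resource matches role_arn.
    Simplified: Deny statements and Condition blocks are ignored."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action")))
        # Resource ARNs are matched case-sensitively with IAM wildcards.
        resource_ok = any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt.get("Resource")))
        if action_ok and resource_ok:
            return True
    return False


def trust_allows_principal(trust_policy, caller_arn):
    """Checklist item 3: the trust policy names the caller ARN, its account root, or its account ID."""
    account_id = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account_id}:root", account_id}
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if accepted & set(_as_list(principal.get("AWS"))):
            return True
    return False


def trust_requires_mfa(trust_policy):
    """Checklist item 4: does any statement require aws:MultiFactorAuthPresent to be true?
    Condition keys are case-insensitive; the operator (Bool, BoolIfExists, ...) does not matter here."""
    for stmt in _as_list(trust_policy.get("Statement")):
        for operator_values in stmt.get("Condition", {}).values():
            for key, val in operator_values.items():
                if key.lower() == "aws:multifactorauthpresent" and str(val).lower() == "true":
                    return True
    return False


def precheck(caller_arn, role_arn, identity_policy, trust_policy):
    """Returns the findings for checklist items 2-4 plus a combined verdict."""
    findings = {
        "identity_allows_assume_role": identity_allows_assume(identity_policy, role_arn),
        "trust_policy_names_caller": trust_allows_principal(trust_policy, caller_arn),
        "trust_policy_requires_mfa": trust_requires_mfa(trust_policy),
    }
    findings["assume_role_should_succeed_without_mfa"] = (
        findings["identity_allows_assume_role"]
        and findings["trust_policy_names_caller"]
        and not findings["trust_policy_requires_mfa"]
    )
    return findings


if __name__ == "__main__":
    for name, result in precheck(CALLER_ARN, ROLE_ARN, IDENTITY_POLICY, TRUST_POLICY).items():
        print(f"{name}: {result}")
```

With the constructed documents the identity and trust checks both pass, but the MFA condition flags the run as one that will fail on plain access keys, which is the exact situation the answer says it has seen produce this kind of failure. Swap in the real policy documents (aws iam get-role and the caller's attached policies) to run the same check against a live setup.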
