Hi all, I am trying to use boto3 to do some KMS operations. I keep getting an error that my security token is invalid. I've gone through various posts I could find and was not able to find any resolution.
Things I have checked so far:
- I am not using any special region. Everything is just in standard us-east-1 nothing fancy.
- I have created a user that has AdministratorAccess and created security access credentials for this user
- Have tried putting these into credentials file + supplying through client() constructor
My code snippet:
import boto3
aws_access_key_id = "XXX"
aws_secret_access_key = "XXX"
client = boto3.client('sts',
    aws_access_key_id=aws_access_key_id,
    aws_secret_access_key=aws_secret_access_key,
)
resp = client.get_session_token()
key = resp['Credentials']['AccessKeyId']
secret = resp['Credentials']['SecretAccessKey']
session_token = resp['Credentials']['SessionToken']
client = boto3.client(
    'kms',
    aws_access_key_id="\"" + key + "\"",
    aws_secret_access_key="\"" + secret + "\"",
    aws_session_token="\"" + session_token + "\""
)
response = client.generate_data_key_pair_without_plaintext(
    KeyId='XXX',
    KeyPairSpec='ECC_NIST_P384',
)
My code fails on the last line...
Traceback (most recent call last):
  File "C:\pathToTestScript.py", line 28, in <module>
    response = client.generate_data_key_pair_without_plaintext(
  File "C:\Users\benarnao\AppData\Roaming\Python\Python310\site-packages\botocore\client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\benarnao\AppData\Roaming\Python\Python310\site-packages\botocore\client.py", line 961, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the GenerateDataKeyPairWithoutPlaintext operation: The security token included in the request is invalid.
I am able to get the session token from STS, and notice this returns a temporary key and secret as well. I have tried the new set of credentials as well as the existing credentials + security token with no luck.
For some reason the key and secret require surrounding quotes when supplied through the client() constructor. I have tried this with and without for the session token parameter.
Any ideas?
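An added example, not part of the original post: an offline pre-flight check on the three strings before they are handed to boto3.client(), since botocore signs requests with the values exactly as given. The function name check_credentials is hypothetical; the AKIA (long-term) and ASIA (temporary) key ID prefixes are standard AWS conventions.

```python
import re

# IAM documents access key IDs as 16-128 word characters.
ACCESS_KEY_RE = re.compile(r"\w{16,128}")
QUOTES = "\"'"


def check_credentials(access_key_id, secret_access_key, session_token=None):
    """Return a list of problems found in the credential strings (empty if none)."""
    problems = []
    fields = {
        "aws_access_key_id": access_key_id,
        "aws_secret_access_key": secret_access_key,
        "aws_session_token": session_token,
    }
    for name, value in fields.items():
        if value is None:
            continue
        stripped = value.strip()
        if stripped != value:
            problems.append(f"{name}: leading or trailing whitespace")
        # Quote characters never occur in real keys, secrets or session tokens.
        if stripped and (stripped[0] in QUOTES or stripped[-1] in QUOTES):
            problems.append(f"{name}: surrounded by literal quote characters")

    bare_id = access_key_id.strip().strip(QUOTES)
    if not ACCESS_KEY_RE.fullmatch(bare_id):
        problems.append("aws_access_key_id: not 16-128 word characters")
    # Temporary credentials from STS must travel with their session token;
    # long-term keys must not be paired with one.
    if bare_id.startswith("ASIA") and not session_token:
        problems.append("aws_access_key_id: temporary (ASIA) key without aws_session_token")
    if bare_id.startswith("AKIA") and session_token:
        problems.append("aws_access_key_id: long-term (AKIA) key sent with a session token")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    temp_key = "ASIAEXAMPLEEXAMPLE00"
    secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    token = "FQoGZXIvYXdzEXAMPLETOKEN=="
    for problem in check_credentials(f'"{temp_key}"', f'"{secret}"', f'"{token}"'):
        print(problem)
```

An empty list only means the strings are well-formed; whether the credentials are still valid and authorized is decided by AWS when the request is made.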