STS global endpoint issue for a lambda container image

0

Hi

I am trying to build an API that fetches a list of EC2 instances from an account. I referred to the blog post below for a solution.

[blog post](https://repost.aws/knowledge-center/iam-validate-access-credentials)

Without revealing too many details, I am sharing the Python code that I am using to achieve this:

```python
import boto3


# Wrapper function is assumed; the original snippet showed only the indented body
def build_ec2_client(accountId, regionCode):
    # Regional STS endpoint, as in the original snippet
    sts = boto3.client('sts', region_name=regionCode,
                       endpoint_url=f'https://sts.{regionCode}.amazonaws.com')
    role_arn = f"arn:aws:iam::{accountId}:role/xxxxxxx"
    acct = sts.assume_role(RoleArn=role_arn, RoleSessionName="role-session")
    access_key = acct['Credentials']['AccessKeyId']
    secret_access_key = acct['Credentials']['SecretAccessKey']
    session_token = acct['Credentials']['SessionToken']
    # EC2 client built from the temporary credentials of the assumed role
    ec2 = boto3.client('ec2',
                       aws_access_key_id=access_key,
                       aws_secret_access_key=secret_access_key,
                       aws_session_token=session_token,
                       region_name=regionCode)
    return ec2
```

Here regionCode and accountId are parameters that change dynamically with each new id. Despite all this, I am getting the error message below when invoking the function.

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Request help as early as possible.

1 Answer
1

I just ran the script myself and it works fine.

  • Who are you running the python code as?
  • Does the python script have the IAM permissions to assume a role?
  • Does the role you're assuming trust the role/account you're executing the script as?
  • Does the identity you're running the script as force MFA?
EXPERT
answered 4 months ago
  • Hi,

    Please find my replies:

    1. Who are you running the python code as? I am running it as an IAM user with AK and SAK enabled with a self-managed IAM policy.
    2. Does the python script have the IAM permissions to assume a role? Yes it does, sts:AssumeRole is enabled in the trust policy.
    3. Does the role you're assuming trust the role/account you're executing the script as? Yes.
    4. Does the identity you're running the script as force MFA? No.
  • I can't reproduce your issue with my setup. The only time I have seen this before is when the IAM user has MFA enforced for CLI access.
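The checklist in the answer can be turned into a small diagnostic. The script below is an added example, not code from the question or the answer: it first calls `get_caller_identity` to establish which identity the code actually runs as, then attempts `assume_role` against the same regional STS endpoint the question uses, and maps the error code to the relevant checklist item. `InvalidClientTokenId` means STS rejected the caller's own credentials, so the target role's trust policy was never evaluated; `AccessDenied` means the caller authenticated but is not permitted. The `trust_policy_allows` helper is a rough offline pre-check of a trust policy document (it only models Allow statements with an `AWS` principal and the `aws:MultiFactorAuthPresent` condition, not Deny or wildcards). The role name, account IDs and trust policy are constructed placeholders.

```python
"""Diagnostic for the AssumeRole checklist (added example, not from the post)."""
from typing import Any, Dict, List, Tuple

# STS error codes mapped to the checklist items in the answer.
ERROR_HINTS = {
    "InvalidClientTokenId": (
        "STS rejected the calling credentials themselves; check which identity "
        "the code runs as and that its access key is active. In Lambda, prefer "
        "the execution role over keys baked into the image."),
    "AccessDenied": (
        "Caller authenticated but is not allowed: check the caller's "
        "sts:AssumeRole permission and the target role's trust policy."),
    "ExpiredToken": "Temporary credentials have expired; refresh them.",
}

# Constructed sample trust policy: account 111122223333 may assume the role
# only with MFA; one specific user in 444455556666 may assume it without MFA.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:user/deploy"},
         "Action": "sts:AssumeRole"},
    ],
}


def classify_assume_role_error(code: str) -> str:
    """Return the checklist hint for an STS error code."""
    return ERROR_HINTS.get(
        code, f"Unrecognised error code {code!r}; check the AssumeRole event in CloudTrail.")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy: Dict[str, Any], caller_arn: str) -> Tuple[bool, bool]:
    """Rough offline pre-check, not a substitute for the IAM policy simulator.

    Returns (allowed, mfa_required). A principal matches if it is the caller's
    exact ARN, the caller's account id, or the caller's account root ARN.
    mfa_required is True only if every matching statement demands MFA.
    """
    caller_account = caller_arn.split(":")[4]
    account_root = f"arn:aws:iam::{caller_account}:root"
    mfa_flags: List[bool] = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for p in _as_list(principal.get("AWS", [])):
            if p in (caller_arn, caller_account, account_root):
                mfa = stmt.get("Condition", {}).get("Bool", {}).get(
                    "aws:MultiFactorAuthPresent", "false")
                mfa_flags.append(str(mfa).lower() == "true")
    allowed = bool(mfa_flags)
    return allowed, allowed and all(mfa_flags)


def assume_role_with_diagnostics(account_id: str, role_name: str, region: str,
                                 mfa_serial: str = None, mfa_code: str = None) -> Dict[str, Any]:
    """Assume the role via the regional STS endpoint (as in the question).

    Raises RuntimeError with a checklist hint when STS returns an error.
    """
    import boto3  # imported here so the offline helpers above work without boto3
    from botocore.exceptions import ClientError

    sts = boto3.client("sts", region_name=region,
                       endpoint_url=f"https://sts.{region}.amazonaws.com")
    kwargs = {"RoleArn": f"arn:aws:iam::{account_id}:role/{role_name}",
              "RoleSessionName": "role-session"}
    if mfa_serial and mfa_code:  # checklist item 4: supply MFA when the trust policy requires it
        kwargs.update(SerialNumber=mfa_serial, TokenCode=mfa_code)
    try:
        me = sts.get_caller_identity()  # checklist item 1: who is actually calling
        print(f"Calling as {me['Arn']} in account {me['Account']}")
        return sts.assume_role(**kwargs)["Credentials"]
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        raise RuntimeError(f"{code}: {classify_assume_role_error(code)}") from exc


if __name__ == "__main__":
    # Offline demo of the pre-check; the live call needs real credentials.
    for arn in ("arn:aws:iam::111122223333:user/alice",
                "arn:aws:iam::444455556666:user/deploy",
                "arn:aws:iam::999999999999:user/bob"):
        print(arn, trust_policy_allows(SAMPLE_TRUST_POLICY, arn))
```

If `get_caller_identity` itself fails with `InvalidClientTokenId`, the problem is the caller's credentials, not the role. Inside Lambda, `boto3.client('sts')` with no explicit keys uses the function's execution role, which avoids embedding long-lived IAM user keys in the container image.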
