使用python boto中的cognito获取AWS凭据

时间:2015-06-23 15:51:49

标签: python amazon-web-services boto amazon-cognito aws-sts

我试图模仿我的服务器应用程序的流程,使用我自己的身份验证为移动设备创建临时访问/密钥对。移动设备与我的服务器通信,最终结果是它获得了AWS凭证。

我将Cognito与自定义开发人员后端see documentation here结合使用。

为此,我已经制作了下面的脚本,但我的秘密/访问密钥凭据不起作用:

Private Sub CommandButton5_Click()
Dim i As Integer
Dim col As Integer
Dim canadaTotal As Integer
Dim search As String
Dim canadaCheck As Long
i = 1
col = 4
canadaTotal = 0

Worksheets("sheet1").Activate

While Not Worksheets("Sheet1").Cells(i, col).Value = ""
search = Cells(i, col).Value

If IsNumeric(InStr(0, search, "CAN")) Then


canadaTotal = canadaTotal + Cells(i, col).Offset(0, 6).Value

End If

i = i + 1

Wend
MsgBox (canadaTotal)
End Sub

我对指数退避的想法是,Cognito可能需要一段时间来传播新的访问/密钥对,因此我可能需要等待(如果是这样的话,这是非常不可接受的!)。

然而,这个脚本运行了10分钟并且没有成功,这让我相信问题是别的。

控制台打印出来:

import time
import traceback 
from boto.cognito.identity.layer1 import CognitoIdentityConnection
from boto.sts import STSConnection
from boto.s3.connection import S3Connection
from boto.s3.key import Key


AWS_ACCESS_KEY_ID = "XXXXX"
AWS_SECRET_ACCESS_KEY = "XXXXXX"


# get token
iden_pool_id = "us-east-1:xxx-xxx-xxx-xxxx-xxxx"
role_arn = "arn:aws:iam::xxxx:role/xxxxxxx"
user_id = "xxxx"
role_session_name = "my_session_name_here"
bucket_name = 'xxxxxxxxxx'


connection = CognitoIdentityConnection(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)

web_identity_token = connection.get_open_id_token_for_developer_identity(
    identity_pool_id=iden_pool_id, 
    logins={"xxxxxxxxx" : user_id}, 
    identity_id=None, 
    token_duration=3600)


# use token to get credentials
sts_conn = STSConnection(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
result = sts_conn.assume_role_with_web_identity(
    role_arn, 
    role_session_name, 
    web_identity_token['Token'], 
    provider_id=None, 
    policy=None, 
    duration_seconds=3600)

print "The user now has an access ID (%s) and a secret access key (%s) and a session/security token (%s)!" % (
    result.credentials.access_key, result.credentials.secret_key, result.credentials.session_token)

# just use any call that tests if these credentials work
from boto.ec2.connection import EC2Connection
ec2 = EC2Connection(result.credentials.access_key, result.credentials.secret_key, security_token=result.credentials.session_token)
wait = 1
cumulative_wait_time = 0
while True:
    try:
        print ec2.get_all_regions()
        break
    except Exception as e:
        print e, traceback.format_exc()
        time.sleep(2**wait)
        cumulative_wait_time += 2**wait
        print "Waited for:", cumulative_wait_time
        wait += 1

有什么想法吗?

1 个答案:

答案 0 :(得分:3)

您正在从assume_role_with_web_identity调用的结果中正确提取访问密钥和密钥。但是,使用临时凭证时,还需要使用结果中的安全令牌。

这是描述你需要做什么的伪代码: http://docs.aws.amazon.com/STS/latest/UsingSTS/using-temp-creds.html#using-temp-creds-sdk

另请注意EC2Connection的security_token参数 http://boto.readthedocs.org/en/latest/ref/ec2.html#boto.ec2.connection.EC2Connection

希望这可以解决问题

-Mark