(使用CLI)AWS无法验证提供的访问凭据

时间:2017-05-24 09:28:41

标签: amazon-web-services boto3 aws-sts

执行aws cli命令时出现以下错误:aws ec2 describe-instances --filters "Name=instance-type,Values=m1.small"

A client error (AuthFailure) occurred when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials

凭据来自以下脚本:

import boto3

sts_client = boto3.client('sts')

assumedRoleObject = sts_client.assume_role(
    RoleArn="arn:aws:iam::<>:role/service-role/Test-Project",
    RoleSessionName="AssumeRoleSession2"
)
credentials = assumedRoleObject['Credentials']

print credentials['AccessKeyId']
print "#"*100
print credentials['SecretAccessKey']
print "#"*100
print credentials['SessionToken']
print "#"*100

我已经测试了在该角色上启用Admin Access。还是行不通。

角色的信任关系如下:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*",
          "arn:aws:iam::<>:user/<username>"
        ],
        "Service": [
          "lambda.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

1 个答案:

答案 0 :(得分:0)

我只能想到两个原因,为什么它不起作用,只需检查它是否适合你的情况。

只是为了确保您在会话中输出所有3个变量,即

export AWS_ACCESS_KEY_ID="ASIAI******JQ"
export AWS_SECRET_ACCESS_KEY="n******u1pRocjL"
export AWS_SESSION_TOKEN="FQ*****vKJKTisUF"

或者如果您在本地计算机上使用凭证文件,则其中包含所有3个变量,并且在默认配置文件下也是如此。

此外,由于会话令牌默认有效一小时,只需检查您的机器时间是否不同步(可能性较小但值得检查。)