I'm trying to list buckets from a Python script using an AWS account that has MFA enabled, but every time I run the code I get Access Denied.

Script output:
Enter your MFA Token:899211
{'Credentials': {'AccessKeyId': 'ASIASUXXXXXXXXXXX', 'SecretAccessKey': 'T1Cn9FpXXXXXXXXXXXXXXXXXl', 'SessionToken': 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'Expiration': datetime.datetime(2020, 4, 22, 10, 0, 21, tzinfo=tzutc())}, 'ResponseMetadata': {'RequestId': '6c05ad08-XXXX-4b2a-XXXX-VVVVVVVVV', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '6c05ad08-XXXx-XXXX-XXXXXXX-8c4a5b504404', 'content-type': 'text/xml', 'content-length': '804', 'date': 'Wed, 22 Apr 2020 09:00:21 GMT'}, 'RetryAttempts': 0}}
Traceback (most recent call last):
  File "aws_connect.py", line 23, in <module>
    response_s3 = s3.list_buckets()
  File "/home/my_user/.local/lib/python3.6/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/my_user/.local/lib/python3.6/site-packages/botocore/client.py", line 626, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
my_script.py:

#!/usr/bin/env python
import re
import json
import subprocess
import os
import boto3

token = input('Enter your MFA Token:')
client = boto3.client('sts')
response = client.get_session_token(
    DurationSeconds=3600,
    SerialNumber='arn:aws:iam::18022222222:mfa/mymfauser',
    TokenCode=token,
)
print(response)
# The temporary credentials returned in `response` are never handed to this
# client, so it still signs requests with the default (long-term) credentials.
s3 = boto3.client('s3')
response_s3 = s3.list_buckets()
# Output the bucket names
print('Existing buckets:')
for bucket in response_s3['Buckets']:
    print(f' {bucket["Name"]}')
So I do get a valid AccessKeyId, SecretAccessKey and SessionToken, but I can't list anything in my account.

Answer 0 (score: 0)

The MFA session credentials have to be passed to boto3.client('s3') before they can be used. The simplest way is to do it in the code itself.

For example:
s3 = boto3.client('s3',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken']
)
For anyone who lands here and needs to use a profile other than the default one from their credentials file, this line does it:
boto3.setup_default_session(profile_name='PROFILE_NAME')
The last thing to make sure of is that the user account has a policy that allows the following action:

s3:ListAllMyBuckets

Putting it all together, the whole script looks like this:
#!/usr/bin/env python
import boto3

serial_number = input('Enter your device serial number: ')
token = input('Enter your MFA Token: ')

# This line is necessary if you're using
# a profile other than your default profile
boto3.setup_default_session(profile_name='demo_cli')

client = boto3.client('sts')
response = client.get_session_token(
    DurationSeconds=3600,
    SerialNumber=serial_number,
    TokenCode=token,
)

s3 = boto3.client('s3',
    aws_access_key_id=response['Credentials']['AccessKeyId'],
    aws_secret_access_key=response['Credentials']['SecretAccessKey'],
    aws_session_token=response['Credentials']['SessionToken']
)

response_s3 = s3.list_buckets()
# Output the bucket names
print('Existing buckets:')
for bucket in response_s3['Buckets']:
    print(f' {bucket["Name"]}')
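The answer above fixes the bug by passing the three credential fields to the client by hand. The following is an added example (not the asker's or answerer's code) that generalises it: a pure helper maps the GetSessionToken response onto boto3's keyword arguments and refuses to use credentials that are missing fields, are not temporary (STS-issued access key ids start with ASIA, long-term IAM user keys with AKIA), or are about to expire, and a second function builds a dedicated boto3.Session from those credentials so every client created from it signs with the MFA session. The sample response is constructed with fake values; boto3 is assumed to be installed and imported lazily so the helper can be run without it; the profile name `demo_cli` is taken from the answer and is an assumption.

```python
"""Build an S3 client from GetSessionToken output, with sanity checks."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the shape sts.get_session_token() returns (values are fake).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "example-secret",
        "SessionToken": "example-session-token",
        "Expiration": datetime(2020, 4, 22, 10, 0, 21, tzinfo=timezone.utc),
    }
}
SAMPLE_NOW = datetime(2020, 4, 22, 9, 0, 21, tzinfo=timezone.utc)  # 60 minutes left
SAMPLE_ALMOST_EXPIRED = SAMPLE_NOW + timedelta(minutes=58)          # 2 minutes left


def credentials_from_sts(response, now=None, min_remaining=timedelta(minutes=5)):
    """Map a GetSessionToken response onto the keyword arguments boto3 expects.

    Raises ValueError if a field is missing, the key is not a temporary one,
    or the credentials expire within `min_remaining`.
    """
    creds = response.get("Credentials", {})
    required = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    missing = [k for k in required if k not in creds]
    if missing:
        raise ValueError(f"STS response is missing {missing}")
    # STS-issued (temporary) access key ids start with ASIA; a long-term IAM
    # user key starts with AKIA, which would mean we are not using the session.
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("expected a temporary (ASIA...) access key id")
    now = now or datetime.now(timezone.utc)
    remaining = creds["Expiration"] - now  # Expiration is timezone-aware, as in the asker's output
    if remaining < min_remaining:
        raise ValueError(f"session credentials expire in {remaining}; request new ones")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def mfa_s3_client(serial_number, token_code, profile_name=None, duration_seconds=3600):
    """Call STS with the MFA code and return an S3 client bound to the session credentials."""
    import boto3  # assumed installed; imported here so the helper above needs no boto3

    base = boto3.Session(profile_name=profile_name)  # long-term credentials, only for the STS call
    sts = base.client("sts")
    response = sts.get_session_token(
        DurationSeconds=duration_seconds,
        SerialNumber=serial_number,
        TokenCode=token_code,
    )
    # A separate Session built from the temporary credentials: every client
    # created from it signs with the MFA session rather than the long-term key.
    mfa_session = boto3.Session(region_name=base.region_name, **credentials_from_sts(response))
    return mfa_session.client("s3")


if __name__ == "__main__":
    serial = input("Enter your device serial number: ")
    token = input("Enter your MFA Token: ")
    s3 = mfa_s3_client(serial, token, profile_name="demo_cli")  # profile name assumed
    print("Existing buckets:")
    for bucket in s3.list_buckets()["Buckets"]:
        print(f" {bucket['Name']}")
```

Keeping the long-term and the MFA credentials in two separate Session objects makes it impossible to repeat the original mistake by accident: any client that should act under MFA is created from `mfa_session`, and the ASIA check gives an immediate, readable failure if the wrong one slipped through. If ListBuckets still returns AccessDenied with the session credentials in place, the remaining cause is the IAM policy (the s3:ListAllMyBuckets allow mentioned in the answer, or a condition on aws:MultiFactorAuthPresent) rather than the code.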