Closed pitkley closed 4 days ago
@pitkley since there is no update I will give you the fix from AWS Enterprise support:
You must use a regional STS endpoint when calling the keyvalue api endpoint
Enjoy :)
Hi @pitkley, thanks for reaching out and for your patience. Are you still having trouble with this? If so, could you talk about how you're configuring your region in both Boto3 and the AWS CLI? It might also be worthwhile looking at the sts_regional_endpoints configuration option, which will let you hit a regional endpoint as mentioned above. Thanks!
Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
Describe the bug
Using the cloudfront-keyvaluestore client, trying to invoke the describe_key_value_store function when using an assumed role fails with an "Authentication failed" error. Using an access-key-ID and secret-access-key pair of the target account works without issues. Both the role tested and the direct access key have the same full AdministratorAccess permissions.
Expected Behavior
Just like for all other AWS services used with boto3 (at least the ones I have ever used), assuming a role should work with the cloudfront-keyvaluestore client, and operations like DescribeKeyValueStore should not fail.
Current Behavior
The describe_key_value_store operation fails with this error when using an assumed role:
Reproduction Steps
The following is a minimal script that reproduces the error. It expects to be invoked with an environment variable ASSUMED_IAM_ROLE set to the ARN of the IAM role that should be assumed.
The script will print output like this:
If it were to succeed, the output should look like the following. It has never succeeded in any of my tests.
Possible Solution
No response
Additional Information/Context
Interestingly enough, using the aws-cli (aws-cli/2.15.2 Python/3.11.6 Darwin/22.6.0 exe/x86_64 prompt/off) works without issues:
Here, the temporary-profile profile is configured through the ~/.aws/credentials file after invoking aws sts assume-role --role-arn "$ASSUMED_IAM_ROLE" --role-session-name aws-cli, looking roughly like this:
I have looked at the debug output of both boto3 (through boto3.set_stream_logger("botocore")) and the aws-cli (using the --debug CLI flag). One difference I did notice in the output (which might not be the only one, just one I did notice) is that the aws-cli will have output like this:
When running the reproducer script above with debug output enabled, it will have similar botocore.hooks log statements, but showing none of the AuthCredentialsProvider or AuthSigning output. (Maybe this is expected, since it does not show for the CloudFront ListKeyValueStores API call either.)
SDK version used
boto3 1.34.4 (botocore 1.34.4)
Environment details (OS name and version, etc.)
macOS 13.6.3, Python 3.12.1
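The fix given in the thread (assume the role through a regional STS endpoint, not the global one) in boto3 form, as an added example that is neither the reporter's reproducer nor code from boto3 or AWS. It assumes boto3 is installed, reuses the reporter's ASSUMED_IAM_ROLE variable, and adds a hypothetical KVS_ARN variable for the key-value store to describe; the KvsARN parameter name is the one the cloudfront-keyvaluestore DescribeKeyValueStore operation takes. The helpers that need no network (endpoint construction, credential mapping, rendering the same credentials as the temporary-profile block the reporter used with the CLI) run offline against a constructed sample response.

```python
"""Assume a role via a regional STS endpoint, then call cloudfront-keyvaluestore."""
import configparser
import io
import os
from typing import Dict

# Constructed sample of the "Credentials" member of an AssumeRole response
# (fake values, used only by the offline path at the bottom).
SAMPLE_CREDENTIALS: Dict[str, str] = {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
    "Expiration": "2024-01-01T00:00:00Z",
}


def regional_sts_endpoint(region: str) -> str:
    """Return the regional STS endpoint URL for `region`.

    The fix from the thread: assume the role through sts.<region>.amazonaws.com
    rather than the global sts.amazonaws.com endpoint that botocore uses when
    sts_regional_endpoints is left at "legacy".
    """
    if not region or not region.replace("-", "").isalnum():
        raise ValueError(f"invalid AWS region: {region!r}")
    return f"https://sts.{region}.amazonaws.com"


def session_kwargs(credentials: Dict[str, str]) -> Dict[str, str]:
    """Map the AssumeRole 'Credentials' dict onto boto3.Session keyword args.

    All three values are needed: an assumed-role key pair without its session
    token is not usable on its own.
    """
    return {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }


def credentials_profile(name: str, credentials: Dict[str, str]) -> str:
    """Render the temporary credentials as a ~/.aws/credentials profile block,
    the form the reporter used for the CLI's temporary-profile."""
    ini = configparser.ConfigParser()
    ini[name] = session_kwargs(credentials)
    buf = io.StringIO()
    ini.write(buf)
    return buf.getvalue()


def describe_kvs_with_assumed_role(role_arn: str, kvs_arn: str,
                                   region: str = "us-east-1",
                                   session_name: str = "kvs-demo") -> dict:
    """Assume `role_arn` via the regional STS endpoint and describe `kvs_arn`."""
    import boto3  # imported here so the helpers above import without boto3

    # An explicit endpoint_url does not depend on sts_regional_endpoints=regional
    # being set in ~/.aws/config or via AWS_STS_REGIONAL_ENDPOINTS.
    sts = boto3.client("sts", region_name=region,
                       endpoint_url=regional_sts_endpoint(region))
    creds = sts.assume_role(RoleArn=role_arn,
                            RoleSessionName=session_name)["Credentials"]
    session = boto3.Session(region_name=region, **session_kwargs(creds))
    kvs = session.client("cloudfront-keyvaluestore")
    return kvs.describe_key_value_store(KvsARN=kvs_arn)


if __name__ == "__main__":
    role = os.environ.get("ASSUMED_IAM_ROLE")
    kvs_arn = os.environ.get("KVS_ARN")  # hypothetical variable, not from the thread
    if role and kvs_arn:
        resp = describe_kvs_with_assumed_role(role, kvs_arn)
        print(resp["KvsARN"], resp["ItemCount"])
    else:
        # Offline path: the CLI profile the same credentials would produce.
        print(credentials_profile("temporary-profile", SAMPLE_CREDENTIALS))
```

Passing endpoint_url explicitly is deliberate: it makes the regional call independent of whichever ~/.aws/config or environment the script happens to run under, which is the knob the maintainer's sts_regional_endpoints suggestion also turns.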