When using get_presigned_url() to generate a pre-signed POST, on an instance that does not have AWS access keys but does have AWSS3FullAccess ("Allow" on "s3:*") via IAM role, the provided link leads to a 403 Forbidden with body:
<Error>
  <Code>InvalidAccessKeyId</Code>
  <Message>The AWS Access Key Id you provided does not exist in our records.</Message>
  ...
</Error>
If I aws configure an access key associated with the same role, I stop getting this behavior and it works as expected.
Based on some reading, it seems to be a limitation of the JavaScript SDK that only async calls using a callback support IAM auth. This led me to this fine package, and I noticed the README mentions:
"Updating to aiobotocore 1.0.1 also brings with it support for running inside EKS as well as asyncifying get_presigned_url"
where aioboto3 appears to have bumped aiobotocore to 1.0.1 in April of 2020.
So my bold hypothesis is that properly "asyncifying" get_presigned_url() includes hooking into the callback argument of getSignedUrl(), causing IAM auth to be supported. Under that hypothesis, this is a bug rather than a feature request, but I am very much a newcomer to this space, and could be completely off base.
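As a check that can be run on the output of a presign call when a role-backed pre-signed POST is rejected like this, the following added example (not code from this issue or from aioboto3) inspects the form fields for the session token that STS temporary credentials require. It assumes the usual url/fields dictionary shape with SigV4 or SigV2 field names; the key id, token and policy below are constructed placeholders.

```python
import base64
import json

TOKEN = "x-amz-security-token"

def access_key_id(fields):
    """Key id from the SigV4 (x-amz-credential) or SigV2 (AWSAccessKeyId) field."""
    cred = fields.get("x-amz-credential")
    return cred.split("/", 1)[0] if cred else fields.get("AWSAccessKeyId", "")

def policy_field_names(fields):
    """Decode the base64 POST policy; return the field names its conditions cover."""
    policy = json.loads(base64.b64decode(fields["policy"]))
    names = set()
    for cond in policy.get("conditions", []):
        if isinstance(cond, dict):
            names.update(k.lower() for k in cond)
        elif len(cond) == 3 and isinstance(cond[1], str):
            names.add(cond[1].lstrip("$").lower())
    return names

def check_presigned_post(fields):
    """Return findings; an empty list means key id and token fields are consistent."""
    key_id = access_key_id(fields)
    if not key_id:
        return ["no access key id field found"]
    findings = []
    if key_id.startswith("ASIA"):  # prefix of STS temporary keys (roles, instance profiles)
        if TOKEN not in {k.lower() for k in fields}:
            findings.append("temporary key id but no %s form field" % TOKEN)
        if TOKEN not in policy_field_names(fields):
            findings.append("signed policy has no condition for %s" % TOKEN)
    return findings

def _policy(conditions):
    doc = {"expiration": "2030-01-01T00:00:00Z", "conditions": conditions}
    return base64.b64encode(json.dumps(doc).encode()).decode()

# Constructed samples: placeholder key id, token and signature, not real credentials.
BASE = [{"bucket": "example-bucket"}, ["starts-with", "$key", "uploads/"]]
CRED = "ASIAEXAMPLEEXAMPLE00/20300101/us-east-1/s3/aws4_request"
WITH_TOKEN = {"key": "uploads/a.txt", "x-amz-credential": CRED, TOKEN: "EXAMPLETOKEN",
              "policy": _policy(BASE + [{TOKEN: "EXAMPLETOKEN"}]), "x-amz-signature": "constructed"}
WITHOUT_TOKEN = {"key": "uploads/a.txt", "x-amz-credential": CRED,
                 "policy": _policy(BASE), "x-amz-signature": "constructed"}

if __name__ == "__main__":
    for name, sample in (("with token", WITH_TOKEN), ("without token", WITHOUT_TOKEN)):
        print(name, "->", check_presigned_post(sample) or "consistent")
```

Pass the fields dictionary returned by the presign call to check_presigned_post(); long-term key ids (AKIA prefix) are not expected to carry a token and produce no findings.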