`get_presigned_url()` does not work with IAM role

[afrachioni]

• Async AWS SDK for Python version: 12.4.0
• Python version: 3.9.16
• Operating System: AWS Linux 2023

Description

• When using get_presigned_url() to generate a pre-signed POST,
• On an instance that does not have AWS access keys,
• But does have AWSS3FullAccess ("Allow" on "s3:*") via IAM role,

The provided link leads to a 403 Forbidden with body

<Error>
    <Code>
        InvalidAccessKeyId
    </Code>
    <Message>
        The AWS Access Key Id you provided does not exist in our records.
    </Message>
    ...
</Error>

If I aws configure an access key associated with the same role, I stop getting this behavior and it works as expected.

Based on some reading, it seems to be a limitation of the JavaScript SDK that only async calls using a callback support IAM auth. This led me to this fine package, and I noticed the README mentions

Updating to aiobotocore 1.0.1 also brings with it support for running inside EKS as well as asyncifying get_presigned_url

where aioboto3 appears to have bumped aiobotocore to 1.0.1 in April of 2020.

So my bold hypothesis is that properly "asyncifying" get_presigned_url() includes hooking into the callback argument of getSignedUrl(), causing IAM auth to be supported. Under that hypothesis, this is a bug rather than a feature request, but I am very much a newcomer to this space, and could be completely off base.

[terricain]

Generating of presigned url's would be aiobotocore's domain, this repo only handles the more boto3 level methods so I'd raise a request there.

[afrachioni]

Got it, thanks for the reply! I'll raise an issue over there.