Correct use of iam roles with boto?


Tid

Jun 25, 2015, 6:42:33 AM
to boto-...@googlegroups.com
Hi folks, 

I'm looking to move away from embedding credentials in the .aws or .boto files and am having trouble understanding how the logic: 

I can see a role at 

http://169.254.169.254/latest/meta-data/iam/security-credentials/mytestmachine
which I can read for the creds via urllib in python (or wget in a shellscript) but do I use them? 
(I've been looking at http://stackoverflow.com/questions/11129976/boto-issue-with-iam-role ) 
iamtest.py:
==========================================================================
import urllib2
import ast
import boto

resp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/mytestmachine').read()
resp=ast.literal_eval(resp)
print "access:" + resp['AccessKeyId']
print "secret:" + resp['SecretAccessKey']
print "token:" + resp['Token']
#conn = boto.connect_ec2(resp['AccessKeyId'], resp['SecretAccessKey'], resp['Token'])
conn = boto.connect_ec2(resp['AccessKeyId'], resp['SecretAccessKey'])
rs = conn.get_all_reservations()
print rs
=========================================================================
running the above yields the following: 
 <Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>xxxx</RequestID></Response>
and uncommenting the line for the token gives 
 TypeError: connect_ec2() takes at most 2 arguments (3 given)

The boto version I'm running is 2.36.0
Things I've tried: 
 - made sure the role has full access to list ec2 instances
 - the instance can connect and list instances when I reinstate the .boto file
It's probably me being a muppet, but what am I missing? 
regards
Tid

Tid

Jun 25, 2015, 10:53:30 AM
to boto-...@googlegroups.com


On Thursday, 25 June 2015 11:42:33 UTC+1, Tid wrote:

> It's probably me being a muppet, but what am I missing? 

It was me, well, not being a muppet, but not wholly understanding iam. This works:  

=====================================================================
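import boto.ec2

# No keys passed: boto picks up the instance role's temporary credentials itself.
conn = boto.ec2.connect_to_region("eu-west-1")
res = conn.get_all_instances()

for r in res:
    for i in r.instances:
        # .get() avoids a KeyError on instances that have no Name tag
        print r.id, i.id, i.state, i.tags.get('Name')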
=====================================================================

i.e. ignore all credential setups - AWS does all that for me - just connect and bob's yer uncle. 

General point: Boto needs lots more examples, folks. Anyone got a central repo I can upload to?

cheers

Tid.
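
An added example, not part of the thread and not boto's own code: role credentials from the metadata endpoint are temporary, so the key pair only validates together with its session token, which boto 2 connection classes take as the keyword argument `security_token` (hence the `AuthFailure` without it and the `TypeError` when it is passed positionally). The sketch below parses a constructed sample of the credentials document, checks its expiry, and masks the secret parts for logging; `parse_role_credentials`, `redact` and every sample value are made up for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON document served at
# .../iam/security-credentials/<role-name>; every value is a placeholder.
SAMPLE = """{
  "Code": "Success",
  "AccessKeyId": "ASIAEXAMPLEKEYID0000",
  "SecretAccessKey": "constructed-secret-value",
  "Token": "constructed-session-token",
  "Expiration": "2015-06-25T16:00:00Z"
}"""

REQUIRED = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")


def parse_role_credentials(body, now=None):
    """Validate the document; return (boto-style keyword arguments, expiry)."""
    doc = json.loads(body)  # the document is JSON, so ast.literal_eval is not needed
    if doc.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % doc.get("Code"))
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        raise ValueError("missing fields: %s" % ", ".join(missing))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("credentials expired at %s" % doc["Expiration"])
    kwargs = {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        "security_token": doc["Token"],  # temporary keys are rejected without it
    }
    return kwargs, expires


def redact(creds):
    """Log-safe view: keep the access key id, mask the secret and the token."""
    return {k: (v if k == "aws_access_key_id" else "***") for k, v in creds.items()}


if __name__ == "__main__":
    fixed_now = datetime(2015, 6, 25, 11, 0, tzinfo=timezone.utc)  # constructed clock
    creds, expires = parse_role_credentials(SAMPLE, now=fixed_now)
    print(redact(creds), "valid for", expires - fixed_now)
```

In normal use none of this is needed, since boto fetches and refreshes these values itself, as the working script above shows.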

Victor Trac

Jun 26, 2015, 8:08:32 AM
to boto-...@googlegroups.com
The official boto repo is here: https://github.com/boto/boto

But good luck trying to get a PR request merged. There are currently 322 PRs open, many of them with passing tests and documentation. The AWS team seems to have pretty much abandoned working on boto in favor of boto3: https://github.com/boto/boto3

--
Victor Trac