I'm looking to move away from embedding credentials in the .aws or .boto files and am having trouble understanding how the logic:
http://169.254.169.254/latest/meta-data/iam/security-credentials/mytestmachine
which I can read for the creds via urllib in Python (or wget in a shell script) but how do I use them?
(I've been looking at http://stackoverflow.com/questions/11129976/boto-issue-with-iam-role )
iamtest.py:
==========================================================================
import urllib2
import ast
import boto
resp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/mytestmachine').read()
resp=ast.literal_eval(resp)
print "access:" + resp['AccessKeyId']
print "secret:" + resp['SecretAccessKey']
print "token:" + resp['Token']
#conn = boto.connect_ec2(resp['AccessKeyId'], resp['SecretAccessKey'], resp['Token'])
conn = boto.connect_ec2(resp['AccessKeyId'], resp['SecretAccessKey'])
rs = conn.get_all_reservations()
print rs
=========================================================================
running the above yields the following:
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>xxxx</RequestID></Response>
and uncommenting the line for the token gives
TypeError: connect_ec2() takes at most 2 arguments (3 given)
The boto version I'm running is 2.36.0
Things I've tried:
- made sure the role has full access to list ec2 instances
- the instance can connect and list instances when I reinstate the .boto file
It's probably me being a muppet, but what am I missing?
regards
Tid
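
An added example, not part of the original post: instance-role credentials are temporary, so the access key and secret only validate together with the session token, which boto 2 accepts as the `security_token` keyword rather than a third positional argument. The helper names and every value in the sample document are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of the JSON document returned by the
# .../iam/security-credentials/<role> endpoint (every value is made up).
SAMPLE_DOC = """{
  "Code": "Success",
  "LastUpdated": "2015-03-01T10:00:00Z",
  "Type": "AWS-HMAC",
  "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
  "SecretAccessKey": "constructed-secret-not-a-real-key",
  "Token": "constructed-session-token",
  "Expiration": "2015-03-01T16:00:00Z"
}"""

def role_creds_to_boto_kwargs(doc_text, now=None, min_remaining=timedelta(minutes=5)):
    """Hypothetical helper: metadata document -> keyword arguments for boto 2."""
    doc = json.loads(doc_text)  # the endpoint returns JSON, so parse it as JSON
    if doc.get("Code") != "Success":
        raise ValueError("metadata service returned Code=%r" % doc.get("Code"))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    now = now or datetime.utcnow()
    if expires - now < min_remaining:
        raise ValueError("role credentials expire at %s; fetch a fresh set" % expires)
    return {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        # Temporary credentials are rejected (AuthFailure) without this token.
        "security_token": doc["Token"],
    }

def redacted(kwargs):
    """Copy that is safe to log: keeps the key id, hides the secret and token."""
    return {k: (v if k == "aws_access_key_id" else "***") for k, v in kwargs.items()}

if __name__ == "__main__":
    kw = role_creds_to_boto_kwargs(SAMPLE_DOC, now=datetime(2015, 3, 1, 12, 0, 0))
    print(redacted(kw))
    # On the instance: conn = boto.connect_ec2(**kw)
    # With no keys passed and no credentials in .boto, boto.connect_ec2()
    # looks up the instance role itself and refreshes it before expiry.
```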