Re: [boto-users] Boto & GovCloud


Mitchell Garnaat

Apr 8, 2013, 12:43:21 PM
to boto-...@googlegroups.com
Hi -

I have attached a small script I created a while ago to help someone access GovCloud with boto.  I haven't personally tested it and it may be out of date but I would be interested in your feedback so that we could try to get something added to boto-proper in the near future.

Once you save this govcloud.py file somewhere (and make sure it is in your Python path) you can do the following:

Add a section like this in your boto config file::

    [Credentials]
    govcloud_access_key = <access key>
    govcloud_secret_key = <secret key>

And then you should be able to do this::

    >>> import govcloud
    >>> ec2 = govcloud.connect_ec2()

Mitch

On Sun, Apr 7, 2013 at 11:19 AM, Andrew Philpot <andrew....@gmail.com> wrote:
Does boto support use in AWS GovCloud?  I get credential validation errors (for all APIs) with my GC-targeted credentials.  If so, is there a tutorial specifically mentioning use in this region/availability area?

e.g.:

>>> boto.ec2.regions(aws_access_key_id="AKIA****************", aws_secret_access_key="***********")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/boto/ec2/__init__.py", line 39, in regions
    return c.get_all_regions()
  File "/usr/lib/python2.7/site-packages/boto/ec2/connection.py", line 1412, in get_all_regions
    return self.get_list('DescribeRegions', None, [('item', RegionInfo)])
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 616, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 401 Unauthorized
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>a3e5e5c2-405b-4ce6-bc01-3c9902c2460d</RequestID></Response>
>>>

--
You received this message because you are subscribed to the Google Groups "boto-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to boto-users+...@googlegroups.com.
To post to this group, send email to boto-...@googlegroups.com.
Visit this group at http://groups.google.com/group/boto-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

govcloud.py

Andrew Philpot

May 7, 2013, 4:51:21 PM
to boto-...@googlegroups.com, mi...@garnaat.com
Thanks a lot!
I have managed to make some things work with this script.
I have been able to connect to S3, put a file, etc.
I have not been able to create a bucket.  Am suspecting Location/Region defaulting/lookup here.

Would you consider adding an S3-GC-specific region, a la the attached?  (Probably there are other similar config edits as well)

Thanks again.
Andrew
__init__.py

Andrew Philpot

May 10, 2013, 1:24:33 AM
to boto-...@googlegroups.com, mi...@garnaat.com
Have also updated boto/sqs/__init__, boto/ec2/__init, and boto/s3/__init to try to add support for govcloud region there and have attempted to extend govcloud.py per the attached.  But I'm still getting authentication errors as if my credentials and endpoint don't match.

boto.https_connection.InvalidCertificateException: Host sqs.us-gov-west-1.amazonaws.com returned an invalid certificate (remote hostname "sqs.us-gov-west-1.amazonaws.com" does not match certificate): {'notAfter': 'Aug  6 23:59:59 2013 GMT', 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'Washington'),), (('localityName', u'Seattle'),), (('organizationName', u'Amazon.com Inc.'),), (('commonName', u'us-gov-west-1.queue.amazonaws.com'),))}
govcloud.py

Mitchell Garnaat

May 10, 2013, 9:16:29 AM
to boto-users
First, thanks for moving this forward.  It's an important capability and I appreciate your help with it.

The error you are getting is because boto is unable to verify the SSL certificate used on the govcloud SQS endpoint.  I suspect you are using a version of Python < 2.7.3.  Is that correct?  There is a bug in all Python versions prior to 2.7.3 that makes it impossible to find the subjectAltName stored in the SSL certificate.  So, if the commonName does not exactly match the hostname boto is using, you will get this error.

There are a couple of things you can do.

You could upgrade to Python >= 2.7.3.

You could disable SSL verification.  This is done by passing a "validate_certs=False" when you create the service connection object.

You could change the hostname that boto is using to match the commonName in the SSL certificate.  The commonName is "us-gov-west-1.queue.amazonaws.com" so if you make sure the govcloud region uses that host for SQS, it should be able to verify the SSL cert.

Mitch
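
Added example, not part of the original message and not boto's own code: a minimal hostname check over the dict shape returned by Python's ssl `getpeercert()`, showing why the mismatch above appears when subjectAltName is not readable, and why either reading it or connecting to the commonName host passes with verification left on. The `subjectAltName` entries in the sample are constructed (an assumption); the error in the thread only shows the subject.

```python
def dns_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] != "*" and p[0] != h[0]:
        return False
    return p[1:] == h[1:]


def cert_names(cert, read_san=True):
    """Names the certificate vouches for.

    Visible dNSName SAN entries take precedence; the subject commonName is
    used only when no SAN entry is visible (read_san=False models a runtime
    that cannot read the extension, as described in the reply above).
    """
    if read_san:
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if sans:
            return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname, read_san=True):
    return any(dns_match(n, hostname) for n in cert_names(cert, read_san))


CERT = {
    # Subject fields as shown in the InvalidCertificateException in the thread.
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Washington"),),
        (("localityName", "Seattle"),),
        (("organizationName", "Amazon.com Inc."),),
        (("commonName", "us-gov-west-1.queue.amazonaws.com"),),
    ),
    # Constructed for illustration: assumed SAN list, not taken from the thread.
    "subjectAltName": (
        ("DNS", "us-gov-west-1.queue.amazonaws.com"),
        ("DNS", "sqs.us-gov-west-1.amazonaws.com"),
    ),
}

if __name__ == "__main__":
    for host in ("sqs.us-gov-west-1.amazonaws.com", "us-gov-west-1.queue.amazonaws.com"):
        for san in (True, False):
            print(host, "read_san=%s" % san, hostname_matches(CERT, host, san))
```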

Andrew Philpot

May 10, 2013, 11:29:57 AM
to boto-...@googlegroups.com
I've been using 2.7 on some hosts, 2.6.x on others (particularly those where yum depends on system python 2.6, such as the ec2 AMI type I started with).
I've been putting off using virtualenv, but this seems like the perfect reason to take that bite.
I'll put that on my list and loop back with you when I have both devel and deployment machines able to use >=2.7.3.
Thanks,
Andrew



--
Andrew Philpot
andrew....@gmail.com