Re: [boto-users] how to get the session token by boto.sts?


Chris Moyer

Oct 8, 2012, 8:10:45 PM
to boto-...@googlegroups.com
You want to look at IAM users and permissions. You can create IAM users through the boto.iam module, or through the AWS console. Either way, you'll end up with a unique set of credentials for each IAM user, not a session token. The session tokens are designed for temporary access, like what happens with IAM roles.

On Mon, Oct 8, 2012 at 11:43 AM, samuelololol <samue...@gmail.com> wrote:
I want to use an IAM user (with MFA enabled) to access EC2, and I want this operation
to go completely without the access/secret key of root.

It seems like the solution is using the class method get_session_token of
boto.sts.STSConnection. But the problem is that I am not able to use boto.sts.STSConnection
without a set of access/secret keys for creating the boto.sts.STSConnection instance.
(I want that set of keys to be generated from the session_token Credentials info.)
How can I do it? Thanks!!

--
You received this message because you are subscribed to the Google Groups "boto-users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/boto-users/-/s4bGg_TYk-wJ.
To post to this group, send email to boto-...@googlegroups.com.
To unsubscribe from this group, send email to boto-users+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/boto-users?hl=en.



--
Chris Moyer

samuelololol

Oct 9, 2012, 5:48:01 AM
to boto-...@googlegroups.com
OK, so I created a user on the AWS web console (with MFA enabled; this feature is required for me).
I use it to log in to boto.sts and call get_session_token() with the MFA token and duration setting,
and the return value is the credential.

Is it correct that I can use the access/secret key in the returned value (credential) to access the EC2/S3 services?
Here is my code (I set my IAM user's access/secret key in the ~/.boto file in the [Credentials] section):
================
import boto
import boto.sts
sts = boto.connect_sts()
tok = sts.get_session_token(duration = 3600, force_new = True, mfa_serial_number = 'arn:aws:iam:xxxxxx:mfa/yyy', mfa_token = 'zzzzzzz')
mykey = str(tok.access_key)
mysecret = str(tok.secret_key)
myec2 = boto.connect_ec2(aws_access_key_id = mykey, aws_secret_access_key = mysecret)
myec2.get_all_instances()
================

and it fails at the last line!
It says:

AWS was not able to validate the provided access credentials 


and the policy attached to the user is:
=======
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition":{
        "Null":{"aws:MultiFactorAuthAge":"false"}
      }
    }
  ]
}
=============


I cannot figure out what's going on.
Please help!

Mitchell Garnaat

Oct 9, 2012, 11:37:43 AM
to boto-...@googlegroups.com
Hi -

You can use session credentials for any AWS call but you have to make sure you pass in the session token, in addition to the access key and secret key, associated with the session credentials when you create the connection.  So, in your particular case:

import boto
import boto.sts
sts = boto.connect_sts()
tok = sts.get_session_token(duration = 3600, force_new = True, mfa_serial_number = 'arn:aws:iam:xxxxxx:mfa/yyy', mfa_token = 'zzzzzzz')
myec2 = boto.connect_ec2(tok.access_key, tok.secret_key, security_token=tok.session_token)
myec2.get_all_instances()

Should work.

Mitch

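An added example (not code from the thread or from boto) that models the two points above offline: the three-part temporary credential that get_session_token returns, which connect_ec2 must receive whole, and how the "Null" condition in the policy from the question behaves for an MFA session versus the user's long-lived keys. The class and function names, and the request contexts, are this example's own constructions.

```python
"""Offline model of the credential handoff and the MFA-only policy check."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class SessionCredentials:
    # Same three fields boto exposes on the object get_session_token returns.
    access_key: str
    secret_key: str
    session_token: str


def ec2_connection_kwargs(creds: SessionCredentials) -> Dict[str, str]:
    """kwargs for boto.connect_ec2(**kwargs). Temporary credentials are only
    valid as a triple; the code in the question dropped security_token, so
    AWS could not validate the request."""
    return {
        "aws_access_key_id": creds.access_key,
        "aws_secret_access_key": creds.secret_key,
        "security_token": creds.session_token,
    }


def null_condition_allows(policy: dict, context: Dict[str, str]) -> bool:
    """Evaluate a single-statement Allow policy whose only condition block is
    the IAM "Null" operator. "Null": {key: "false"} means the request context
    must contain key; "true" means it must not. Other operators are out of
    scope for this example."""
    stmt = policy["Statement"][0]
    if stmt["Effect"] != "Allow":
        return False
    null_cond = stmt.get("Condition", {}).get("Null", {})
    for key, must_be_absent in null_cond.items():
        present = key in context
        if must_be_absent == "true" and present:
            return False
        if must_be_absent == "false" and not present:
            return False
    return True


# The policy from the question, verbatim.
MFA_ONLY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*",
                   "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}}]}

# Constructed request contexts. AWS sets aws:MultiFactorAuthAge (seconds since
# MFA) only for temporary credentials obtained with an MFA token; a request
# signed with the user's long-lived keys carries no such key.
MFA_SESSION_CONTEXT = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "120"}
LONG_LIVED_KEY_CONTEXT: Dict[str, str] = {}
```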

Mitchell Garnaat

Oct 9, 2012, 1:16:24 PM
to boto-...@googlegroups.com
BTW, if your goal is to get limited credentials installed onto an EC2 instance as easily and securely as possible, I would highly recommend that you check out IAM Roles.  You create a policy, just as with a user, but you then associate that policy with an IAM Role.  That Role is then associated with an InstanceProfile.  Then, when you launch an instance, you can specify the InstanceProfile at launch time and EC2 handles all of the details of getting short-lived, limited credentials on the EC2 instance automatically.  Boto will automatically find those credentials and use them, and the really neat part is that the credentials are automatically rotated every few hours.

It's easy to use and, by far, the most secure way I know of getting credentials onto an EC2 instance.

Mitch

samuelololol

Oct 11, 2012, 5:53:58 AM
to boto-...@googlegroups.com, mi...@garnaat.com
Thank you Chris and Mitchell, it works!

And there is another question here :(
As Mitchell says, Role is a really neat design for the security issue;
is it possible for 'Role' to work with the MFA mechanism? I'd prefer MFA, but it only allows IAM users,
and that's why I use an IAM user and the STS module with MFA here.

Thanks!!

Chris Moyer

Oct 17, 2012, 3:34:22 PM
to boto-...@googlegroups.com, mi...@garnaat.com
Roles and MFA are essentially both doing the same thing. With the MFA it's two-factor authentication using both "knows-something" (the credentials) and "has-something" (the MFA device). With an IAM Role, the "has-something" is replaced with an "is-something" (an Instance attached to your account). The credentials provided on a Role are temporary, just like with an MFA.

If you're using an MFA, keep in mind that you're going to have to manually re-enter that MFA token periodically to keep your service running. That's probably not something you want to do.

--
Chris Moyer