OK, so I create a user on the AWS web console (with MFA enabled; this feature is required for me).
I use it to log in to boto.sts and call get_session_token() with the MFA token and duration setting,
and the return value is the credential.
Is it correct that I can use the access/secret key in the returned value (credential) to access the EC2/S3 services?
Here is my code (I set my IAM user's access/secret key in the ~/.boto file in the [Credentials] section):
================
import boto
import boto.sts

sts = boto.connect_sts()
tok = sts.get_session_token(duration=3600, force_new=True,
                            mfa_serial_number='arn:aws:iam:xxxxxx:mfa/yyy',
                            mfa_token='zzzzzzz')
mykey = str(tok.access_key)
mysecret = str(tok.secret_key)
myec2 = boto.connect_ec2(aws_access_key_id=mykey, aws_secret_access_key=mysecret)
myec2.get_all_instances()
================
and it fails at the last line!
It says:
AWS was not able to validate the provided access credentials
and the policy attached to the user is
=======
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": "false"}
      }
    }
  ]
}
=============
I cannot figure out what's going on.
Please help!
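For reference, an added example (not the poster's code): an STS temporary credential is three values, the access key, the secret key and the session token, and boto 2 takes the token through the `security_token` argument of `connect_ec2()`/`connect_s3()`. The helpers below build those kwargs, refuse an incomplete credential, check expiry, and wrap the poster's flow; the `SAMPLE_*` values are constructed stand-ins for what `get_session_token()` returns, and `connect_ec2_with_mfa()` needs boto plus long-term keys in `~/.boto`.

```python
import datetime
from types import SimpleNamespace

# The three parts of an STS temporary credential (attribute names of boto.sts
# Credentials). A session access key/secret is only valid together with its token.
REQUIRED = ("access_key", "secret_key", "session_token")

def connection_kwargs(creds):
    """Map an STS Credentials object onto the kwargs boto.connect_ec2()/connect_s3()
    accept. Raises if the credential is incomplete, i.e. the token was dropped."""
    missing = [f for f in REQUIRED if not getattr(creds, f, None)]
    if missing:
        raise ValueError("incomplete temporary credential, missing: " + ", ".join(missing))
    return {
        "aws_access_key_id": creds.access_key,
        "aws_secret_access_key": creds.secret_key,
        "security_token": creds.session_token,  # boto 2's name for the session token
    }

def is_expired(creds, now=None, skew=60):
    """True when the credential expires within `skew` seconds of `now` (naive UTC)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            expires = datetime.datetime.strptime(creds.expiration, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError("unparseable expiration: %r" % creds.expiration)
    now = now or datetime.datetime.utcnow()
    return (expires - now).total_seconds() <= skew

def connect_ec2_with_mfa(mfa_serial, mfa_code, duration=3600):
    """The flow from the post with the session token passed through. Needs boto
    and the user's long-term keys in ~/.boto; mfa_serial/mfa_code are the caller's."""
    import boto
    import boto.sts
    sts = boto.connect_sts()
    creds = sts.get_session_token(duration=duration, force_new=True,
                                  mfa_serial_number=mfa_serial, mfa_token=mfa_code)
    return boto.connect_ec2(**connection_kwargs(creds))

# Constructed stand-ins for what get_session_token() returns (not real credentials).
SAMPLE_CREDS = SimpleNamespace(access_key="ASIAEXAMPLEKEY", secret_key="examplesecret",
                               session_token="exampletoken", expiration="2011-07-11T19:55:29.611Z")
SAMPLE_NO_TOKEN = SimpleNamespace(access_key="ASIAEXAMPLEKEY", secret_key="examplesecret",
                                  session_token=None, expiration="2011-07-11T19:55:29.611Z")
SAMPLE_NOW_FRESH = datetime.datetime(2011, 7, 11, 18, 0, 0)   # about 2 h before expiry
SAMPLE_NOW_LATE = datetime.datetime(2011, 7, 11, 19, 55, 0)   # 29.6 s before expiry
```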