Amazon web services 无法通过AWS配置文件担任角色
我们总是使用以下方法在远程机器上担任超过一小时的角色:Amazon web services 无法通过AWS配置文件担任角色,amazon-web-services,amazon-iam,botocore,Amazon Web Services,Amazon Iam,Botocore,我们总是使用以下方法在远程机器上担任超过一小时的角色: # Prep environment to use roles. unset AWS_CONFIG_FILE unset AWS_DEFAULT_REGION unset AWS_DEFAULT_PROFILE CONFIG_FILE=$(mktemp) # Creates temp file with instance profile credentials as default # AWS_ACCESS_KEY_ID, AWS_SE
# Prep environment to use roles.
unset AWS_CONFIG_FILE
unset AWS_DEFAULT_REGION
unset AWS_DEFAULT_PROFILE
CONFIG_FILE=$(mktemp)
# Creates temp file with instance profile credentials as default
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ROLE_ARN are available from the environment.
printf "[default]\naws_access_key_id=$AWS_ACCESS_KEY_ID\naws_secret_access_key=$AWS_SECRET_ACCESS_KEY\n[profile role_profile]\nrole_arn = $ROLE_ARN\nsource_profile = default" > $CONFIG_FILE
# make sure instance profile takes precedence
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
export AWS_CONFIG_FILE=$CONFIG_FILE
export AWS_DEFAULT_REGION=us-east-1
export AWS_DEFAULT_PROFILE=role_profile
不幸的是,这种方法最近开始失败。我们只需运行以下命令即可重现故障:
aws sts get-caller-identity
将--debug
标志添加到最后一个命令:
09:11:47 2018-06-21 14:11:47,731 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.15.40 Python/2.7.12 Linux/4.9.76-3.78.amzn1.x86_64 botocore/1.10.40
...
09:11:47 2018-06-21 14:11:47,811 - MainThread - botocore.hooks - DEBUG - Event choose-signer.sts.GetCallerIdentity: calling handler <function set_operation_specific_signer at 0x7f22d19a6ed8>
09:11:47 2018-06-21 14:11:47,812 - MainThread - botocore.credentials - WARNING - Refreshing temporary credentials failed during mandatory refresh period.
09:11:47 Traceback (most recent call last):
09:11:47 File "/var/lib/jenkins/.local/lib/python2.7/site-packages/botocore/credentials.py", line 432, in _protected_refresh
...
09:11:47 raise KeyError(cache_key)
09:11:47 KeyError: 'xxxx' (redacted)
09:11:47 2018-06-21 14:11:47,814 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255
09:11:47 2018-06-21 14:11:47731-主线程-awscli.clidriver-调试-CLI版本:aws CLI/1.15.40 Python/2.7.12 Linux/4.9.76-3.78.amzn1.x86_64 botocore/1.10.40
...
09:11:47 2018-06-21 14:11:47811-主线程-botocore.hooks-调试-事件选择-signer.sts.GetCallerIdentity:调用处理程序
09:11:47 2018-06-21 14:11:47812-主线程-botocore.credentials-警告-在强制刷新期间刷新临时凭据失败。
09:11:47回溯(最近一次呼叫最后一次):
09:11:47文件“/var/lib/jenkins/.local/lib/python2.7/site packages/botocore/credentials.py”,第432行,在受保护的刷新中
...
09:11:47升起键错误(缓存键)
09:11:47键错误:“xxxx”(已编辑)
09:11:47 2018-06-21 14:11:47814-主线程-awscli.clidriver-调试-使用rc 255退出
显然,Python“缓存”字典中缺少一个键。显而易见的解决方案就是找到并删除缓存:
rm ~/.aws/cli/cache
但这并不能解释这是如何开始发生的(以及它是否会再次发生)。有人能解释一下发生了什么吗?也许,
~/.aws/cli
中的权限是错误的
检查权限:
ls -la ~/.aws/cli
ls -la ~/.aws/cli/cache
您的文件可能具有错误的权限或所有权。更正它们,aws cli命令将正常工作
~/.aws/cli/cache
中的文件所需的权限为-rw------
希望能有帮助