Python ListBucket操作:访问被拒绝-aws mfa令牌
我正在努力使用我的mfa aws帐户列出python脚本中的bucket,但每次运行代码时都会被拒绝 输出脚本Python ListBucket操作:访问被拒绝-aws mfa令牌,python,amazon-web-services,amazon-s3,Python,Amazon Web Services,Amazon S3,我正在努力使用我的mfa aws帐户列出python脚本中的bucket,但每次运行代码时都会被拒绝 输出脚本 Enter your MFA Token:899211 {'Credentials': {'AccessKeyId': 'ASIASUXXXXXXXXXXX', 'SecretAccessKey': 'T1Cn9FpXXXXXXXXXXXXXXXXXl', 'SessionToken': 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCXXXXXXXXXXXXXXXXXXXX
Enter your MFA Token:899211
{'Credentials': {'AccessKeyId': 'ASIASUXXXXXXXXXXX', 'SecretAccessKey': 'T1Cn9FpXXXXXXXXXXXXXXXXXl', 'SessionToken': 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=', 'Expiration': datetime.datetime(2020, 4, 22, 10, 0, 21, tzinfo=tzutc())}, 'ResponseMetadata': {'RequestId': '6c05ad08-XXXX-4b2a-XXXX-VVVVVVVVV', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '6c05ad08-XXXx-XXXX-XXXXXXX-8c4a5b504404', 'content-type': 'text/xml', 'content-length': '804', 'date': 'Wed, 22 Apr 2020 09:00:21 GMT'}, 'RetryAttempts': 0}}
Traceback (most recent call last):
File "aws_connect.py", line 23, in <module>
response_s3 = s3.list_buckets()
File "/home/my_user/.local/lib/python3.6/site-packages/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/my_user/.local/lib/python3.6/site-packages/botocore/client.py", line 626, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
因此,我得到了正确的accesskeyid、secretAccesskey以及SesstionToken,但我无法从我的帐户中列出任何内容。必须将MFA会话凭据传递给
两个客户端(“s3”)
。最简单的方法是在代码本身
例如:
s3 = boto3.client('s3',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken']
)
对于到达此处并需要使用不同于其凭据文件的配置文件的任何人,这是通过以下行完成的:
boto3.setup_default_session(profile_name='PROFILE_NAME')
最后要确保的是,用户帐户具有以下各项的允许策略:
s3:ListAllMyBuckets
总而言之,整个脚本如下所示:
#!/usr/bin/env python
import boto3
serial_number = input('Enter your device serial number: ')
token = input('Enter your MFA Token: ')
# This line is necessary if you're using
# a profile other than your default profile
boto3.setup_default_session(profile_name='demo_cli')
client = boto3.client('sts')
response = client.get_session_token(
DurationSeconds=3600,
SerialNumber=serial_number,
TokenCode=token,
)
s3 = boto3.client('s3',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken']
)
response_s3 = s3.list_buckets()
# Output the bucket names
print('Existing buckets:')
for bucket in response_s3['Buckets']:
print(f' {bucket["Name"]}')
MFA会话凭据必须传递到boto3.client('s3'),才能使用。最简单的方法是在代码本身 例如:
s3 = boto3.client('s3',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken']
)
对于到达此处并需要使用不同于其凭据文件的配置文件的任何人,这是通过以下行完成的:
boto3.setup_default_session(profile_name='PROFILE_NAME')
最后要确保的是,用户帐户具有以下各项的允许策略:
s3:ListAllMyBuckets
总而言之,整个脚本如下所示:
#!/usr/bin/env python
import boto3
serial_number = input('Enter your device serial number: ')
token = input('Enter your MFA Token: ')
# This line is necessary if you're using
# a profile other than your default profile
boto3.setup_default_session(profile_name='demo_cli')
client = boto3.client('sts')
response = client.get_session_token(
DurationSeconds=3600,
SerialNumber=serial_number,
TokenCode=token,
)
s3 = boto3.client('s3',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken']
)
response_s3 = s3.list_buckets()
# Output the bucket names
print('Existing buckets:')
for bucket in response_s3['Buckets']:
print(f' {bucket["Name"]}')
您的用户附加了什么策略?您是否已检查IAM策略及其权限?请确保IAM策略包含:
“s3:GetObject”、“s3:ListBucket”
我可能错了,但您不需要使用响应将获取的凭据设置到s3客户端吗?类似于s3=boto3.client('s3',aws\u access\u key\u id=access\u key,aws\u secret\u access\u key=secret\u key,aws\u session\u token=session\u token,)
well。。您发布的内容无效。。我发现了一些奇怪的东西,如果我将accesskeyid、secretAccesskey、SesstionToken和region导出到bash系统中,就可以列出s3存储桶。变量可以用printenv打印。如果不导出这些变量,则无法使其工作。现在我有另一个问题,如何通过python脚本将变量导出到bash系统中,它根本不起作用。谢谢您的用户附加了哪些策略?您是否已检查IAM策略及其权限?请确保IAM策略包含:“s3:GetObject”、“s3:ListBucket”
我可能错了,但您不需要使用响应将获取的凭据设置到s3客户端吗?类似于s3=boto3.client('s3',aws\u access\u key\u id=access\u key,aws\u secret\u access\u key=secret\u key,aws\u session\u token=session\u token,)
well。。您发布的内容无效。。我发现了一些奇怪的东西,如果我将accesskeyid、secretAccesskey、SesstionToken和region导出到bash系统中,就可以列出s3存储桶。变量可以用printenv打印。如果不导出这些变量,则无法使其工作。现在我有另一个问题,如何通过python脚本将变量导出到bash系统中,它根本不起作用。谢谢