
Boto3 Uses Old Credentials

I am using tkinter to create a GUI application that returns the security groups. Currently if you want to change your credentials (e.g. if you accidentally entered the wrong ones) yo

Solution 1:

You need boto3.session.Session to overwrite the access credentials.

Just do this (reference: http://boto3.readthedocs.io/en/latest/reference/core/session.html):

import boto3

# Assign your own access keys
mysession = boto3.session.Session(aws_access_key_id='foo1', aws_secret_access_key='bar1')

# If you want to use a different profile, called foobar, inside .aws/credentials
mysession = boto3.session.Session(profile_name="foobar")

# Afterwards, just declare your AWS client/resource services
sqs_resource = mysession.resource("sqs")

# or client
s3_client = mysession.client("s3")

Basically, it is a small change to your code: you just pass in the session instead of calling boto3.client/boto3.resource directly.

self.sts_client = mysession.client('sts')

Solution 2:

Sure, just create different sessions from botocore.session.Session object for each set of credentials:

import boto3
s1 = boto3.session.Session(aws_access_key_id='foo1', aws_secret_access_key='bar1')
s2 = boto3.session.Session(aws_access_key_id='foo2', aws_secret_access_key='bar2')

Also, you can leverage the set_credentials method to keep one session and change creds on the fly:

import botocore.session
session = botocore.session.Session()

session.set_credentials('foo', 'bar')
client = session.create_client('s3')
client._request_signer._credentials.access_key
u'foo'

session.set_credentials('foo1', 'bar')
client = session.create_client('s3')
client._request_signer._credentials.access_key
u'foo1'

Solution 3:

The answers given by @mootmoot and @Vor clearly state the way of dealing with multiple credentials using a session.

@Vor's answer

import boto3
s1 = boto3.session.Session(aws_access_key_id='foo1', aws_secret_access_key='bar1')
s2 = boto3.session.Session(aws_access_key_id='foo2', aws_secret_access_key='bar2')

But some of you may be curious why the boto3 client or resource behaves in that manner in the first place.

Let's clear out a few points about Session and Client as they'll actually lead us to the answer to the aforementioned question.

Session

  • A 'Session' stores configuration state and allows you to create service clients and resources

Client

  • If the credentials are not passed explicitly as arguments to the boto3.client method, then the credentials configured for the session will automatically be used. You only need to provide credentials as arguments if you want to override the credentials used for this specific client.

Now let's get to the code and see what actually happens when you call boto3.client()

def client(*args, **kwargs):
    return _get_default_session().client(*args, **kwargs)

def _get_default_session():
    if DEFAULT_SESSION is None:
        setup_default_session()
    return DEFAULT_SESSION

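def setup_default_session(**kwargs):
    # Rebind the module-level variable; without "global" the assignment would be local
    global DEFAULT_SESSION
    DEFAULT_SESSION = Session(**kwargs)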

Learnings from the above

  1. The function boto3.client() is really just a proxy for the boto3.Session.client() method.
  2. Once you use the client, the DEFAULT_SESSION is set up, and every subsequent client creation keeps using the DEFAULT_SESSION.
  3. The credentials configured for the DEFAULT_SESSION are used if the credentials are not explicitly passed as arguments while creating the boto3 client.

Answer

  • The first call to boto3.client() sets up the DEFAULT_SESSION and configures the session with oldCredsAccessKey and oldCredsSecretKey, the values already set for the env variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY respectively.

  • So even if you set new values of credentials in the environment, i.e. do this:

os.environ['AWS_ACCESS_KEY_ID'] = newCredsAccessKey
os.environ['AWS_SECRET_ACCESS_KEY'] = newCredsSecretKey

  • The upcoming boto3.client() calls still pick up the old credentials configured for the DEFAULT_SESSION.

NOTE

  • A boto3.client() call in this whole answer means that no arguments are passed to the client method.
