Boto3 Uses Old Credentials
Solution 1:
You need boto3.session.Session to overwrite the access credentials.
Just do this reference http://boto3.readthedocs.io/en/latest/reference/core/session.html
import boto3
# Assign you own access
mysession = boto3.session.Session(aws_access_key_id='foo1', aws_secret_access_key='bar1')
# If you want to use different profile call foobar inside .aws/credentials
mysession = boto3.session.Session(profile_name="fooboar")
# Afterwards, just declare your AWS client/resource services
sqs_resource=mysession.resource("sqs")
# or client
s3_client=mysession.client("s3")
Basically, little change to your code. you just pass in the session instead of direct boto3.client/boto3.resource
self.sts_client = mysession.client('sts')
Solution 2:
Sure, just create different sessions from botocore.session.Session object for each set of credentials:
import boto3
s1 = boto3.session.Session(aws_access_key_id='foo1', aws_secret_access_key='bar1')
s2 = boto3.session.Session(aws_access_key_id='foo2', aws_secret_access_key='bar2')
Also you can leverage set_credentials method to keep 1 session an change creds on the fly:
import botocore
session - botocore.session.Session()
session.set_credentials('foo', 'bar')
client = session.create_client('s3')
client._request_signer._credentials.access_key
u'foo'
session.set_credentials('foo1', 'bar')
client = session.create_client('s3')
client._request_signer._credentials.access_key
u'foo1'
Solution 3:
The answers given by @mootmoot and @Vor clearly state the way of dealing with multiple credentials using a session.
@Vor's answer
import boto3
s1 = boto3.session.Session(aws_access_key_id='foo1', aws_secret_access_key='bar1')
s2 = boto3.session.Session(aws_access_key_id='foo2', aws_secret_access_key='bar2')
But some of you would be curious about why does the boto3 client or resource behave in that manner in the first place?
Let's clear out a few points about Session and Client as they'll actually lead us to the answer to the aforementioned question.
Session
- A 'Session' stores configuration state and allows you to create service clients and resources
Client
- if the credentials are not passed explicitly as arguments to the
boto3.clientmethod, then the credentials configured for the session will automatically be used. You only need to provide credentials as arguments if you want to override the credentials used for this specific client
Now let's get to the code and see what actually happens when you call boto3.client()
def client(*args, **kwargs):
return _get_default_session().client(*args, **kwargs)
def _get_default_session():
if DEFAULT_SESSION is None:
setup_default_session()
return DEFAULT_SESSION
def setup_default_session(**kwargs):
DEFAULT_SESSION = Session(**kwargs)
Learnings from the above
- The function
boto3.client()is really just a proxy for the boto3.Session.client() method - If you once use the client, the
DEFAULT_SESSIONis set up and for the next consecutive creation of clients it'll keep using theDEFAULT_SESSION - The credentials configured for the
DEFAULT_SESSIONare used if the credentials are not explicitly passed as arguments while creating the boto3 client.
Answer
The first call to
boto3.client()sets up theDEFAULT_SESSIONand configures the session with theoldCredsAccessKey,oldCredsSecretKey, the already set values for env variablesAWS_ACCESS_KEY_IDandAWS_SECRET_ACESS_KEYrespectively.So even if you set new values of credentials in the environment, i.e do this
os.environ['AWS_ACCESS_KEY_ID'] = newCredsAccessKey
os.environ['AWS_SECRET_ACCESS_KEY'] = newCredsSecretKey
- The upcoming
boto3.client()calls still pick up the old credentials configured for theDEFAULT_SESSION
NOTE
boto3.client()call in this whole answer means that no arguments passed to the client method.
References
Post a Comment for "Boto3 Uses Old Credentials"