Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Access aws dynamodb using boto3 when MFA has been set. Getting ClientError

Tags:

amazon-web-services

amazon-dynamodb

Previously when I did not set MFA to login to AWS console I've connected to dynamodb by

dynamo = boto3.resource('dynamodb',
                        region_name='ap-northeast-2',
                        endpoint_url='http://dynamodb.ap-northeast-2.amazonaws.com')
table = dynamo.Table('tablename')

and querying to that table was perfectly fine.

response = table.query(
    KeyConditionExpression =Key("user_id").eq(123123)
)

After I've set MFA for additional security to login to AWS console and now when I execute above code I get:

ClientError: An error occurred (UnrecognizedClientException) when calling the Query operation: The security token included in the request is invalid.

I use tunnel for RDB, is there something like that I could use for connecting to dynamodb or is there a permission I need in order to access dynamodb?

like image 593
haneulkim Avatar asked Feb 27 '26 11:02

haneulkim

1 Answers

When you enable MFA, SDK does not automatically know how to work with it. Your regular IAM user's API and SECRET keys are no longer enough. Instead you need to use temporary credentials created only for your MFA session.

To make MFA work with boto3 you have to explicitly call get_session_token:

MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication.

Using get_session_token you can call sts service which is going to provide you with temporary credentials based on your MFA details:

sts = boto3.client('sts')

mfa_response = sts.get_session_token(
    DurationSeconds=123,
    SerialNumber='string',
    TokenCode='string'
)

The call will return the credentials in mfa_response which you can use to create a new boto3 session. For example:

mfa_session = boto3.session.Session(
      aws_access_key_id=mfa_session['Credentials']['AccessKeyId'], 
      aws_secret_access_key=mfa_session['Credentials']['SecretAccessKey'], 
      aws_session_token=mfa_session['Credentials']['SessionToken'])

dynamo = mfa_session.resource('dynamodb', ...)

# and the rest of the code
like image 171
Marcin Avatar answered Mar 02 '26 05:03

Marcin
Sign in to Comment

Related questions

Kubernetes DNS fails to resolve most of the times but sometimes it works. What can i do to solve this?
Callbacks not called in amazon in app billing
How to use existing docker-compose.yml file in AWS Elastic Container Service?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!