I have a script that pulls a lot of metrics from Cloudwatch for our own internal reports.
The script iterates over all of the EC2 instances in a specific region and asks for 5 CloudWatch metrics (all the statistics available) for the past 2 weeks (each call covers 5 days back at a 5-minute interval, which is exactly the 1440 data-point quota). I'm using an assumed session:
```python
from boto3.session import Session

# Long-lived user credentials are used only to call STS.
session = Session(aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
                  region_name=regionName)
sts = session.client('sts')
response = sts.assume_role(
    RoleArn=arn,  # External role arn
    RoleSessionName='role-name',
    ExternalId='<some-id-here>',
)
# Temporary credentials returned by STS; no DurationSeconds was given,
# so they are valid for the default 1 hour.
tempAccessKeyId = response['Credentials']['AccessKeyId']
tempSecretAccessKey = response['Credentials']['SecretAccessKey']
tempSessionToken = response['Credentials']['SessionToken']
assumedSession = Session(
    aws_access_key_id=tempAccessKeyId,
    aws_secret_access_key=tempSecretAccessKey,
    aws_session_token=tempSessionToken,
    region_name=regionName)
```
While running the script I got this exception:
botocore.exceptions.ClientError: An error occurred (ExpiredToken) when calling the GetMetricStatistics operation: The security token included in the request is expired
Is there a way to make sure the token doesn't expire while running the script? I'm using boto3.
The related error "The security token included in the request is invalid" can occur for multiple reasons, one of which is that the user's credentials are inactive: open the IAM console, click on the user, and in the Security Credentials tab make sure the user's access keys are active.
If instead the message says the token is expired, the temporary credentials have passed their expiration time and must be refreshed; deactivated keys and expired tokens are different failures.
For security reasons, a token for an AWS account root user is restricted to a duration of one hour. GetSessionToken returns temporary security credentials consisting of a session token, an access key ID, and a secret access key.
The SerialNumber value (the MFA device passed to GetSessionToken) is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.
The assume_role method you are using returns temporary security credentials. The following is taken from the official documentation:
The temporary security credentials are valid for the duration that you specified when calling AssumeRole , which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). The default is 1 hour.
Since you are not using the DurationSeconds keyword argument, the returned credentials are valid for the default 1 hour. You must make sure to get new credentials in order to make requests after 1 hour. See the following from the Temporary Security Credentials official documentation:
When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
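The answer above says to request new credentials "when (or even before)" the old ones expire, but does not show how to do that inside a job that runs longer than one hour. The following is an added example, not code from the original question or answers: a small wrapper that caches the AssumeRole result, re-assumes the role a few minutes before expiry, and hands out a fresh boto3 client per unit of work. The `assume_role` callable is injected so the class can be exercised offline with the constructed `FakeClock` and `fake_assume_role` below; in production you pass `sts.assume_role` from a client built on long-lived credentials. The role ARN, session name and external ID are placeholders. One caveat the answer's quoted text omits: `DurationSeconds` may be raised beyond 3600 up to the role's configured maximum session duration (at most 12 hours), except when the call is itself made with role-chained credentials, where one hour remains the cap.

```python
"""Added example: keep an assumed-role session fresh for a long-running job."""
from datetime import datetime, timedelta, timezone

# Re-assume this long before STS says the credentials expire, so that a
# request issued just before the deadline never straddles the expiry instant.
REFRESH_MARGIN = timedelta(minutes=5)


class RefreshingAssumedRole:
    """Caches AssumeRole credentials and re-assumes the role before expiry.

    assume_role: any callable shaped like boto3's sts.assume_role(**kwargs).
    now: clock callable returning an aware datetime (injectable for tests).
    """

    def __init__(self, assume_role, role_arn, session_name, external_id=None,
                 duration_seconds=3600, now=None):
        self._assume_role = assume_role
        self._params = {"RoleArn": role_arn, "RoleSessionName": session_name,
                        "DurationSeconds": duration_seconds}
        if external_id is not None:
            self._params["ExternalId"] = external_id
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self._expiry = None
        self.refresh_count = 0  # exposed so callers (and tests) can observe refreshes

    def _refresh(self):
        resp = self._assume_role(**self._params)
        c = resp["Credentials"]
        self._creds = {"aws_access_key_id": c["AccessKeyId"],
                       "aws_secret_access_key": c["SecretAccessKey"],
                       "aws_session_token": c["SessionToken"]}
        self._expiry = c["Expiration"]  # aware datetime, as botocore returns it
        self.refresh_count += 1

    def credentials(self):
        """Return credentials guaranteed to be valid for at least REFRESH_MARGIN."""
        if self._creds is None or self._now() + REFRESH_MARGIN >= self._expiry:
            self._refresh()
        return dict(self._creds)

    def client(self, service, region_name):
        """Build a boto3 client on credentials that are fresh right now.

        Call this per unit of work (per instance, per 5-day window), not once
        at startup; the client built at startup is the one that dies at 1 hour.
        """
        import boto3  # imported lazily so the class is testable without boto3
        return boto3.client(service, region_name=region_name, **self.credentials())


# --- constructed test doubles, not part of any real AWS API ---------------

class FakeClock:
    """Manually advanced clock standing in for datetime.now()."""

    def __init__(self):
        self.t = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def __call__(self):
        return self.t


def make_fake_assume_role(clock):
    """Return a stand-in for sts.assume_role that issues a new key per call."""
    calls = {"n": 0}

    def assume_role(**kwargs):
        calls["n"] += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAFAKE{calls['n']:04d}",  # placeholder key id
            "SecretAccessKey": "fake-secret",
            "SessionToken": f"fake-token-{calls['n']}",
            "Expiration": clock() + timedelta(seconds=kwargs["DurationSeconds"]),
        }}

    return assume_role


if __name__ == "__main__":
    clock = FakeClock()
    role = RefreshingAssumedRole(make_fake_assume_role(clock),
                                 "arn:aws:iam::123456789012:role/MetricsReader",
                                 "metrics-report", external_id="example-id",
                                 now=clock)
    for minute in (0, 30, 56):
        clock.t = FakeClock().t + timedelta(minutes=minute)
        key = role.credentials()["aws_access_key_id"]
        print(f"t+{minute:2d}min -> {key} (refreshes so far: {role.refresh_count})")
```

In the real script the loop over instances and 5-day windows calls `role.client('cloudwatch', regionName)` each iteration instead of reusing `assumedSession`; the wrapper only hits STS when the cached credentials are within five minutes of expiring, so the extra call cost is one AssumeRole per hour.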
In my case the issue was that I had credentials in my .aws/configure and was trying to configure from that, but what I didn't realize is that I had another pair of credentials (AWS_SESSION_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) set in environment variables.
You can do this (which will remove the credentials from the environment):
unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
Now you will have only one set of access keys, i.e. the ones in .aws/configure, and I was able to make the connection successfully.
aws configure
aws sts get-caller-identity
If you are using a profile other than default, use the --profile flag in the above commands.
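The answer above fixed the problem by removing environment credentials that were shadowing the profile. The following is an added example, not code from the original post, that makes that precedence visible without a network call: it lists which static credential sources are populated, in the order botocore consults them (environment variables, then the shared credentials file), and says which one wins. It also models a detail behind the "use --profile" remark: when a profile is given explicitly (`--profile` on the CLI or `Session(profile_name=...)`), botocore removes the environment credential provider altogether, so the environment no longer shadows the file. The environment dictionary and credentials-file text used for the demo are constructed placeholders; the `explicit_profile` flag and the `credential_sources` / `diagnose` names are this example's own, not a boto3 API.

```python
"""Added example: report which static credential source boto3/the AWS CLI
will use, and whether a lingering AWS_SESSION_TOKEN is shadowing a profile."""
import configparser
import os
from pathlib import Path

ENV_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed sample inputs for the offline demo; every value is a placeholder.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "ASIAEXAMPLEENV",
    "AWS_SECRET_ACCESS_KEY": "env-secret",
    "AWS_SESSION_TOKEN": "leftover-token-from-an-earlier-run",
}
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEFILE
aws_secret_access_key = file-secret

[reports]
aws_access_key_id = AKIAEXAMPLEREPORTS
aws_secret_access_key = reports-secret
"""


def credential_sources(environ=None, profile=None, explicit_profile=False,
                       credentials_text=None, credentials_file=None):
    """Return the populated static credential sources in precedence order.

    Mirrors botocore: environment variables first, then the shared credentials
    file. explicit_profile=True models `--profile X` / Session(profile_name=X),
    for which botocore drops the environment provider entirely.
    credentials_text lets callers supply the file contents inline (demo/tests).
    """
    environ = os.environ if environ is None else environ
    profile = profile or environ.get("AWS_PROFILE", "default")
    found = []

    env_keys = [k for k in ENV_KEYS if environ.get(k)]
    if env_keys and not explicit_profile:
        found.append({"source": "environment", "profile": None,
                      "session_token": "AWS_SESSION_TOKEN" in env_keys})

    cfg = configparser.ConfigParser()
    if credentials_text is not None:
        cfg.read_string(credentials_text)
    else:
        path = Path(credentials_file or environ.get(
            "AWS_SHARED_CREDENTIALS_FILE", Path.home() / ".aws" / "credentials"))
        cfg.read(path)  # a missing file simply yields no sections
    if cfg.has_option(profile, "aws_access_key_id"):
        found.append({"source": "shared credentials file", "profile": profile,
                      "session_token": cfg.has_option(profile, "aws_session_token")})
    return found


def diagnose(found):
    """One-line verdict: which source wins, what it shadows, what to clear."""
    if not found:
        return ("no static credentials found; an instance profile, SSO or a "
                "credential_process may still apply")
    winner, shadowed = found[0], found[1:]
    verdict = f"active source: {winner['source']}"
    if winner["profile"]:
        verdict += f" [{winner['profile']}]"
    if winner["session_token"]:
        verdict += ("; it carries a session token, which expires, so an "
                    "ExpiredToken error points at this source, not the profile")
    if shadowed:
        verdict += "; shadowing: " + ", ".join(s["source"] for s in shadowed)
    if winner["source"] == "environment":
        verdict += " (clear with: unset " + " ".join(ENV_KEYS) + ")"
    return verdict


if __name__ == "__main__":
    # Real run: inspect the current shell environment and ~/.aws/credentials.
    print(diagnose(credential_sources()))
    # Demo run on the constructed inputs above.
    print(diagnose(credential_sources(environ=SAMPLE_ENV,
                                      credentials_text=SAMPLE_CREDENTIALS)))
    print(diagnose(credential_sources(environ=SAMPLE_ENV, profile="reports",
                                      explicit_profile=True,
                                      credentials_text=SAMPLE_CREDENTIALS)))
```

Run it before `aws sts get-caller-identity`: if the verdict names the environment as the active source and that source carries a session token, the token is the one that expires, and the `unset` line it prints is the same fix the answer applied. Note that `get-caller-identity` remains the authoritative check, since it reports what AWS actually accepted.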