I am using boto3 to connect to AWS-SES for sending mails. Instead of an access key, I want to use an IAM role to connect.

import boto3

# Ask STS for temporary credentials for the role
sts_client = boto3.client('sts')
assumedRoleObject = sts_client.assume_role(
    RoleArn="arn:aws:iam::824214895785:role/my_role_s3",
    RoleSessionName="AssumeRoleSession1"
)

# Build the S3 resource from the temporary credentials
credentials = assumedRoleObject['Credentials']
s3_resource = boto3.resource(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

But this is giving me an error -

botocore.exceptions.NoCredentialsError: Unable to locate credentials

There is no credentials file on my machine as I do not want to use an access key. And the machine has all the permissions for accessing SES. Is there any other setting I need to do?

Traceback -

Traceback (most recent call last):
   File "/opt/python/run/venv/lib/python3.4/site-packages/flask/app.py", line 1612, in full_dispatch_request
     rv = self.dispatch_request()
   File "/opt/python/run/venv/lib/python3.4/site-packages/flask/app.py", line 1598, in dispatch_request
     return self.view_functions[rule.endpoint](**req.view_args)
   File "/opt/python/run/venv/lib/python3.4/site-packages/flask_restplus/api.py", line 313, in wrapper
     resp = resource(*args, **kwargs)
   File "/opt/python/run/venv/lib/python3.4/site-packages/flask/views.py", line 84, in view
     return self.dispatch_request(*args, **kwargs)
   File "/opt/python/run/venv/lib/python3.4/site-packages/flask_restplus/resource.py", line 44, in dispatch_request
     resp = meth(*args, **kwargs)
   File "/opt/python/current/app/api/endpoints/task_comms_item.py", line 94, in post
     case_mail_obj.send_mail(final_mail_data)
   File "/opt/python/current/app/tools/mails/create_mail.py", line 88, in send_mail
     super(CreateMail, self).send_mail()
  File "/opt/python/current/app/tools/mails/base.py", line 37, in send_mail
     self.mail_obj.send(self.mail_format)
   File "/opt/python/current/app/lib/mail.py", line 154, in send
     ReplyToAddresses=self.mail_dict["reply_to"])
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/client.py", line 314, in _api_call
     return self._make_api_call(operation_name, kwargs)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/client.py", line 599, in _make_api_call
     operation_model, request_dict)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/endpoint.py", line 143, in make_request
     return self._send_request(request_dict, operation_model)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/endpoint.py", line 168, in _send_request
     request = self.create_request(request_dict, operation_model)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/endpoint.py", line 152, in create_request
     operation_name=operation_model.name)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/hooks.py", line 210, in _emit
     response = handler(**kwargs)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/signers.py", line 90, in handler
     return self.sign(operation_name, request)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/signers.py", line 154, in sign
     auth.add_auth(request)
   File "/opt/python/run/venv/lib/python3.4/site-packages/botocore/auth.py", line 352, in add_auth
     raise NoCredentialsError
 botocore.exceptions.NoCredentialsError: Unable to locate credentials
Shashank
  • Can you produce the full traceback? – sytech Jan 17 '18 at 09:06
  • Added traceback – Shashank Jan 17 '18 at 09:10
  • You need to authenticate to the sts client. You can't just access it without any sort of credentials and only the ARN and role name... You can provide the credentials in code or by environment variables. But if you're just sending emails, the best way to do this is to get SMTP credentials from SES and configure your app like you would with any other mail client. – sytech Jan 17 '18 at 09:14
  • @sytech - You mean to say while calling boto3.client('sts') method? – Shashank Jan 17 '18 at 09:17

1 Answer

According to the docs, in this case you need to set environment variables (the default Session object reads credentials from env vars):

http://boto3.readthedocs.io/en/latest/guide/configuration.html#environment-variable-configuration

How to set environment variables in Python

import os
# boto3 looks these variables up by their upper-case names
os.environ['AWS_ACCESS_KEY_ID'] = credentials['AccessKeyId']
os.environ['AWS_SECRET_ACCESS_KEY'] = credentials['SecretAccessKey']
os.environ['AWS_SESSION_TOKEN'] = credentials['SessionToken']
Andrii Muzalevskyi
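An added example, not part of the original question or answer and not boto3's own code: it checks that the default credential chain found base credentials before calling STS (the condition behind the NoCredentialsError in the question), then hands the temporary credentials to the SES client directly. The function name, exception class, region and session name are assumptions made for illustration.

```python
"""Added example: preflight the base credentials, then assume a role for SES."""


class MissingBaseCredentials(RuntimeError):
    """The default credential chain found nothing to sign requests with."""


def ses_client_via_role(session, role_arn=None, region="us-east-1",
                        session_name="ses-mailer"):
    """Return (ses_client, source) for a boto3.session.Session-like object.

    role_arn, region and session_name are illustrative assumptions.
    """
    # sts:AssumeRole is itself a signed call, so the caller needs base
    # credentials first (instance profile, environment, shared file, ...).
    base = session.get_credentials()
    if base is None:
        raise MissingBaseCredentials(
            "no base credentials: attach an instance profile or role to "
            "the host, or configure credentials for the process")

    if role_arn is None:
        # The host's own role is enough; botocore refreshes it on expiry.
        return session.client("ses", region_name=region), base.method

    sts = session.client("sts", region_name=region)
    temp = sts.assume_role(RoleArn=role_arn,
                           RoleSessionName=session_name)["Credentials"]
    # Pass the temporary keys to this one client instead of exporting them
    # to os.environ, where child processes would inherit them.
    client = session.client(
        "ses",
        region_name=region,
        aws_access_key_id=temp["AccessKeyId"],
        aws_secret_access_key=temp["SecretAccessKey"],
        aws_session_token=temp["SessionToken"],
    )
    return client, "assume-role"


if __name__ == "__main__":
    import boto3  # imported here so the function can be tested offline

    try:
        _, source = ses_client_via_role(boto3.session.Session())
        print("SES client ready, credentials from:", source)
    except MissingBaseCredentials as exc:
        print("cannot sign requests:", exc)
```

Keys passed explicitly like this expire (one hour by default for AssumeRole) and are not refreshed, so rebuild the client when they do.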