
I got an error like this: botocore.exceptions.NoCredentialsError: Unable to locate credentials, when I was running the following code:

import boto3

# Set up AWS connection details
awsSession = boto3.Session(profile_name="opsdev")

def getInfoFromDynamoDB(service):
    client = awsSession.client('kms')
    dynamodb = awsSession.resource('dynamodb')
    table = dynamodb.Table('app_info')

    response = table.get_item(
        Key={
            # here is where the error comes out as "Unable to locate credentials"
            "service": str(service)
        }
    )

MongodbInfo = getInfoFromDynamoDB('Mongodb')

I have also tried not specifying the profile name, but it gives the same error:

awsSession = boto3.Session()

So basically, in our organization there is a group called DEV that has the right to query DynamoDB, and I am going to assume the DEV role and then work with DynamoDB. We use MFA as well.

I have done some research in the boto documentation and on StackOverflow. I think I can't specify keys manually because I have a role to assume, and I will be using the assumed role key info as suggested in this post: Boto3 Error: botocore.exceptions.NoCredentialsError: Unable to locate credentials

Here is my config file:

[default]
aws_access_key_id = xxxxxxxxxxxxxxxxQQ
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGf

[profile opsdev]
output = json
role_arn = arn:aws:iam::123456789123:role/DEV
mfa_serial = arn:aws:iam::123456789123:mfa/abc@def.com
source_profile = default
region = us-east-1

Here is my credentials file:

[default]
aws_access_key_id = xxxxxxxxxxxxxxxxQQ
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGf
[opsdev]
role_arn = arn:aws:iam::123456789123:role/DEV
mfa_serial = arn:aws:iam::123456789123:mfa/abc@def.com
source_profile = default
region = us-east-1

I have tried not having the opsdev profile part in credentials; it is still not working.

When I was invoking a role like this:

 aws --profile=role s3 ls --debug

No error is generated, just a list of bucket names.

I tried:

$ aws sts assume-role --role-arn arn:aws:iam::709957318545:role/DEV_OperationsDevelopers --role-session-name testAssumeRole

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789123:assumed-role/DEV/AWS-CLI-session-987654321987 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789123:role/DEV

$ aws configure list
Name                    Value             Type    Location
----                    -----             ----    --------
profile                   opsdev           manual    --profile
access_key     ****************xxIQ      assume-role
secret_key     ****************xxf0      assume-role
region                us-east-1      config-file    ~/.aws/config

$ aws sts get-caller-identity --profile opsdev
Enter MFA code:
{
    "Account": "123456789123",
    "UserId": "xxxxxxxxxxxxxxxxxxxxxxxx:AWS-CLI-session-987654321",
    "Arn": "arn:aws:sts::123456789123:assumed-role/DEV/AWS-CLI-session-987654321"
}

And I am pretty sure my identity is able to do the assume role action, because we had a Python file that prompts for the MFA code, then gets an MFA session, then creates another session with the MFA details, and at last creates a new session with an STS client for the assume role. This session is able to connect to DynamoDB.

Any help is greatly appreciated.

Bonifacio2
  • I think the role which you are using doesn't have the required permissions. Hence the error `User: arn:aws:sts::123456789123:assumed-role/DEV/AWS-CLI-session-987654321987 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789123:role/DEV`. Please check if the roles / permissions are configured properly. – krisnik Jan 30 '18 at 07:45

0 Answers
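The explicit flow the question describes (prompt for the MFA code, get an MFA session, then assume the role through an STS client built on that session), written out with boto3 as an added example; it is not the asker's script. The function names, the `session_factory` hook and the session name are assumptions, and the ARNs are the placeholder values from the question's config file.

```python
import getpass


def _session_kwargs(creds):
    # Map an STS "Credentials" structure onto boto3.Session keyword arguments.
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def mfa_session_kwargs(sts, mfa_serial, token_code):
    """Step 1: exchange long-term keys plus an MFA code for temporary keys."""
    resp = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code)
    return _session_kwargs(resp["Credentials"])


def role_session_kwargs(sts, role_arn, session_name):
    """Step 2: assume the role through an STS client built on the MFA session."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return _session_kwargs(resp["Credentials"])


def assume_role_with_mfa(role_arn, mfa_serial, region, prompt=getpass.getpass,
                         session_factory=None, session_name="mfa-assume-role"):
    """Return a session holding the role's temporary credentials."""
    if session_factory is None:
        import boto3  # lazy import: the helpers above can be exercised with a stub
        session_factory = boto3.Session
    token = prompt("Enter MFA code: ").strip()
    if not (token.isdigit() and len(token) == 6):
        raise ValueError("MFA code must be six digits")
    base = session_factory(region_name=region)  # default credential chain
    mfa = session_factory(
        region_name=region,
        **mfa_session_kwargs(base.client("sts"), mfa_serial, token))
    return session_factory(
        region_name=region,
        **role_session_kwargs(mfa.client("sts"), role_arn, session_name))


if __name__ == "__main__":
    # Placeholder ARNs in the shape used in the question; substitute real ones.
    session = assume_role_with_mfa(
        "arn:aws:iam::123456789123:role/DEV",
        "arn:aws:iam::123456789123:mfa/abc@def.com",
        "us-east-1")
    print(session.client("sts").get_caller_identity()["Arn"])
```

The temporary keys live only in the returned session object; nothing is written to `~/.aws/credentials` or printed.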