0

I am creating an Athena client using the code listed below -

client = boto3.client('athena',aws_access_key_id='<access key id>',aws_secret_access_key='<secret access key>',region_name='us-east-1')

Then I am using this client to query Athena -

response = client.start_query_execution(QueryString=query_string,QueryExecutionContext={'Database': database},WorkGroup=workgroup)

I see the below error. Can you please let me know what I may be missing?

botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the StartQueryExecution operation: The security token included in the request is invalid.

Punter Vicky
  • 15,954
  • 56
  • 188
  • 315
  • Are you sure credentials are valid?. Are they working fine with other services using boto3?. Check whether credentials belong to the region where you are querying. – Imran Jul 15 '19 at 01:29
  • @Imran , is there a way to check the roles associated with the credentials? – Punter Vicky Jul 15 '19 at 01:30
  • You could use sts get-caller-identity (https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html). You could also check out https://stackoverflow.com/questions/31836816/how-to-test-credentials-for-aws-command-line-tools/42241040#42241040 for other approaches. – Martin Löper Jul 15 '19 at 01:51
  • Finally, there is the IAM policy simulator: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html – Martin Löper Jul 15 '19 at 01:51
  • 1
    Using AWS CLI. You can try `aws iam get-user`(uses default credentials) which gives `UserName` and with it you can get the policies attached to the specific user. Ex - `aws iam list-user-policies --user-name myuser` . If you want to use `boto3` then [here](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_user) & [here](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.list_attached_user_policies) are methods you can try with IAM service. – Imran Jul 15 '19 at 01:52
  • @MartinLöper beat me to it :) so you can check the links shared by him as well. – Imran Jul 15 '19 at 01:53
  • @Imran I just have the access key id and secret access key my case. – Punter Vicky Jul 15 '19 at 01:53
  • @PunterVicky if you save the [credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) in local based on your OS, you don't have to pass them in boto3 client method and even CLI will uses local store by default. If you don't want to save them, try initiating boto3 `client` for `iam` service and calling above boto3 methods I gave.(Assuming your credentials have access to use `IAM` service or you will need to reach out to your admin for help). – Imran Jul 15 '19 at 01:59
  • @Imran MartinLöper thank you..... – Punter Vicky Jul 15 '19 at 02:01

1 Answers1

3

Could you check your aws keys detail ?. Error indicates that aws keys are invalid.

sivakumar
  • 66
  • 2