Boto3 InvalidAccessKeyId in generate_presigned_post

Question

I'm creating an AWS Lambda and API using Python's Chalice library. My AWS Credentials are injected using github workflow aws-actions and its able to chalice deploy. The endpoints are working and it's deploying perfectly to AWS.

The problem is:

I use Boto3 to create a presigned upload form using its function generate_presigned_post located in docs here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html

But when I use the response from that function and generate an html with it, after submitting the files to upload, it returns me

<Error>
<Code>InvalidAccessKeyId</Code>
<Message>
The AWS Access Key Id you provided does not exist in our records.
</Message>

I checked everything and it seems it's using wrong AWS_ACCESS_KEY but if it's deploying to AWS perfectly, I figured it isn't the issue (at least for now). I use boto3 client and it seems to locate aws credentials automatically but it seems that it does not locate mine (or whatever is happening) and provides a wrong AWS_ACCESS_KEY.

import boto3

S3_CLIENT = boto3.client('s3')
BUCKET = 'bucket_name'

response = S3_CLIENT.generate_presigned_post(
            BUCKET,
            Key="{$filename}",
            Fields=None,
            Conditions=None,
            ExpiresIn=3600
        )

It returns correct response but when integrated with a form and used, the form returns the error.

*"I use Boto3 to create a presigned upload form using its function generate_presigned_post..."* You will need to show us that part of your code. Please edit the question. — Michael - sqlbot, Apr 02 '20 at 09:41
The invalid AWS Access Key Id is actually shown in the error, right? Does it begin with `AKIA` or `ASIA`? Do you recognize this key from anywhere? — Michael - sqlbot, Apr 03 '20 at 02:55
The key starts with ASIA. I checked my IAM Users' access keys and nobody has the key starting with ASIA. — Juliuz Christian Llanillo, Apr 03 '20 at 03:53
The credentials are injected within the github-actions workflow yaml file, I don't know why is it using a different key. — Juliuz Christian Llanillo, Apr 03 '20 at 04:00
@Michael-sqlbot the key shouldn't be recognised from anywhere they are temporary credentials, no? — kev, Mar 27 '21 at 06:43

Coin Graham · Answer 1 · 2023-01-04T19:08:22.543

This is actually a little bit more complicated than it seems because of the nature of lambda and temporary keys. Suffice to say you should follow these steps:

Create an IAM role with permissions to generate presigned urls for the bucket in question.
Take a lambda basic execution role and add permissions for that role to assume the role in step 1.

In your boto3 code, add a step to assume the role in step 1 before generating the signed url. Something like this:

import boto3

sts_client = boto3.client('sts')

assumed_role_object = sts_client.assume_role(
    RoleArn='arn_of_role_to_assume'
)

credentials = assumed_role_object['Credentials']

s3_client = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

s3_client.generate_presigned_url......

Boto3 InvalidAccessKeyId in generate_presigned_post

1 Answers1

Linked