0

Through boto3 library, I uploaded and downloaded file from AWS s3 successfully. But after few hours, it shows InvalidAccessKeyId suddenly for the same code.

What I have done:

  • set ~/.aws/credentials
  • Set environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

I tried the following solutions, but the error still heppens.

adding quotes on config values

ref2

Do I miss anything? Thanks for your help.

Jun
  • 1,012
  • 9
  • 27
  • From where did you obtain the credentials? Are they associated with an IAM user, or were they generated as _temporary credentials_? – John Rotenstein Aug 29 '18 at 10:41
  • Are you running the code on an Amazon EC2 instance? If so, is there an IAM Role attached to the instance? – John Rotenstein Aug 29 '18 at 10:43
  • Thanks for your reply. The credentials is associated with an IAM user. I believe it's not a temporary credential according to an article on SO (but I cannot found it right now), which tells AKIA prefix isn't and mine is also AKIA prefix. I an running the code on local (dev) and heroku (production) separately. – Jun Aug 29 '18 at 12:07

3 Answers3

1

If you have the credentials in ~/.aws/credentials there is no need to set environment variables AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY.

Environment variables are valid only for a session.

If you are using boto3, you can specify the credentials while creating client itself.

The best way to configure AWS credential is to install the AWS Command-Line Interface (CLI) and run aws configure from the bash console:

~/.aws/credentials format

[default]
aws_access_key_id = ***********
aws_secret_access_key = ************
John Rotenstein
  • 165,783
  • 13
  • 223
  • 298
Akhil KM
  • 89
  • 8
  • Thank you, and that's what I did. I run `aws configure` at the first. And I set environment variables for trouble shooting. – Jun Aug 29 '18 at 12:07
  • It should work if you have the correct credentials in "aws configure". Please check your system date, time and time-zone. – Akhil KM Aug 29 '18 at 12:24
1

You do not need to configure both .aws/credentials AND environment variables.

From Credentials — Boto 3 documentation:

The order in which Boto3 searches for credentials is:

  • Passing credentials as parameters in the boto.client() method
  • Passing credentials as parameters when creating a Session object
  • Environment variables
  • Shared credential file (~/.aws/credentials)
  • AWS config file (~/.aws/config)
  • Assume Role provider
  • Boto2 config file (/etc/boto.cfg and ~/.boto)
  • Instance metadata service on an Amazon EC2 instance that has an IAM role configured.

The fact that your credentials stopped working after a period of time suggests that they were temporary credentials created via the AWS Security Token Service, with an expiry time.

John Rotenstein
  • 165,783
  • 13
  • 223
  • 298
0

I found this article for the same issue. Amazon suggests to generate new key, and I did. Then it works, but we don't know the root cause. Suggest to do so for saving a lot of time when having the same problem.

Jun
  • 1,012
  • 9
  • 27