boto3 not caching STS MFA sessions

Either there’s something borked in my environment or this functionality is broken. It appears it worked at one point according to the blog I followed:

What I’d like to do is run my script, enter the MFA. Then be able to run it again without entering MFA making use of cached session token.

The samples I’ve seen are:

import boto3

session = boto3.Session(profile_name='w2-cf3')
ec2_client = session.client('ec2', region_name='us-west-2')

I’m then prompted for my mfa:

Enter MFA code:

I enter it and my code runs. At this point, my session token should be cached, that’s how it works in awscli. However, on the second run, instead of reading in my cached session for this profile, boto3 disregards and prompts me again for my MFA:

Enter MFA code:

Here’s what my ~/.aws/config file looks like:

[profile default]
region = us-west-2
output = json

[profile w2-cf3]
region = us-west-2
source_profile = default
role_arn = arn:aws:iam::<accountid>:role/<role>
mfa_serial = arn:aws:iam::<accountid>:mfa/<user>

Here’s what my ~/.aws/credentials file looks like:

[default]
aws_access_key_id=<access key>
aws_secret_access_key=<secret key>

Expected: I expected that the second time I run my script it would make use of the cached session token like it does in awscli. The session token provided by AWS lasts 1 hour.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 9
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

3 reactions
igoralveslima commented, Dec 31, 2019

You can accomplish boto3 sts cache persistence across script executions by instantiating a client that uses the cli cache instead of the default boto cache. See below example. Credit goes to mixja.

boto3_session_cache.py

import os

import boto3
import botocore.session
from botocore import credentials

# By default the cache path is ~/.aws/boto/cache
cli_cache = os.path.join(os.path.expanduser('~'), '.aws/cli/cache')

# Construct botocore session with cache
session = botocore.session.get_session()
session.get_component('credential_provider').get_provider('assume-role').cache = credentials.JSONFileCache(cli_cache)


# Create boto3 client from session
def boto3_client(service_name):
    return boto3.Session(botocore_session=session).client(service_name)

my_script.py

from boto3_session_cache import boto3_client
ec2 = boto3_client(service_name='ec2')
response = ec2.describe_instances()
print(response)
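
Added example, not part of the original comment or of boto3: the workaround above keeps temporary STS credentials in ~/.aws/cli/cache between runs, so this sketch audits such a directory for files accessible to group or others and removes expired entries. It assumes each cache file is JSON carrying a Credentials.Expiration ISO-8601 timestamp; the function names audit_cache and purge_expired are hypothetical, and the sample file is constructed.

```python
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def audit_cache(cache_dir, now=None):
    """Return one finding per *.json file: mode, loose permissions, expiry."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for name in sorted(os.listdir(cache_dir)):
        if not name.endswith(".json"):
            continue
        path = os.path.join(cache_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        try:
            with open(path) as fh:
                raw = json.load(fh)["Credentials"]["Expiration"]
            # Assumed layout: ISO-8601 timestamp such as 2019-12-31T12:00:00Z
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            expired = expires <= now
        except (ValueError, KeyError, TypeError, AttributeError):
            expired = None  # unreadable or unexpected layout: review by hand
        findings.append({"file": name, "mode": oct(mode),
                         "group_or_other_access": bool(mode & 0o077),
                         "expired": expired})
    return findings


def purge_expired(cache_dir, now=None):
    """Delete cache files whose credentials have expired; return their names."""
    removed = [f["file"] for f in audit_cache(cache_dir, now) if f["expired"]]
    for name in removed:
        os.remove(os.path.join(cache_dir, name))
    return removed


if __name__ == "__main__":
    # Constructed sample: one expired, group/world-readable cache entry.
    demo_dir = tempfile.mkdtemp()
    sample = os.path.join(demo_dir, "constructed-entry.json")
    with open(sample, "w") as fh:
        json.dump({"Credentials": {"Expiration": "2019-12-31T12:00:00Z"}}, fh)
    os.chmod(sample, 0o644)
    print(audit_cache(demo_dir))
    print("purged:", purge_expired(demo_dir))
```

Files whose expiry cannot be parsed are reported with expired set to None and are never deleted automatically.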

0 reactions
github-actions[bot] commented, Mar 10, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
