boto3 not caching STS MFA sessions
Either there’s something borked in my environment or this functionality is broken. It appears it worked at one point according to the blog I followed:
What I’d like to do is run my script, enter the MFA. Then be able to run it again without entering MFA making use of cached session token.
The samples I’ve seen are:
import boto3

session = boto3.Session(profile_name='w2-cf3')
ec2_client = session.client('ec2', region_name='us-west-2')
I’m then prompted for my MFA:
Enter MFA code:
I enter it and my code runs. At this point, my session token should be cached, that’s how it works in awscli. However, on the second run, instead of reading in my cached session for this profile, boto3 disregards and prompts me again for my MFA:
Enter MFA code:
Here’s what my ~/.aws/config file looks like:
[profile default]
region = us-west-2
output = json
[profile w2-cf3]
region = us-west-2
source_profile = default
role_arn = arn:aws:iam::<accountid>:role/<role>
mfa_serial = arn:aws:iam::<accountid>:mfa/<user>
Here’s what my ~/.aws/credentials file looks like:
[default]
aws_access_key_id=<access key>
aws_secret_access_key=<secret key>
Expected: I expected that the second time I run my script it would make use of the cached session token like it does in awscli. The session token provided by AWS lasts 1 hour.
Issue Analytics
- Created 6 years ago
- Reactions:9
- Comments:5 (1 by maintainers)
Top GitHub Comments
You can accomplish boto3 sts cache persistence across script executions by instantiating a client that uses the cli cache instead of the default boto cache. See below example. Credit goes to mixja.
boto3_session_cache.py
my_script.py
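One way to do what the comment above describes, as an added example (not the code from that comment or from boto3 itself): point botocore's assume-role provider at the AWS CLI cache directory, assumed here to be `~/.aws/cli/cache`, through `botocore.credentials.JSONFileCache`. The helper names `ensure_private_dir`, `exposed_cache_files` and `cached_session` are hypothetical; the two permission helpers are there because the cache files hold the temporary session credentials in plaintext.

```python
import os
import stat

# Assumption: the directory awscli uses for cached assume-role credentials.
CLI_CACHE_DIR = os.path.join(os.path.expanduser("~"), ".aws", "cli", "cache")


def ensure_private_dir(path):
    """Create the cache directory if needed, restrict it to the owner,
    and return the resulting permission bits."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode)


def exposed_cache_files(path):
    """Return names of cache files that group or other users can access."""
    exposed = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full) and stat.S_IMODE(os.stat(full).st_mode) & 0o077:
            exposed.append(name)
    return exposed


def cached_session(profile_name, cache_dir=CLI_CACHE_DIR):
    """Return a boto3 Session whose assume-role (MFA) credentials are
    persisted on disk, so a second run inside the token lifetime reuses
    them instead of prompting for a new MFA code."""
    # Imported here so the permission helpers work without boto3 installed.
    import boto3
    import botocore.session
    from botocore.credentials import JSONFileCache

    ensure_private_dir(cache_dir)
    core = botocore.session.Session(profile=profile_name)
    resolver = core.get_component("credential_provider")
    # By default this provider caches in memory only; swap in a file cache.
    resolver.get_provider("assume-role").cache = JSONFileCache(cache_dir)
    return boto3.Session(botocore_session=core)


if __name__ == "__main__":
    # Profile and region taken from the issue text above.
    session = cached_session("w2-cf3")
    ec2_client = session.client("ec2", region_name="us-west-2")
    print("cache files open to other users:", exposed_cache_files(CLI_CACHE_DIR))
```

Anyone who can read the cache directory can use the cached role credentials until they expire, so an empty result from `exposed_cache_files` is worth checking on shared hosts.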
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.