I am trying to set up some build and deployment servers based on EC2 instances to deploy software to AWS via CloudFormation.
The current setup uses the AWS CLI to deploy CloudFormation templates, and authentication is handled using a credentials profile where the ~/.aws/config
file has a profile with:
[profile x]
role_arn = x
credential_source = Ec2InstanceMetadata
region = x
The setup using the AWS CLI appears to be working fine, and can deploy CloudFormation templates, upload files to S3 etc.
I wanted to automate this further and use a configuration-based approach to allow for more flexibility in our deployments. To achieve this, I have written some Python code to parse a config file and use the Boto3 library (which the AWS CLI also uses) to replicate the functionality. However, when I am trying to do similar things in Boto3 (like deploy CloudFormation and upload files to S3), I get the following error: Connection to sts.amazonaws.com timed out. Unfortunately I can't provide the full stack trace since it's on a separate network. I am running Python 3.7 and boto3-1.21-13, botocore-1.24.13.
I assume it might be because I need to set up a VPC endpoint for STS? However, I can't work out why and how the AWS CLI works fine, but Boto3 doesn't. Especially since the AWS CLI uses Boto3 under the hood.
In addition, I have confirmed that I can retrieve instance metadata using curl from the EC2 instances. To reproduce the error, this command fails for me:
python -c "import boto3;print(boto3.Session(profile_name='x').client('s3').list_objects(Bucket='bucket'))"
However this AWS cli command works:
aws --profile x s3 ls bucket
I guess I don't understand why the AWS CLI command works, when the boto3 command fails. Why does boto3 need to call the sts.amazonaws.com endpoint, when the AWS CLI seemingly doesn't? What am I missing?
CodePudding user response:
The aws cli and boto3 both use botocore, which is only a minor detail. Nevertheless, both the cli and boto3, when run in the same environment with the same access to the credentials, should indeed be able to reach the same endpoint.
This:
aws sts get-caller-identity --profile x
and:
python -c "import boto3;print(boto3.Session(profile_name='x').client('sts').get_caller_identity())"
are equivalent and should make the same api calls to the same endpoint.
As an aside, I find it is often best not to have your code concerned with session handling at all. It seems most simple to me for the code to expect the environment to handle that. So just export AWS_PROFILE and run the code. This prevents other users of the script from having to have the same profile and name it the same.
CodePudding user response:
Yeah so it turns out I just needed to set/export AWS_STS_REGIONAL_ENDPOINTS='regional'.
After many hours of trawling the botocore and awscli source and logs, I found out that botocore sets it by default to 'legacy'. Whereas in v2 of the AWS CLI, they set it to 'regional'.
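The answer above explains the fix but not the mechanism. The following is an added example, not code from the question or either answer: a small model of how botocore chooses the STS hostname from the sts_regional_endpoints setting, plus an optional helper that asks a locally installed botocore which host it would actually use, without making a network call. In 'legacy' mode a fixed set of regions is sent to the global host sts.amazonaws.com; a VPC interface endpoint for STS only provides private DNS for the regional host sts.<region>.amazonaws.com, so the global host goes out to the internet and times out on an isolated subnet. The region list and the precedence order (programmatic setting, then environment variable, then profile key, then the 'legacy' default) are reproduced from my reading of botocore and should be treated as assumptions to check against the installed version; the function names are mine.

```python
"""Model of botocore's STS endpoint selection (added example, not botocore's own code)."""
import os
from typing import Optional
from urllib.parse import urlparse

# Assumption: the regions botocore's 'legacy' mode routes to the global endpoint.
LEGACY_GLOBAL_STS_REGIONS = frozenset({
    "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
    "aws-global", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1",
    "eu-west-2", "eu-west-3", "sa-east-1", "us-east-1", "us-east-2",
    "us-west-1", "us-west-2",
})
GLOBAL_STS_HOST = "sts.amazonaws.com"
VALID_MODES = ("legacy", "regional")


def resolve_mode(programmatic: Optional[str] = None,
                 env: Optional[dict] = None,
                 profile_value: Optional[str] = None) -> str:
    """Pick the effective sts_regional_endpoints value.

    Assumed precedence (mirrors botocore's config chain): a value set in code,
    then the AWS_STS_REGIONAL_ENDPOINTS environment variable, then the
    sts_regional_endpoints key of the active profile, then the default 'legacy'.
    """
    env = os.environ if env is None else env
    mode = (programmatic
            or env.get("AWS_STS_REGIONAL_ENDPOINTS")
            or profile_value
            or "legacy").lower()
    if mode not in VALID_MODES:
        raise ValueError(f"invalid sts_regional_endpoints value: {mode!r}")
    return mode


def sts_host(region: str, mode: str = "legacy") -> str:
    """Return the STS hostname botocore would sign requests for."""
    if mode == "legacy" and region in LEGACY_GLOBAL_STS_REGIONS:
        return GLOBAL_STS_HOST
    return f"sts.{region}.amazonaws.com"


def reachable_via_vpc_endpoint(region: str, mode: str = "legacy") -> bool:
    """True when the chosen host is the regional one that an STS VPC interface
    endpoint with private DNS enabled will intercept; False means the request
    heads for the public global host and needs internet egress."""
    return sts_host(region, mode) != GLOBAL_STS_HOST


def botocore_sts_host(region: str, mode: str) -> Optional[str]:
    """Ask a locally installed botocore which host it would use. No network
    call is made: client creation only resolves the endpoint. Returns None when
    botocore is not importable, so the model above still runs stand-alone."""
    try:
        import botocore.session
    except ImportError:
        return None
    session = botocore.session.get_session()
    session.set_config_variable("sts_regional_endpoints", mode)
    client = session.create_client("sts", region_name=region)
    return urlparse(client.meta.endpoint_url).netloc


if __name__ == "__main__":
    # Constructed scenario: an EC2 build host in us-east-1 on a subnet whose
    # only path to STS is a VPC interface endpoint.
    region = "us-east-1"
    for mode in VALID_MODES:
        host = sts_host(region, mode)
        ok = reachable_via_vpc_endpoint(region, mode)
        print(f"{mode:8s} -> {host:30s} via VPC endpoint: {ok}")
    real = botocore_sts_host(region, resolve_mode())
    if real is not None:
        print(f"installed botocore would use: {real}")
```

Running it on the build host prints sts.amazonaws.com for 'legacy' and sts.us-east-1.amazonaws.com for 'regional', which is the whole difference between the timing-out boto3 call and the working CLI v2 call. Besides exporting AWS_STS_REGIONAL_ENDPOINTS=regional, the same setting can be pinned per profile with a `sts_regional_endpoints = regional` line under `[profile x]` in ~/.aws/config, so scripts that do not inherit the environment variable still stay inside the VPC.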