AWS Lambda, InvalidAccessKeyId, still a problem due to None, v1.14.3

[nitsujri]

Problem

Tickets #1353 and #1361 was hoped to be fixed by #1336 for AWS Lambda/ECS where you can automatically use AWS_SESSION_TOKEN, but for me it does not.

I got help from AWS Support because I was really confused about where the problem was as it initially appeared as if the Execution Role could list buckets but not read into them and only when I hard coded KeyId+Secret did it work (I think that's what #1353 found too).

Using v1.14.3 I get this error from Django: An error occurred (InvalidAccessKeyId) when calling the PutObject operation: The AWS Access Key Id you provided does not exist in our records.

AWS Support provided logs where the Actor has a <null> in it:

Request ID: THSGEJHE4B91AKFA
--------
End Time (UTC): 2024-05-08 09:29:22.857
Time Taken: 6 msecs
Response Code: 403
Error Code: InvalidAccessKeyId
Bucket Owner: 322209459496
Actor: ASIAUWBJOFUUBQ2HYIGM/<null>
Requester: Malformed
--------

This is a working request using boto3.Session().client("s3") directly and ListBuckets.

Request ID: S6V8SYWH8DK9DN9A
--------
End Time (UTC): 2024-05-07 23:44:05.635
Time Taken: 257 msecs
Response Code: 200
Requester Account: 322209459496
Requester Type: IAM ROLE
Actor: ASIAUWBJOFUUNZBIAUC5/AROAUWBJOFUUOI5PKDP3U:CoreAppStageStack-WebsiteLambda
Requester: AROAUWBJOFUUOI5PKDP3U
--------

Hack
My application relies on the default boto3.Session (all S3 Buckets use the same Execution Role). So this hack works great:

class HackS3Storage(S3Storage):
    def _create_session(self):
        import boto3

        return boto3.Session()

Root Issue
It seems like Boto3 sets the credentials terribly for a session if you directly, but only pass AWS_SESSION_TOKEN.

Honestly I'm unsure what the fix is.

Thanks for this great library though!

[jschneier]

Did you see #1399? It added pulling the session_token from the env as well. Does that resolve the issue?

[mstathers]

EDIT: Never mind, it looks like this change is unreleased as of 1.14.3.

@jschneier I just installed 1.14.3 into a fresh venv via pip and storages/backends/s3.py's get_default_settings() is still:

            "security_token": setting(
                "AWS_SESSION_TOKEN", setting("AWS_SECURITY_TOKEN")
            ),

Maybe something went wrong with the release?

[nitsujri]

Did you see #1399? It added pulling the session_token from the env as well. Does that resolve the issue?

Did I not reply to this? So sorry. I tested it the next day and it worked great. Can't wait for the release.

[khamaileon]

I have the same problem with version 1.14.3. My code runs on AWS Lambda and access to S3 is done via an access policy. So Boto doesn't need any config. But from the error message, it looks like a config has been passed.

An error occurred (InvalidAccessKeyId) when calling the PutObject operation: The AWS Access Key Id you provided does not exist in our records.

[khamaileon]

Ok I tried the master version and it's working 🍾

@jschneier, can you release a new version please ? It's a pretty critical bug imho.

[jschneier]

New release is now out.