Determine IAM principal that was denied access
I'm helping a colleague troubleshoot an S3 put "access denied" error when he uses a Python library that internally calls boto3. To simplify the troubleshooting process I'd like to know which IAM principal is getting denied. It's not the instance's IAM role because that role has full S3 access, so I'm trying to consider other possibilities.
Normally if I were to call the boto3 code directly I wouldn't have this question because I would either 1) need to be explicit about the principal or 2) boto3 would check for the presence of an environment variable such as AWS_ACCESS_KEY_ID, and if that wasn't set AWS would fall back to the EC2 instance's associated role / default profile (please correct me if I am wrong about this order of precedence).
How can I determine the denied principal used by a third party library other than by diving into the library's source code?
Solution 1:[1]
You can use this code to identify which credentials are being used:
```python
import boto3

# STS GetCallerIdentity needs no IAM permissions, so it succeeds even for a
# principal that is denied everything else and tells you who that principal is.
sts_client = boto3.client('sts')
response = sts_client.get_caller_identity()
print(response['Arn'])
```
It will show an ARN like: arn:aws:iam::123456789012:user/User-Name
If you run it from an EC2 instance it would show an ARN like: arn:aws:sts::123456789012:assumed-role/Role-Name/i-1234abcd
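As an added example (not from the answer above or from boto3 itself), the same check extended into a small diagnostic: it parses the ARN that get_caller_identity returns, reports which provider in botocore's credential chain supplied the credentials, and turns an AccessDenied ClientError into one line naming the denied principal. The function names and the assumption that the library's boto3 session can be passed in are mine.

```python
import re

# Matches the ARNs get_caller_identity returns (iam:: for users/root, sts:: for assumed roles).
_PRINCIPAL_ARN = re.compile(r"^arn:[^:]+:(?:iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$")


def parse_caller_arn(arn):
    """Split a caller-identity ARN into account, principal type, name and session."""
    match = _PRINCIPAL_ARN.match(arn)
    if not match:
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    kind, *rest = match.group("resource").split("/")
    result = {"account": match.group("account"), "type": kind, "name": None, "session": None}
    if kind == "assumed-role" and len(rest) == 2:
        # assumed-role/<RoleName>/<SessionName>; on EC2 the session name is the instance id
        result["name"], result["session"] = rest
    elif rest:
        # user/ and role/ ARNs may carry a path; the final segment is the name
        result["name"] = rest[-1]
    return result


def describe_caller(session=None):
    """Report which credential provider botocore picked and who STS says the caller is.

    Needs network access to STS. boto3 is imported here so the parsing helper above
    stays importable on a machine without boto3 installed.
    """
    import boto3
    session = session or boto3.session.Session()
    creds = session.get_credentials()
    if creds is None:
        return {"provider": None, "identity": None}
    identity = session.client("sts").get_caller_identity()
    # creds.method names the provider: 'env', 'shared-credentials-file', 'config-file',
    # 'container-role', 'iam-role' (instance profile), 'assume-role' or 'explicit'.
    return {"provider": creds.method, "identity": parse_caller_arn(identity["Arn"])}


def explain_access_denied(err, session=None):
    """Name the denied principal for an AccessDenied botocore ClientError, else return None.

    Pass the session the library built if you can reach it (hypothetical parameter);
    otherwise the default session resolves credentials from the same environment.
    """
    if err.response.get("Error", {}).get("Code") != "AccessDenied":
        return None
    who = describe_caller(session)
    ident = who["identity"]
    if ident is None:
        return "AccessDenied, and no credentials could be resolved from the environment"
    return (f"AccessDenied for {ident['type']} {ident['name']} in account {ident['account']} "
            f"(session {ident['session']}, credentials from provider {who['provider']!r})")
```

Wrap the library call in `try/except ClientError` and feed the exception to explain_access_denied() to get the principal and credential source in the same log line as the failure.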
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | John Rotenstein |
