CloudFront KeyValueStore client API fails with assumed role/STS credentials #3980
Labels: bug (This issue is a confirmed bug.), investigating (This issue is being investigated and/or work is in progress to resolve the issue.), p3 (This is a minor priority issue.)
Describe the bug

Using the `cloudfront-keyvaluestore` client, trying to invoke the `describe_key_value_store` function when using an assumed role fails with an `Authentication failed` error. Using an access-key-ID and secret-access-key pair of the target account works without issues. Both the role tested and the direct access key have the same full `AdministratorAccess` permissions.

Expected Behavior
Just like for all other AWS services used with boto3 (at least the ones I have ever used), assuming a role should work with the `cloudfront-keyvaluestore` client, and operations like `DescribeKeyValueStore` should not fail.

Current Behavior
The `describe_key_value_store` operation fails with this error when using an assumed role:

Reproduction Steps
The following is a minimal script that reproduces the error. It expects to be invoked with an environment variable `ASSUMED_IAM_ROLE` set to the ARN of the IAM role that should be assumed.

The script will print output like this:

If it were to succeed, the output should look like the following. It has never succeeded in any of my tests.
Possible Solution
No response
Additional Information/Context

Interestingly enough, using the aws-cli (`aws-cli/2.15.2 Python/3.11.6 Darwin/22.6.0 exe/x86_64 prompt/off`) works without issues:

Here, the `temporary-profile` profile is configured through the `~/.aws/credentials` file after invoking `aws sts assume-role --role-arn "$ASSUMED_IAM_ROLE" --role-session-name aws-cli`, looking roughly like this:

I have looked at debug output of both boto3 (through `boto3.set_stream_logger("botocore")`) and the aws-cli (using the `--debug` CLI flag). One difference I did notice in the output (which might not be the only one, just one I did notice) is that the aws-cli will have output like this:

When running the reproducer script above with debug output enabled, the output will have similar `botocore.hooks` log statements, but showing none of the `AuthCredentialsProvider` or `AuthSigning` output. (Maybe this is expected, since it does not show for the CloudFront `ListKeyValueStores` API call either.)

SDK version used
boto3 1.34.4 (botocore 1.34.4)
Environment details (OS name and version, etc.)
macOS 13.6.3, Python 3.12.1
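As an added example (not the reporter's reproducer, which is not reproduced on this page), the following shows the assume-role flow the issue describes: temporary credentials obtained from STS are passed to a boto3 `cloudfront-keyvaluestore` client, and the same three fields are rendered as the kind of `~/.aws/credentials` profile the aws-cli test used. It also rejects an already-expired session before any API call, since expired or incomplete temporary credentials (notably a missing session token) are a common source of authentication failures that look like permission problems. `ASSUMED_IAM_ROLE` is the variable the issue uses; `KVS_ARN`, the helper names and the sample STS response are assumptions constructed for this example. `KvsARN` is the `DescribeKeyValueStore` request parameter.

```python
"""Assume an IAM role with STS and hand the temporary credentials to a
boto3 client, plus the equivalent ~/.aws/credentials profile section.

Added example for this issue; not the reporter's script. Assumes the
environment variable ASSUMED_IAM_ROLE holds the role ARN (as in the
issue) and KVS_ARN holds the KeyValueStore ARN (hypothetical name).
"""
import os
from datetime import datetime, timedelta, timezone


def credentials_from_assume_role(response, now=None,
                                 min_remaining=timedelta(minutes=1)):
    """Turn an STS AssumeRole response into boto3 client keyword arguments.

    Temporary credentials are only valid as a triple (key id, secret,
    session token); dropping the token is a classic cause of auth errors.
    The expiry is checked up front so an expired session fails fast with a
    clear message instead of an opaque authentication failure from the API.
    """
    creds = response["Credentials"]
    now = now or datetime.now(timezone.utc)
    expiration = creds["Expiration"]
    if expiration.tzinfo is None:  # STS returns aware datetimes; be tolerant
        expiration = expiration.replace(tzinfo=timezone.utc)
    if expiration - now < min_remaining:
        raise ValueError(f"temporary credentials expire at {expiration.isoformat()}")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def credentials_usable(response, **kwargs):
    """True if the response carries temporary credentials that are not
    about to expire; False otherwise (never raises)."""
    try:
        credentials_from_assume_role(response, **kwargs)
        return True
    except (ValueError, KeyError):
        return False


def render_credentials_profile(profile_name, client_kwargs):
    """Render the credentials as a ~/.aws/credentials profile section, the
    form used for the aws-cli `temporary-profile` in the issue. The INI
    keys are the ones botocore reads from the shared credentials file."""
    return (
        f"[{profile_name}]\n"
        f"aws_access_key_id = {client_kwargs['aws_access_key_id']}\n"
        f"aws_secret_access_key = {client_kwargs['aws_secret_access_key']}\n"
        f"aws_session_token = {client_kwargs['aws_session_token']}\n"
    )


def make_kvs_client(role_arn, session_name="boto3-kvs-example"):
    """Assume `role_arn` via STS and build a cloudfront-keyvaluestore client
    from the temporary credentials. boto3 is imported lazily so the pure
    helpers above can run without it installed."""
    import boto3

    sts = boto3.client("sts")
    response = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return boto3.client("cloudfront-keyvaluestore",
                        **credentials_from_assume_role(response))


# Constructed sample responses in the shape STS returns; all values are fake.
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "EXAMPLE/SECRET/KEY/NOT/REAL",
        "SessionToken": "EXAMPLE-SESSION-TOKEN",
        "Expiration": datetime(2030, 1, 1, tzinfo=timezone.utc),
    },
}
EXPIRED_SAMPLE_RESPONSE = {
    "Credentials": {
        **SAMPLE_ASSUME_ROLE_RESPONSE["Credentials"],
        "Expiration": datetime(2020, 1, 1, tzinfo=timezone.utc),
    },
}

if __name__ == "__main__":
    client = make_kvs_client(os.environ["ASSUMED_IAM_ROLE"])
    # KVS_ARN is a hypothetical variable for this example.
    print(client.describe_key_value_store(KvsARN=os.environ["KVS_ARN"]))
```

Whether a client is built from the keyword arguments or from a profile written with `render_credentials_profile`, the important point for diagnosing this class of failure is that all three fields reach the signer and that the session has not expired; comparing the rendered profile against the one the aws-cli used is a quick way to rule out a credential-plumbing mistake before attributing the error to the SDK.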