I'm using a CLI tool (from Apache Spark) that uses boto under the hood. Although I have confirmed that AWS_ACCESS_KEY and AWS_SECRET_KEY are correct (by running ec2-describe-regions), authorization still fails:
ec2/spark-ec2 -k mykey --copy -s 5 -i ~/.ssh/mykey.pem -t c3.2xlarge
-z us-east-1a -r us-east-1 launch mycluster
Note the final error after the stack trace:
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to
validate the provided access credentials</Message></Error></Errors>
Here is the full output:
Setting up security groups...
ERROR:boto:401 Unauthorized
ERROR:boto:<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>f960cab0-bfe6-4939-913c-5fbc0bf8662f</RequestID></Response>
Traceback (most recent call last):
File "ec2/spark_ec2.py", line 1509, in <module>
main()
File "ec2/spark_ec2.py", line 1501, in main
real_main()
File "ec2/spark_ec2.py", line 1330, in real_main
(master_nodes, slave_nodes) = launch_cluster(conn, opts, cluster_name)
File "ec2/spark_ec2.py", line 482, in launch_cluster
master_group = get_or_make_group(conn, cluster_name + "-master", opts.vpc_id)
File "ec2/spark_ec2.py", line 343, in get_or_make_group
groups = conn.get_all_security_groups()
File "/shared/sparkup2/ec2/lib/boto-2.34.0/boto/ec2/connection.py", line 2969, in get_all_security_groups
[('item', SecurityGroup)], verb='POST')
File "/shared/sparkup2/ec2/lib/boto-2.34.0/boto/connection.py", line 1182, in get_list
raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 401 Unauthorized
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to
validate the provided access credentials</Message></Error></Errors>
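Answer 1
I ran into a similar problem and decided to post this as an answer, since it may help others (coming from Google):
Make sure the time on your machine is set correctly.
My machine's clock was about 8 minutes ahead of the actual time, which caused the 401 error above.
If you are on Linux, you can run the following to synchronize: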
sudo ntpdate us.pool.ntp.org
Answer 2
Oh my. There was a $HOME/.boto file holding old authentication values. Most of a day was wasted because of this!!
cat ~/.boto
[Credentials]
aws_access_key_id=MY*OLD*ACCESS*KEY
aws_secret_access_key=MY*OLD_SECRET*ACCESS*KEY
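Answer 3
For me, the cause was different. I was using temporary AWS credentials, consisting of AWS_ACCESS_KEY, AWS_SECRET_KEY and AWS_SESSION_TOKEN. After enabling boto debug logging with boto.set_stream_logger('boto'), I noticed that only AWS_ACCESS_KEY and AWS_SECRET_KEY were loaded from the environment, while AWS_SESSION_TOKEN was not. Checking the code seems to confirm this: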
https://github.com/clari/clari_dynamo/blob/master/boto/boto/provider.py#L307
What worked for me was passing the token explicitly when setting up the ec2 connection:
ec2.connect_to_region(region, security_token=os.environ.get('AWS_SESSION_TOKEN', None))
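A pre-flight check covering the three causes reported in the answers above (clock skew, a leftover ~/.boto file, a session token that boto did not pick up), as an added example that is not part of the original answers or of boto or Spark. The function names, finding strings, sample keys and the 300-second skew tolerance are assumptions made for this sketch.

```python
import configparser
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 300  # assumed tolerance for this sketch, not a value from the page


def mask(value):
    """Show only the last four characters so keys never land in logs."""
    return "*" * 4 + value[-4:]


def diagnose(env, boto_cfg_text, local_now, server_date_header):
    """Return findings for the three causes reported in the answers."""
    findings = []
    # Answer 1: local clock vs. the Date header of any trusted HTTPS response.
    skew = (local_now - parsedate_to_datetime(server_date_header)).total_seconds()
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append("clock-skew:%+ds" % skew)
    # Answer 2: a [Credentials] section in ~/.boto that disagrees with the environment.
    cfg = configparser.RawConfigParser()
    cfg.read_string(boto_cfg_text)
    file_key = cfg.get("Credentials", "aws_access_key_id", fallback=None)
    # AWS_ACCESS_KEY is the name used in the question; AWS_ACCESS_KEY_ID is what boto 2 reads.
    env_key = env.get("AWS_ACCESS_KEY_ID") or env.get("AWS_ACCESS_KEY")
    if file_key and env_key and file_key != env_key:
        findings.append("boto-file-differs:" + mask(file_key))
    # Answer 3: a session token in the environment has to be handed to boto explicitly.
    if env.get("AWS_SESSION_TOKEN"):
        findings.append("pass-security-token-explicitly")
    return findings


if __name__ == "__main__":
    # Constructed sample input: fake keys, a clock running 8 minutes fast.
    sample_env = {"AWS_ACCESS_KEY": "EXAMPLE-NEW-KEY-0001", "AWS_SESSION_TOKEN": "constructed-token"}
    sample_cfg = "[Credentials]\naws_access_key_id=EXAMPLE-OLD-KEY-9999\n"
    now = datetime(2015, 3, 3, 12, 8, tzinfo=timezone.utc)
    for finding in diagnose(sample_env, sample_cfg, now, "Tue, 03 Mar 2015 12:00:00 GMT"):
        print(finding)
```

In real use, take the Date header from any HTTPS response you trust and read the text of ~/.boto from disk; the key is masked so the findings can be pasted into a ticket.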