
The security token included in the request is expired


I have a script that pulls a lot of metrics from CloudWatch for our own internal reports.

The script iterates over all of the EC2 instances in a specific region and asks for 5 CloudWatch metrics (all the statistics available) for the past 2 weeks (each time 5 days back at 5-minute intervals, which is exactly the 1440 quota). I'm using an assumed session:

from boto3.session import Session

session = Session(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=regionName)
sts = session.client('sts')
response = sts.assume_role(
    RoleArn=arn, # External role arn
    RoleSessionName='role-name',
    ExternalId='<some-id-here>',
)
tempAccessKeyId = response['Credentials']['AccessKeyId']
tempSecretAccessKey = response['Credentials']['SecretAccessKey']
tempSessionToken = response['Credentials']['SessionToken']
assumedSession = Session(
    aws_access_key_id=tempAccessKeyId,
    aws_secret_access_key=tempSecretAccessKey,
    aws_session_token=tempSessionToken,
    region_name=regionName)

While running the script I got this exception:

botocore.exceptions.ClientError: An error occurred (ExpiredToken) when calling the GetMetricStatistics operation: The security token included in the request is expired

Is there a way to make sure the token doesn't expire while running the script? I'm using boto3.


Solution

  • The assume_role method you are using returns temporary security credentials. The following is taken from the official documentation:

    The temporary security credentials are valid for the duration that you specified when calling AssumeRole, which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). The default is 1 hour.

    Since you are not using the DurationSeconds keyword argument, the returned credentials are valid for the default 1 hour. You must make sure to get new credentials in order to make requests after 1 hour. See the following from the Temporary Security Credentials official documentation:

    When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
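
One way to request new credentials before the old ones expire, as the answer describes. This is an added example, not code from the original post or from boto3: `RefreshingRoleCredentials`, its `margin` parameter, `FakeSTS`, the role ARN and the key values are hypothetical or constructed so the refresh logic can run offline.

```python
from datetime import datetime, timedelta, timezone


class RefreshingRoleCredentials:
    """Hypothetical helper: caches AssumeRole credentials, re-assumes before expiry."""
    def __init__(self, sts_client, role_arn, session_name, external_id,
                 margin=timedelta(minutes=5), now=lambda: datetime.now(timezone.utc)):
        self._sts = sts_client
        self._params = dict(RoleArn=role_arn, RoleSessionName=session_name,
                            ExternalId=external_id)
        self._margin = margin  # refresh this long before Expiration (assumed value)
        self._now = now        # injectable clock so the logic can be exercised offline
        self._creds = None

    def session_kwargs(self):
        """Keyword arguments for boto3's Session(); call before each batch of requests."""
        if (self._creds is None
                or self._now() >= self._creds["Expiration"] - self._margin):
            self._creds = self._sts.assume_role(**self._params)["Credentials"]
        return {"aws_access_key_id": self._creds["AccessKeyId"],
                "aws_secret_access_key": self._creds["SecretAccessKey"],
                "aws_session_token": self._creds["SessionToken"]}


class FakeSTS:
    """Constructed stand-in for session.client('sts'); issues 1-hour credentials."""
    def __init__(self, clock):
        self.clock, self.calls = clock, 0

    def assume_role(self, **params):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls}",
            "SecretAccessKey": "constructed-secret",
            "SessionToken": f"constructed-token-{self.calls}",
            "Expiration": self.clock() + timedelta(hours=1)}}


def simulate(hours=3, step_minutes=10):
    """Run a fake clock through a long job; return (assume_role calls, tokens used)."""
    t = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    sts = FakeSTS(lambda: t[0])
    provider = RefreshingRoleCredentials(sts, "arn:aws:iam::111122223333:role/example",
                                         "role-name", "<some-id-here>", now=lambda: t[0])
    tokens = []
    for _ in range(hours * 60 // step_minutes):
        tokens.append(provider.session_kwargs()["aws_session_token"])
        t[0] += timedelta(minutes=step_minutes)
    return sts.calls, tokens
```

In the real script, pass `session.client('sts')` in place of `FakeSTS` and build `Session(region_name=regionName, **provider.session_kwargs())` before each instance's batch of CloudWatch requests.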