
Python boto3 s3 get_bucket_tagging : Access Denied when used in a loop


I am trying to get the list of tags in a specific bucket from different AWS accounts. Before the job, I also create a boto3 resource to do another job.

for item in items:
    botoSession = boto3.Session(
        aws_access_key_id=item['AccessKeyId'],
        aws_secret_access_key=item['SecretAccessKey'],
        aws_session_token=item['SessionToken'],
        region_name=item['regionParm']
    )

    # Different job (works well)
    s3 = botoSession.resource('s3')
    bucket = s3.Bucket(f"{item['bucketName']}")

    # Get tags job
    try:
        s3_client = boto3.client('s3')
        tags = s3_client.get_bucket_tagging(Bucket=f"{item['bucketName']}")['TagSet']
        print(tags)
    except Exception as e:
        print(e)

The issue is that the code gets the tag list only for the first item and returns an "Access Denied" error for the rest of the items.

An error occurred (AccessDenied) when calling the GetBucketTagging operation: Access Denied

I am guessing that the boto session for the first item affects getting the tag list for the next items. How can I get the tag list of the remaining items without access being denied?


Solution

  • When you construct the s3 resource, you're actually using the session with the right credentials:

    s3 = botoSession.resource('s3')
    

    But when you build the client, you're just using boto3, not the session with the creds:

    s3_client = boto3.client('s3')
    

    I think you want to replace that line with s3_client = botoSession.client('s3')

    As for why it works for the first item in the list, maybe the first item's bucket is public, or you have some credentials stored on the system that work for that item's bucket?
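
The fix described in the answer, as an added example (not code from the original post): every client is created from the per-account session, because a bare `boto3.client('s3')` uses boto3's default session and whatever credentials the default chain finds on the machine. The `AccountId` field, the helper names and the STS identity check are assumptions added for illustration.

```python
def make_session(item):
    """Build a session from one item's temporary credentials (keys as in the question)."""
    import boto3  # imported here so the helpers below also work with a stub session
    return boto3.Session(
        aws_access_key_id=item['AccessKeyId'],
        aws_secret_access_key=item['SecretAccessKey'],
        aws_session_token=item['SessionToken'],
        region_name=item['regionParm'],
    )


def bucket_tags(session, bucket_name, expected_account=None):
    """Return the bucket's TagSet, using only clients created from `session`."""
    if expected_account is not None:
        # Confirm which principal the session's credentials resolve to.
        account = session.client('sts').get_caller_identity()['Account']
        if account != expected_account:
            raise PermissionError(
                f"session is account {account}, expected {expected_account}")
    s3_client = session.client('s3')  # not boto3.client('s3')
    try:
        return s3_client.get_bucket_tagging(Bucket=bucket_name)['TagSet']
    except s3_client.exceptions.ClientError as e:
        # A bucket with no tags raises NoSuchTagSet rather than returning [].
        if e.response['Error']['Code'] == 'NoSuchTagSet':
            return []
        raise  # AccessDenied and other errors stay visible to the caller


def collect_tags(items, session_factory=make_session):
    """Map bucket name -> TagSet or an error string, with one session per item."""
    results = {}
    for item in items:
        session = session_factory(item)
        try:
            # 'AccountId' is a hypothetical optional field, not in the question.
            results[item['bucketName']] = bucket_tags(
                session, item['bucketName'], item.get('AccountId'))
        except Exception as e:
            results[item['bucketName']] = f"error: {e}"
    return results
```

Calling `collect_tags(items)` with the question's `items` list needs boto3 installed and valid credentials in each item; the identity check only runs for items that carry an `AccountId`.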