【Question title】:Unable to locate credentials while making a connection with DB using boto3
【Posted】:2020-05-19 15:48:31
【Question】:

I want to connect to my database and retrieve data. I am currently using an AWS Amazon Linux 2 instance. I connect using boto3.

import json

import boto3
from flask import Flask
from flask_sqlalchemy import SQLAlchemy

application = Flask(__name__)  # assumed: the Flask app object this snippet refers to

def db_conn():
    secret_id = 'XXXXXXXXXXXXXXXX'
    Secret_Json = None  # stays None when the secret has no SecretString
    # This call is signed with AWS credentials; botocore raises
    # NoCredentialsError here when it cannot find any.
    client = boto3.client('secretsmanager', region_name="ap-southeast-2")
    get_secret_value_response = client.get_secret_value(SecretId=secret_id)
    if 'SecretString' in get_secret_value_response:
        Secret_Json = json.loads(get_secret_value_response['SecretString'])
    if Secret_Json is None:
        print("secret string is null")
        exit()
    # Build the SQLAlchemy connection URI from the fields stored in the secret
    driver = 'postgresql+psycopg2://'
    db_user = Secret_Json['username']
    db_pw = Secret_Json['password']
    db_address_port_db = Secret_Json['host'] + \
                         ':' + \
                         str(Secret_Json['port']) + \
                         '/' + \
                         Secret_Json['dbInstanceIdentifier']
    application.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
    application.config['SQLALCHEMY_DATABASE_URI'] = driver + db_user + ':' + db_pw + '@' + db_address_port_db
    db = SQLAlchemy(application)
    return db

I get an error saying that the credentials cannot be found:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 622, in _make_api_call
    operation_model, request_dict, request_context)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 641, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 102, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 132, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 116, in create_request
    operation_name=operation_model.name)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 356, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 228, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 211, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 90, in handler
    return self.sign(operation_name, request)
  File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 160, in sign
    auth.add_auth(request)
  File "/usr/local/lib/python3.7/site-packages/botocore/auth.py", line 357, in add_auth
    raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials

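Please help me solve this problem.

【Comments】:

  • IAM user, IAM role: how do you want to connect to AWS?
  • You would normally assign an IAM role to the Amazon EC2 instance. boto3 will automatically use the IAM role to obtain credentials via the EC2 instance metadata.

Tags: python-3.x amazon-web-services amazon-ec2 boto3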


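【Solution 1】:

You must assign an IAM role with the required permissions to the instance.

Boto3 will use the role's permissions to access your resources, such as Secrets Manager.

The role can include, for example, an inline policy for reading from Secrets Manager: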

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "<arn-of-your-secret>"
        }
    ]
}

If you encrypt your secret with KMS, KMS permissions may also be needed.
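An added example, not part of the original question or answer: once a role is attached, this checks which source boto3 resolved credentials from before calling Secrets Manager, and builds the connection URI from the secret with the username and password URL-encoded. The function names, `FakeSecretsClient` and the sample secret are constructed for illustration; the secret's keys are the ones used in the question.

```python
import json
from urllib.parse import quote

REQUIRED_KEYS = ("username", "password", "host", "port", "dbInstanceIdentifier")

# Constructed sample secret (not a real credential); note the '@', '/' and ':'.
SAMPLE_SECRET = json.dumps({"username": "app_user", "password": "p@ss/w:rd",
                            "host": "db.example.internal", "port": 5432,
                            "dbInstanceIdentifier": "mydb"})

class FakeSecretsClient:
    """Constructed stand-in for a Secrets Manager client, for offline runs."""
    def __init__(self, response):
        self._response = response
    def get_secret_value(self, SecretId):
        return self._response

def credential_source():
    """Name of the provider boto3 resolved credentials from, or None.
    On an EC2 instance with a role attached this is 'iam-role'."""
    import boto3  # lazy import: the helpers below run without boto3 installed
    creds = boto3.Session().get_credentials()
    return None if creds is None else creds.method

def build_db_uri(secret_string):
    """Build the SQLAlchemy URI; encoding keeps '@', '/' or ':' in the
    password from being parsed as URI delimiters."""
    secret = json.loads(secret_string)
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise KeyError(f"secret is missing keys: {missing}")
    user = quote(secret["username"], safe="")
    password = quote(secret["password"], safe="")
    return (f"postgresql+psycopg2://{user}:{password}@{secret['host']}:"
            f"{secret['port']}/{secret['dbInstanceIdentifier']}")

def fetch_db_uri(client, secret_id):
    """Fetch the secret through any client exposing get_secret_value()."""
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:
        raise ValueError("secret has no SecretString (stored as binary?)")
    return build_db_uri(response["SecretString"])

if __name__ == "__main__":
    # Offline demo with the fake client. On the instance, first confirm that
    # credential_source() is not None, then pass
    # boto3.client("secretsmanager", region_name="ap-southeast-2") instead.
    uri = fetch_db_uri(FakeSecretsClient({"SecretString": SAMPLE_SECRET}), "demo")
    print("URI built for host:", uri.split("@")[1])  # never log the password
```

If `credential_source()` returns `None` on the instance, no role is attached or its credentials are not reachable, which is the condition behind `NoCredentialsError`.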
