When I do this:
session1 = boto3.session.Session(profile_name='my_profile')
iam_client = session1.client('iam')
Given that user='an_existin_iam_user'
, the below succeeds as I can print the accessKeyId and the accessKeySecret successfully.
responseCreateAccessKey = iam_client.create_access_key(UserName=user)
accessKeyId = responseCreateAccessKey.get('AccessKey').get('AccessKeyId')
accessKeySecret = responseCreateAccessKey.get('AccessKey').get('SecretAccessKey')
Hence, I can use the iam_client to create access credentials for other users (given that the my_profile AWS profile holds creds for an admin IAM user)
Now, with the newly created credentials above, I want to create a new IAM user. The below are the things I have tried to achieve this:
Attempt 1
temp_session = boto3.Session(aws_access_key_id=accessKeyId,aws_secret_access_key=accessKeySecret,region_name='ap-southeast-1')
temp_iam_client = temp_session.client('iam')
responseCreateUser = temp_iam_client.create_user(UserName='my-new-user')
Attempt 2
temp_iam_client = boto3.client('iam',aws_access_key_id=accessKeyId,aws_secret_access_key=accessKeySecret,region_name='ap-southeast-1')
responseCreateUser = temp_iam_client.create_user(UserName='my-new-user')
Attempt 3
temp_session = boto3.session.Session(aws_access_key_id=accessKeyId,aws_secret_access_key=accessKeySecret,region_name='ap-southeast-1')
temp_iam_client = temp_session.client('iam')
responseCreateUser = temp_iam_client.create_user(UserName='my-new-user')
Attempt 4 (as also suggested in one of the answers below)
temp_session = boto3.session.Session(aws_access_key_id=accessKeyId,aws_secret_access_key=accessKeySecret,region_name='ap-southeast-1')
temp_iam_client = temp_session.client('iam')
time.sleep(5)
responseCreateUser = temp_iam_client.create_user(UserName='my-new-user')
Each one of the above fails with the following error
An error occurred (InvalidClientTokenId) when calling the CreateUser operation: The security token included in the request is invalid.
Is there something that I am missing here?
All I want to do is create create a new user with the (as shown above) newly generated access credentials (accesskey and access secret).
It's ok if I get an AccessDenied
exception. I am expecting that for the users that do not have the right privileges. But the InvalidClientTokenId
exception is something I don't understand why am I even getting it.
Also, if it helps, I am trying to do this (creation of access key and secret and then using it to create a new user) in an iterative loop for over a 100 users.
(The loop of course handles cases where access keys for the currently being processed user is already maxed out etc.)
So say for example, if I try doing the above user creation action, from the ipython console, individually for the user say, existing-test-user
, alone, then I get the proper AccessDenied
exception. However, when the loop reaches that user name (after iterating over the initial few users for example) then I get the InvalidClientTokenId
exception.
On an additional note was going through this the get_credentials()
section and I'm just wondering if it has anything to do with credentials caching ?