问题描述
我正在使用内部 IDP 进行身份验证,然后使用 SAML 断言来承担使用 boto3 sts 客户端的角色。与 IDP 的交互很好,并且能够在成功验证后生成 SAML 断言,但是当我尝试生成 sts 客户端时,“client = boto3.client('sts')” botocore 抛出了无效的标头值错误。
错误来自我们的出口代理服务器。
File "/usr/local/lib/python3.8/dist-packages/aws_authentication/credentials.py",line 219,in decode_saml_assertion
client = boto3.client('sts')
File "/usr/local/lib/python3.8/dist-packages/boto3/__init__.py",line 93,in client
return _get_default_session().client(*args,**kwargs)
File "/usr/local/lib/python3.8/dist-packages/boto3/session.py",line 258,in client
return self._session.create_client(
File "/usr/local/lib/python3.8/dist-packages/botocore/session.py",line 826,in create_client
credentials = self.get_credentials()
File "/usr/local/lib/python3.8/dist-packages/botocore/session.py",line 430,in get_credentials
self._credentials = self._components.get_component(
File "/usr/local/lib/python3.8/dist-packages/botocore/credentials.py",line 1975,in load_credentials
creds = provider.load()
File "/usr/local/lib/python3.8/dist-packages/botocore/credentials.py",line 1028,in load
Metadata = fetcher.retrieve_iam_role_credentials()
File "/usr/local/lib/python3.8/dist-packages/botocore/utils.py",line 486,in retrieve_iam_role_credentials
role_name = self._get_iam_role(token)
File "/usr/local/lib/python3.8/dist-packages/botocore/utils.py",line 518,in _get_iam_role
return self._get_request(
File "/usr/local/lib/python3.8/dist-packages/botocore/utils.py",line 427,in _get_request
response = self._session.send(request.prepare())
File "/usr/local/lib/python3.8/dist-packages/botocore/httpsession.py",line 356,in send
raise HTTPClientError(error=e)
botocore.exceptions.HTTPClientError: An HTTP Client raised an unhandled exception: Invalid header value b'---- proxy error response ----'
解决方法
出现此问题是因为在 botocore 包中的 _fetch_metadata_token 函数 Link 连接到 url http://169.254.169.254/latest/api/token Link 以获取元数据令牌。
为了成功连接到 169.254.169.254,我已将其添加到 no_proxy 以便出口 proxy_server 不会阻止连接。
no_proxy=localhost,169.254.169.254
将元数据端点 169.254.169.254 添加到 no_proxy 后,我能够连接到 sts 并生成客户端。