I’m having a problem using aws-vault with an MFA e...
# help
j
I’m having a problem using aws-vault with an MFA enabled IAM user when calling an aws service (dynamodb in my case) from a lambda using boto3 (maybe any aws sdk too). I have the proper config
```ini
[profile myprofile]
mfa_serial=arn:aws:iam::***:mfa/****
region=ap-southeast-1
output=json
```
I can also run the live lambda development properly and the stacks are deployed to our aws account. These are the commands I run
```sh
aws-vault exec myprofile
npx sst start --stage <mystage>
```
My lambda code looks like this
```python
import boto3
ddb = boto3.resource("dynamodb")
table = ddb.Table(MY_TABLE_NAME)
# do some operation on the table
```
When I invoke the lambda from the SST Console, this is what I get
```
An error occurred (UnrecognizedClientException) when calling the DescribeTable operation: The security token included in the request is invalid.
```
I have the proper permissions to the dynamodb table on my lambda
I created another IAM user with MFA disabled, configured the profile locally and it worked
```ini
# .aws/credentials
[myprofile-nomfa]
aws_access_key_id = ***
aws_secret_access_key = ***
```
then ran
```sh
AWS_PROFILE=myprofile-nomfa npx sst start --stage <mystage>
```
when I invoke my lambda calling the dynamodb with boto3, this works
f
Hey @John Stephen Soriao, taking a look
j
oh it worked when I used typescript with @aws-sdk/client-dynamodb
f
Ah I think I see what the issue is. Will put in a fix for this.
j
I just found out that this was because of the `AWS_SECURITY_TOKEN` environment variable. So I unset it while using live lambda development
```python
import os
if os.getenv("IS_LOCAL"):
    # Default of None avoids a KeyError when the variable is not set
    os.environ.pop("AWS_SECURITY_TOKEN", None)
```
f
Hey @John Stephen Soriao I just pushed out an update with the fix `v1.0.0-beta.23`. You can remove the `os.environ.pop` workaround.