import os
import shutil
import sys
# Directory where boto3 looks for its `config` and `credentials` files on this host.
AWS_DIRECTORY = "/home/jenkins/.aws"
# Folder holding the staged `kms_config` / `kms_credentials` files to copy from.
certificates_folder = "my_folder"
# Status string; not referenced in the visible part of this module.
SUCCESS = "success"
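class AmazonKMS(object):
    """Thin wrapper around the AWS KMS ``decrypt`` call.

    On construction it stages the files boto3 reads (``AWS_DIRECTORY/config``
    and ``AWS_DIRECTORY/credentials``) by copying ``kms_config`` and
    ``kms_credentials`` out of ``certificates_folder``, then opens a KMS client.

    Args:
        region_name: region the KMS client talks to. Defaults to
            ``'us-east-1'``, the value that used to be hard-coded. KMS keys are
            regional, and the ``AccessDeniedException`` text reported by the
            Decrypt call lists "does not exist in this region" as one of its
            three causes, so the region must match the key that produced the
            ciphertext.

    Raises:
        OSError: if ``AWS_DIRECTORY`` cannot be created or a source file is
            missing from ``certificates_folder`` (previously a failed ``cp``
            only surfaced through its exit status).
    """

    # (source name inside certificates_folder, destination name inside AWS_DIRECTORY)
    _STAGED_FILES = (
        ('kms_config', 'config'),
        ('kms_credentials', 'credentials'),
    )

    def __init__(self, region_name='us-east-1'):
        # making sure boto3 has the certificates and region files
        self._stage_aws_files()
        # boto3 is the amazon client package; imported lazily, as before, so the
        # module can be imported without it installed.
        import boto3
        self.kms_client = boto3.client('kms', region_name=region_name)
        self.global_key_alias = 'alias/global'
        self.global_key_id = None

    def _stage_aws_files(self):
        """Copy the staged config/credentials files into ``AWS_DIRECTORY``.

        Replaces the former ``os.system('mkdir -p ...')`` / ``os.system('cp ...')``
        shell strings: no shell is involved, so the paths are never re-parsed
        as a command line, and errors raise ``OSError`` instead of being
        reduced to an exit status.
        """
        # Python 2/3-compatible equivalent of `mkdir -p`.
        try:
            os.makedirs(AWS_DIRECTORY)
        except OSError:
            if not os.path.isdir(AWS_DIRECTORY):
                raise
        for source_name, dest_name in self._STAGED_FILES:
            # os.path.join works whether or not certificates_folder ends in '/';
            # the original 'folder' + 'kms_config' concatenation yielded
            # 'my_folderkms_config' when it did not.
            source = os.path.join(certificates_folder, source_name)
            dest = os.path.join(AWS_DIRECTORY, dest_name)
            shutil.copyfile(source, dest)
        # The credentials copy holds secrets: restrict it to the owner.
        os.chmod(os.path.join(AWS_DIRECTORY, 'credentials'), 0o600)

    def _check_os_result(self, result):
        """Raise if a shell-style exit status *result* is non-zero.

        Kept for callers of the previous ``os.system``-based setup. The original
        body referenced ``raise_on_copy_error`` and ``FAILED_COPY``, neither of
        which is defined in this snippet, so a non-zero status raised NameError.
        """
        if result != 0:
            raise RuntimeError(
                'AWS config setup command exited with status %r' % (result,)
            )

    def decrypt_text(self, encrypted_text):
        """Decrypt *encrypted_text* (a KMS ``CiphertextBlob``).

        Returns the ``Plaintext`` field of the KMS response. botocore's
        ``ClientError`` propagates unchanged; its ``AccessDeniedException``
        variant reports a key that does not exist, is in another region, or
        that the caller is not allowed to use.
        """
        response = self.kms_client.decrypt(CiphertextBlob=encrypted_text)
        return response['Plaintext']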
使用时：`amazon_kms = AmazonKMS()`，然后调用 `amazon_kms.decrypt_text(blob_password)`
得到的错误是：
E ClientError: An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
堆栈跟踪（stacktrace）为：
../keys_management/amazon_kms.py:77: in decrypt_text
CiphertextBlob = encrypted_text
/home/jenkins/.virtualenvs/global_tests/local/lib/python2.7/site-packages/botocore/client.py:253: in _api_call
return self._make_api_call(operation_name, kwargs)
/home/jenkins/.virtualenvs/global_tests/local/lib/python2.7/site-packages/botocore/client.py:557: in _make_api_call
raise error_class(parsed_response, operation_name)
这会在每小时运行一次的脚本中发生。
每天仅失败 2–3 次。
重试后成功。
已尝试将 boto3 从 1.2.3 升级到 1.4.4。
此行为的可能原因是什么?
我的猜测是，问题并不在您此处描述的任何内容中，最有可能是登录令牌超时或类似情况。要进一步调查，了解这里的登录方式会有帮助：这段代码是如何运行的？是在 AWS 内部（如 Lambda 或 EC2 上）运行，还是在您自己的服务器上运行（看起来是在 Jenkins 上）？登录访问权限是如何建立的？这些 kms_credentials 是做什么用的，内容是什么形式？您是否做了类似 assume role（承担角色）的操作（它可能通过临时访问令牌起作用，而令牌在一段时间后就会失效）？