Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The provided token is malformed or otherwise invalid. #4268

Closed
odgrso opened this issue Sep 11, 2024 · 6 comments
Closed

The provided token is malformed or otherwise invalid. #4268

odgrso opened this issue Sep 11, 2024 · 6 comments
Assignees
@adev-code
Labels
bug This issue is a confirmed bug. closed-for-staleness p3 This is a minor priority issue response-requested Waiting on additional information or feedback. s3

Comments

@odgrso
Copy link

odgrso commented Sep 11, 2024

Describe the bug

Using switch role profiles to generate iam client and S3 client and calling S3 API results in error

Expected Behavior

Generating an iam client should work fine

Current Behavior

Generating iam client before S3 client and calling S3 API results in error

Reproduction Steps

Configure switch roles in ~/.aws/config

[profile test]
region=ap-northeast-1
role_arn=arn:aws:iam::111111111111:role/switch_role_name
source_profile=default
output=json

It works fine if you do the following

import boto3

session = boto3.Session(profile_name="test")
s3_client = session.client("s3", region_name="ap-east-1")
response = s3_client.get_bucket_encryption(Bucket="<bucket_name>")
print(response)

However, the following will result in an error

import boto3

session = boto3.Session(profile_name="test")
iam_client = session.client("iam")
s3_client = session.client("s3", region_name="ap-east-1")
response = s3_client.get_bucket_encryption(Bucket="<bucket_name>")
print(response)

botocore.exceptions.ClientError: An error occurred (InvalidToken) when calling the GetBucketEncryption operation: The provided token is malformed or otherwise invalid.

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.35.14

Environment details (OS name and version, etc.)

Darwin MacBook-Pro.local 23.5.0 Darwin Kernel Version 23.5.0: Wed May 1 20:09:52 PDT 2024; root:xnu-10063.121.3~5/RELEASE_X86_64 x86_64
@odgrso odgrso added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2024
@adev-code adev-code self-assigned this Sep 13, 2024
@adev-code adev-code added investigating This issue is being investigated and/or work is in progress to resolve the issue. s3 p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2024
@adev-code
Copy link

Hi @odgrso, thanks for reaching out. I was not able to replicate the same issue using the code and config above.

For further look, please include the full debug response by adding the line: boto3.set_stream_logger('') and redacting any sensitive information.

Thank you.

@adev-code adev-code added response-requested Waiting on additional information or feedback. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 13, 2024
@odgrso
Copy link
Author

odgrso commented Sep 14, 2024

bug request

2024-09-14 16:23:57,594 - botocore.hooks - DEBUG - Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-09-14 16:23:57,596 - botocore.hooks - DEBUG - Changing event name from before-call.apigateway to before-call.api-gateway
2024-09-14 16:23:57,597 - botocore.hooks - DEBUG - Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-09-14 16:23:57,599 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-09-14 16:23:57,599 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-09-14 16:23:57,600 - botocore.hooks - DEBUG - Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-09-14 16:23:57,600 - botocore.hooks - DEBUG - Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-09-14 16:23:57,604 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-09-14 16:23:57,604 - botocore.hooks - DEBUG - Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-09-14 16:23:57,604 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-09-14 16:23:57,604 - botocore.hooks - DEBUG - Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-09-14 16:23:57,605 - botocore.session - DEBUG - Setting config variable for profile to 'bug2'
2024-09-14 16:23:57,610 - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-09-14 16:23:57,619 - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2024-09-14 16:23:57,619 - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2024-09-14 16:23:57,619 - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2024-09-14 16:23:57,619 - botocore.credentials - DEBUG - Looking for credentials via: sso
2024-09-14 16:23:57,619 - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2024-09-14 16:23:57,620 - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2024-09-14 16:23:57,621 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/endpoints.json
2024-09-14 16:23:57,643 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/sdk-default-configuration.json
2024-09-14 16:23:57,643 - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x108d83670>
2024-09-14 16:23:57,677 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/service-2.json.gz
2024-09-14 16:23:57,709 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/iam/2010-05-08/endpoint-rule-set-1.json.gz
2024-09-14 16:23:57,710 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/partitions.json
2024-09-14 16:23:57,714 - botocore.hooks - DEBUG - Event creating-client-class.iam: calling handler <function add_generate_presigned_url at 0x108cd1af0>
2024-09-14 16:23:57,715 - botocore.configprovider - DEBUG - Looking for endpoint for iam via: environment_service
2024-09-14 16:23:57,715 - botocore.configprovider - DEBUG - Looking for endpoint for iam via: environment_global
2024-09-14 16:23:57,715 - botocore.configprovider - DEBUG - Looking for endpoint for iam via: config_service
2024-09-14 16:23:57,715 - botocore.configprovider - DEBUG - Looking for endpoint for iam via: config_global
2024-09-14 16:23:57,715 - botocore.configprovider - DEBUG - No configured endpoint found.
2024-09-14 16:23:57,715 - botocore.regions - DEBUG - Using partition endpoint for iam, ap-northeast-1: aws-global
2024-09-14 16:23:57,717 - botocore.endpoint - DEBUG - Setting iam timeout as (60, 60)
2024-09-14 16:23:57,718 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/_retry.json
2024-09-14 16:23:57,719 - botocore.client - DEBUG - Registering retry handlers for service: iam
2024-09-14 16:23:57,720 - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x108d83670>
2024-09-14 16:23:57,725 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/s3/2006-03-01/service-2.json.gz
2024-09-14 16:23:57,755 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/s3/2006-03-01/endpoint-rule-set-1.json.gz
2024-09-14 16:23:57,761 - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x108cd1d30>
2024-09-14 16:23:57,761 - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function lazy_call.<locals>._handler at 0x108e208b0>
2024-09-14 16:23:57,832 - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x108cd1af0>
2024-09-14 16:23:57,833 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: environment_service
2024-09-14 16:23:57,833 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: environment_global
2024-09-14 16:23:57,833 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: config_service
2024-09-14 16:23:57,833 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: config_global
2024-09-14 16:23:57,833 - botocore.configprovider - DEBUG - No configured endpoint found.
2024-09-14 16:23:57,835 - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2024-09-14 16:23:57,838 - botocore.client - DEBUG - Registering retry handlers for service: s3
2024-09-14 16:23:57,838 - botocore.utils - DEBUG - Registering S3 region redirector handler
2024-09-14 16:23:57,838 - botocore.utils - DEBUG - Registering S3Express Identity Resolver
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <function validate_bucket_name at 0x108d9edc0>
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <function remove_bucket_from_url_paths_from_model at 0x108da7ca0>
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <bound method S3RegionRedirectorv2.annotate_request_context of <botocore.utils.S3RegionRedirectorv2 object at 0x10a559e20>>
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <bound method ClientCreator._inject_s3_input_parameters of <botocore.client.ClientCreator object at 0x108e8c2e0>>
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <function generate_idempotent_uuid at 0x108d9ec10>
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <function customize_endpoint_resolver_builtins at 0x108da7e50>
2024-09-14 16:23:57,839 - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <bound method S3RegionRedirectorv2.redirect_from_cache of <botocore.utils.S3RegionRedirectorv2 object at 0x10a559e20>>
2024-09-14 16:23:57,840 - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Bucket': 'sample-bucket', 'Region': 'ap-east-1', 'UseFIPS': False, 'UseDualStack': False, 'ForcePathStyle': False, 'Accelerate': False, 'UseGlobalEndpoint': False, 'DisableMultiRegionAccessPoints': False, 'UseArnRegion': True, 'UseS3ExpressControlEndpoint': True}
2024-09-14 16:23:57,841 - botocore.regions - DEBUG - Endpoint provider result: https://sample-bucket.s3.ap-east-1.amazonaws.com
2024-09-14 16:23:57,841 - botocore.regions - DEBUG - Selecting from endpoint provider's list of auth schemes: "sigv4". User selected auth scheme is: "None"
2024-09-14 16:23:57,841 - botocore.regions - DEBUG - Selected auth type "v4" as "v4" with signing context params: {'region': 'ap-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}
2024-09-14 16:23:57,841 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <function add_expect_header at 0x108da6160>
2024-09-14 16:23:57,841 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <bound method S3ExpressIdentityResolver.apply_signing_cache_key of <botocore.utils.S3ExpressIdentityResolver object at 0x10a559df0>>
2024-09-14 16:23:57,841 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <function add_recursion_detection_header at 0x108d9e820>
2024-09-14 16:23:57,842 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <function inject_api_version_header_if_needed at 0x108da74c0>
2024-09-14 16:23:57,842 - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetBucketEncryption) with params: {'url_path': '?encryption', 'query_string': {}, 'method': 'GET', 'headers': {'User-Agent': 'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14'}, 'body': b'', 'auth_path': '/sample-bucket/', 'url': 'https://sample-bucket.s3.ap-east-1.amazonaws.com/?encryption', 'context': {'client_region': 'ap-east-1', 'client_config': <botocore.config.Config object at 0x109a802e0>, 'has_streaming_input': False, 'auth_type': 'v4', 'unsigned_payload': None, 's3_redirect': {'redirected': False, 'bucket': 'sample-bucket', 'params': {'Bucket': 'sample-bucket'}}, 'input_params': {'Bucket': 'sample-bucket'}, 'signing': {'region': 'ap-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}, 'endpoint_properties': {'authSchemes': [{'disableDoubleEncoding': True, 'name': 'sigv4', 'signingName': 's3', 'signingRegion': 'ap-east-1'}]}}}
2024-09-14 16:23:57,842 - botocore.hooks - DEBUG - Event request-created.s3.GetBucketEncryption: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x109a801c0>>
2024-09-14 16:23:57,842 - botocore.hooks - DEBUG - Event choose-signer.s3.GetBucketEncryption: calling handler <function set_operation_specific_signer at 0x108d9ea60>
2024-09-14 16:23:57,842 - botocore.hooks - DEBUG - Event before-sign.s3.GetBucketEncryption: calling handler <function remove_arn_from_signing_path at 0x108da7dc0>
2024-09-14 16:23:57,842 - botocore.hooks - DEBUG - Event before-sign.s3.GetBucketEncryption: calling handler <bound method S3ExpressIdentityResolver.resolve_s3express_identity of <botocore.utils.S3ExpressIdentityResolver object at 0x10a559df0>>
2024-09-14 16:23:57,842 - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x108d83670>
2024-09-14 16:23:57,843 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/sts/2011-06-15/service-2.json.gz
2024-09-14 16:23:57,845 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/sts/2011-06-15/endpoint-rule-set-1.json.gz
2024-09-14 16:23:57,846 - botocore.hooks - DEBUG - Event creating-client-class.sts: calling handler <function add_generate_presigned_url at 0x108cd1af0>
2024-09-14 16:23:57,846 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: environment_service
2024-09-14 16:23:57,846 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: environment_global
2024-09-14 16:23:57,847 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: config_service
2024-09-14 16:23:57,847 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: config_global
2024-09-14 16:23:57,847 - botocore.configprovider - DEBUG - No configured endpoint found.
2024-09-14 16:23:57,849 - botocore.endpoint - DEBUG - Setting sts timeout as (60, 60)
2024-09-14 16:23:57,850 - botocore.client - DEBUG - Registering retry handlers for service: sts
2024-09-14 16:23:57,850 - botocore.hooks - DEBUG - Event before-parameter-build.sts.AssumeRole: calling handler <function generate_idempotent_uuid at 0x108d9ec10>
2024-09-14 16:23:57,851 - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'ap-northeast-1', 'UseDualStack': False, 'UseFIPS': False, 'UseGlobalEndpoint': True}
2024-09-14 16:23:57,851 - botocore.regions - DEBUG - Endpoint provider result: https://sts.amazonaws.com
2024-09-14 16:23:57,851 - botocore.regions - DEBUG - Selecting from endpoint provider's list of auth schemes: "sigv4". User selected auth scheme is: "None"
2024-09-14 16:23:57,851 - botocore.regions - DEBUG - Selected auth type "v4" as "v4" with signing context params: {'region': 'us-east-1', 'signing_name': 'sts'}
2024-09-14 16:23:57,852 - botocore.hooks - DEBUG - Event before-call.sts.AssumeRole: calling handler <function add_recursion_detection_header at 0x108d9e820>
2024-09-14 16:23:57,852 - botocore.hooks - DEBUG - Event before-call.sts.AssumeRole: calling handler <function inject_api_version_header_if_needed at 0x108da74c0>
2024-09-14 16:23:57,852 - botocore.endpoint - DEBUG - Making request for OperationModel(name=AssumeRole) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14'}, 'body': {'Action': 'AssumeRole', 'Version': '2011-06-15', 'RoleArn': 'arn:aws:iam::000000000000:role/000000000000_readonly', 'RoleSessionName': 'botocore-session-1726298637'}, 'url': 'https://sts.amazonaws.com/', 'context': {'client_region': 'ap-northeast-1', 'client_config': <botocore.config.Config object at 0x10a559220>, 'has_streaming_input': False, 'auth_type': 'v4', 'unsigned_payload': None, 'signing': {'region': 'us-east-1', 'signing_name': 'sts'}, 'endpoint_properties': {'authSchemes': [{'name': 'sigv4', 'signingName': 'sts', 'signingRegion': 'us-east-1'}]}}}
2024-09-14 16:23:57,852 - botocore.hooks - DEBUG - Event request-created.sts.AssumeRole: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10a5592b0>>
2024-09-14 16:23:57,852 - botocore.hooks - DEBUG - Event choose-signer.sts.AssumeRole: calling handler <function set_operation_specific_signer at 0x108d9ea60>
2024-09-14 16:23:57,853 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-09-14 16:23:57,853 - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-www-form-urlencoded; charset=utf-8
host:sts.amazonaws.com
x-amz-date:20240914T072357Z

content-type;host;x-amz-date
7ceebf1c458ba0e86e89d92746588225a7edc97ae59a18f712f2d1553ba27227
2024-09-14 16:23:57,853 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240914T072357Z
20240914/us-east-1/sts/aws4_request
14c7f3c412dece4dad656a2bfd7b5f959889800bbde18f660a521dd0857d850f
2024-09-14 16:23:57,853 - botocore.auth - DEBUG - Signature:
6abcf8da81a9298c76eb11f5c19298f63dd46e4c9ba57775d029238552c028ae
2024-09-14 16:23:57,853 - botocore.hooks - DEBUG - Event request-created.sts.AssumeRole: calling handler <function add_retry_headers at 0x108da7c10>
2024-09-14 16:23:57,854 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://sts.amazonaws.com/, headers={'Content-Type': b'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': b'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14', 'X-Amz-Date': b'20240914T072357Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=AKIA3FKRXXXXXXXXF6XS/20240914/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=6abcf8da81a9298c76eb11f5c19298f63dd46e4c9ba57775d029238552c028ae', 'amz-sdk-invocation-id': b'527efee5-dd18-49e9-b162-56a8b0d6d396', 'amz-sdk-request': b'attempt=1', 'Content-Length': '153'}>
2024-09-14 16:23:57,854 - botocore.httpsession - DEBUG - Certificate path: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/certifi/cacert.pem
2024-09-14 16:23:58,634 - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '01cdc304-4390-4d6d-9137-f8b5446f2563', 'Content-Type': 'text/xml', 'Content-Length': '1118', 'Date': 'Sat, 14 Sep 2024 07:23:58 GMT'}
2024-09-14 16:23:58,634 - botocore.parsers - DEBUG - Response body:
b'<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROA3FKXXXXXXXXXXTPL3:botocore-session-1726298637</AssumedRoleId>\n      <Arn>arn:aws:sts::000000000000:assumed-role/readonly/botocore-session-1726298637</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIA3FXXXXXXXXXXXX</AccessKeyId>\n      <SecretAccessKey>zmepK6aYYnw02hDUo7PbUdyNKIob6rvlVKDHBCzg</SecretAccessKey>\n      <SessionToken>FwoGZXIvYXdzELn//////////wEaDI0V1oGnnvgvZMm1NSK/ARNXXuAo0DzVe8QNFMUyBuVbn4uKE9fnzF6Vtw8TMYbauWRPTClAIQsqXYApuTM358iSw5KUTEof6YpLIFXbkOlrhpfjiEXDdnlUgTTgZyuNpNv9p7Tao39XBmsIilol6/czuL7lbqaKsctw2Zn+TNoYXpTwysEQeOoJJiSI0a1OqR7li6x5pUqYcW2TQWZZYOA+3rov8nmH8E9nQJ8er2csSKIZJNv4iietG7q/Ey3iaTtsC3ROmugH0qWpR8+wKI70lLcGMi36eGdtkwvP04IkTIis2VUDP2vfNngTuHnjOCdLeQjTHz0w9vrBYY3iyQq+LJg=</SessionToken>\n      <Expiration>2024-09-14T08:23:58Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>01cdc304-4390-4d6d-9137-f8b5446f2563</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n'
2024-09-14 16:23:58,636 - botocore.hooks - DEBUG - Event needs-retry.sts.AssumeRole: calling handler <botocore.retryhandler.RetryHandler object at 0x10a4ac9d0>
2024-09-14 16:23:58,637 - botocore.retryhandler - DEBUG - No retry needed.
2024-09-14 16:23:58,640 - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2024-09-14 08:23:58+00:00
2024-09-14 16:23:58,640 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-09-14 16:23:58,641 - botocore.auth - DEBUG - CanonicalRequest:
GET
/
encryption=
host:sample-bucket.s3.ap-east-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20240914T072358Z
x-amz-security-token:FwoGZXIvYXdzELn//////////wEaDI0V1oGnnvgvZMm1NSK/ARNXXuAo0DzVe8QNFMUyBuVbn4uKE9fnzF6Vtw8TMYbauWRPTClAIQsqXYApuTM358iSw5KUTEof6YpLIFXbkOlrhpfjiEXDdnlUgTTgZyuNpNv9p7Tao39XBmsIilol6/czuL7lbqaKsctw2Zn+TNoYXpTwysEQeOoJJiSI0a1OqR7li6x5pUqYcW2TQWZZYOA+3rov8nmH8E9nQJ8er2csSKIZJNv4iietG7q/Ey3iaTtsC3ROmugH0qWpR8+wKI70lLcGMi36eGdtkwvP04IkTIis2VUDP2vfNngTuHnjOCdLeQjTHz0w9vrBYY3iyQq+LJg=

host;x-amz-content-sha256;x-amz-date;x-amz-security-token
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-09-14 16:23:58,641 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240914T072358Z
20240914/ap-east-1/s3/aws4_request
f42ebb2414abf0ec86e28d29a8edc077497ea6f5cc71cda6862a8b04029dddc5
2024-09-14 16:23:58,641 - botocore.auth - DEBUG - Signature:
01da108707eb06fe6987778e5e99074859e102a14cd223c657e09a9d1073cbf5
2024-09-14 16:23:58,641 - botocore.hooks - DEBUG - Event request-created.s3.GetBucketEncryption: calling handler <function add_retry_headers at 0x108da7c10>
2024-09-14 16:23:58,642 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://sample-bucket.s3.ap-east-1.amazonaws.com/?encryption, headers={'User-Agent': b'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14', 'X-Amz-Date': b'20240914T072358Z', 'X-Amz-Security-Token': b'FwoGZXIvYXdzELn//////////wEaDI0V1oGnnvgvZMm1NSK/ARNXXuAo0DzVe8QNFMUyBuVbn4uKE9fnzF6Vtw8TMYbauWRPTClAIQsqXYApuTM358iSw5KUTEof6YpLIFXbkOlrhpfjiEXDdnlUgTTgZyuNpNv9p7Tao39XBmsIilol6/czuL7lbqaKsctw2Zn+TNoYXpTwysEQeOoJJiSI0a1OqR7li6x5pUqYcW2TQWZZYOA+3rov8nmH8E9nQJ8er2csSKIZJNv4iietG7q/Ey3iaTtsC3ROmugH0qWpR8+wKI70lLcGMiXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXuHnjOCdLeQjTHz0w9vrBYY3iyQq+LJg=', 'X-Amz-Content-SHA256': b'e3b0c44298fc1c149ae41e4649b934ca495991b7852b855', 'Authorization': b'AWS4-HMAC-SHA256 Credential=ASIA3FXXXXXXXXXXXX/20240914/ap-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=01da108707eb06fe6987778e5e99074859e102a14cd223c657e09a9d1073cbf5', 'amz-sdk-invocation-id': b'a4ad98d5-9abb-4232-9dd3-32def095efe0', 'amz-sdk-request': b'attempt=1'}>
2024-09-14 16:23:58,642 - botocore.httpsession - DEBUG - Certificate path: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/certifi/cacert.pem
2024-09-14 16:23:58,928 - botocore.parsers - DEBUG - Response headers: {'x-amz-request-id': '29VY3PVBGBCXRMG1', 'x-amz-id-2': 'N5va1i11oHfVifo2sqI7MH6sPaKNuomxvbSmzD9eaXN3Ep+ZVOBXQXvf3G3GUbvsn+aXlADqTVE=', 'Content-Type': 'application/xml', 'Transfer-Encoding': 'chunked', 'Date': 'Sat, 14 Sep 2024 07:23:58 GMT', 'Server': 'AmazonS3', 'Connection': 'close'}
2024-09-14 16:23:58,928 - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>InvalidToken</Code><Message>The provided token is malformed or otherwise invalid.</Message><Token-0>FwoGZXIvYXdzELn//////////wEaDI0V1oGnnvgvZMm1NSK/ARNXXuAo0DzVe8QNFMUyBuVbn4uKE9fnzF6Vtw8TMYbauWRPTClAIQsqXYApuTM358iSw5KUTEof6YpLIFXbkOlrhpfjiEXDdnlUgTTgZyuNpNv9p7Tao39XBmsIilol6/czuL7lbqaKsctw2Zn+TNoYXpTwysEQeOoJJiSI0a1OqR7li6x5pUqYcW2TQWZZYOA+3rov8nmH8E9nQJ8er2csSKIZJNv4iietG7q/Ey3iaTtsC3ROmugH0qWpR8+wKI70lLcGMi36eGdtkjOCdLeQjTHz0w9vrBYY3iyQq+LJg=</Token-0><RequestId>29VY3PVBGBCXRMG1</RequestId><HostId>N5va1i11oHfVifo2sqI7MH6sPaKNuomxvbSmzD9eaXN3Ep+ZVOBXQXvf3G3GUbvsn+aXlADqTVE=</HostId></Error>'
2024-09-14 16:23:58,932 - botocore.hooks - DEBUG - Event needs-retry.s3.GetBucketEncryption: calling handler <botocore.retryhandler.RetryHandler object at 0x10a559eb0>
2024-09-14 16:23:58,932 - botocore.retryhandler - DEBUG - No retry needed.
2024-09-14 16:23:58,932 - botocore.hooks - DEBUG - Event needs-retry.s3.GetBucketEncryption: calling handler <bound method S3RegionRedirectorv2.redirect_from_error of <botocore.utils.S3RegionRedirectorv2 object at 0x10a559e20>>
Traceback (most recent call last):
  File "/Users/user1/development/karte-cloud-service-scanner-engine/src/tests/AWS/bug.py", line 9, in <module>
    response = s3_client.get_bucket_encryption(Bucket="sample-bucket")
  File "/Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/client.py", line 569, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/client.py", line 1023, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidToken) when calling the GetBucketEncryption operation: The provided token is malformed or otherwise invalid.

Request without IAM Client

2024-09-14 16:25:04,656 - botocore.hooks - DEBUG - Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-09-14 16:25:04,659 - botocore.hooks - DEBUG - Changing event name from before-call.apigateway to before-call.api-gateway
2024-09-14 16:25:04,660 - botocore.hooks - DEBUG - Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-09-14 16:25:04,662 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-09-14 16:25:04,662 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-09-14 16:25:04,663 - botocore.hooks - DEBUG - Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-09-14 16:25:04,665 - botocore.hooks - DEBUG - Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-09-14 16:25:04,669 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-09-14 16:25:04,669 - botocore.hooks - DEBUG - Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-09-14 16:25:04,669 - botocore.hooks - DEBUG - Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-09-14 16:25:04,670 - botocore.hooks - DEBUG - Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-09-14 16:25:04,670 - botocore.session - DEBUG - Setting config variable for profile to 'bug2'
2024-09-14 16:25:04,677 - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2024-09-14 16:25:04,685 - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2024-09-14 16:25:04,685 - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2024-09-14 16:25:04,685 - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2024-09-14 16:25:04,685 - botocore.credentials - DEBUG - Looking for credentials via: sso
2024-09-14 16:25:04,686 - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2024-09-14 16:25:04,686 - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2024-09-14 16:25:04,688 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/endpoints.json
2024-09-14 16:25:04,709 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/sdk-default-configuration.json
2024-09-14 16:25:04,710 - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x106ec3670>
2024-09-14 16:25:04,742 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/s3/2006-03-01/service-2.json.gz
2024-09-14 16:25:04,778 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/s3/2006-03-01/endpoint-rule-set-1.json.gz
2024-09-14 16:25:04,782 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/partitions.json
2024-09-14 16:25:04,785 - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x106e11d30>
2024-09-14 16:25:04,785 - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function lazy_call.<locals>._handler at 0x106f608b0>
2024-09-14 16:25:04,871 - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x106e11af0>
2024-09-14 16:25:04,877 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: environment_service
2024-09-14 16:25:04,877 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: environment_global
2024-09-14 16:25:04,896 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: config_service
2024-09-14 16:25:04,898 - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: config_global
2024-09-14 16:25:04,898 - botocore.configprovider - DEBUG - No configured endpoint found.
2024-09-14 16:25:04,903 - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2024-09-14 16:25:04,906 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/_retry.json
2024-09-14 16:25:04,907 - botocore.client - DEBUG - Registering retry handlers for service: s3
2024-09-14 16:25:04,907 - botocore.utils - DEBUG - Registering S3 region redirector handler
2024-09-14 16:25:04,908 - botocore.utils - DEBUG - Registering S3Express Identity Resolver
2024-09-14 16:25:04,908 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <function validate_bucket_name at 0x106ededc0>
2024-09-14 16:25:04,908 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <function remove_bucket_from_url_paths_from_model at 0x106ee7ca0>
2024-09-14 16:25:04,909 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <bound method S3RegionRedirectorv2.annotate_request_context of <botocore.utils.S3RegionRedirectorv2 object at 0x107a394c0>>
2024-09-14 16:25:04,909 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <bound method ClientCreator._inject_s3_input_parameters of <botocore.client.ClientCreator object at 0x106fcd160>>
2024-09-14 16:25:04,909 - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetBucketEncryption: calling handler <function generate_idempotent_uuid at 0x106edec10>
2024-09-14 16:25:04,909 - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <function customize_endpoint_resolver_builtins at 0x106ee7e50>
2024-09-14 16:25:04,909 - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <bound method S3RegionRedirectorv2.redirect_from_cache of <botocore.utils.S3RegionRedirectorv2 object at 0x107a394c0>>
2024-09-14 16:25:04,910 - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Bucket': 'sample-bucket', 'Region': 'ap-east-1', 'UseFIPS': False, 'UseDualStack': False, 'ForcePathStyle': False, 'Accelerate': False, 'UseGlobalEndpoint': False, 'DisableMultiRegionAccessPoints': False, 'UseArnRegion': True, 'UseS3ExpressControlEndpoint': True}
2024-09-14 16:25:04,912 - botocore.regions - DEBUG - Endpoint provider result: https://sample-bucket.s3.ap-east-1.amazonaws.com
2024-09-14 16:25:04,912 - botocore.regions - DEBUG - Selecting from endpoint provider's list of auth schemes: "sigv4". User selected auth scheme is: "None"
2024-09-14 16:25:04,912 - botocore.regions - DEBUG - Selected auth type "v4" as "v4" with signing context params: {'region': 'ap-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}
2024-09-14 16:25:04,913 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <function add_expect_header at 0x106ee6160>
2024-09-14 16:25:04,913 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <bound method S3ExpressIdentityResolver.apply_signing_cache_key of <botocore.utils.S3ExpressIdentityResolver object at 0x107a394f0>>
2024-09-14 16:25:04,913 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <function add_recursion_detection_header at 0x106ede820>
2024-09-14 16:25:04,913 - botocore.hooks - DEBUG - Event before-call.s3.GetBucketEncryption: calling handler <function inject_api_version_header_if_needed at 0x106ee74c0>
2024-09-14 16:25:04,913 - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetBucketEncryption) with params: {'url_path': '?encryption', 'query_string': {}, 'method': 'GET', 'headers': {'User-Agent': 'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14'}, 'body': b'', 'auth_path': '/sample-bucket/', 'url': 'https://sample-bucket.s3.ap-east-1.amazonaws.com/?encryption', 'context': {'client_region': 'ap-east-1', 'client_config': <botocore.config.Config object at 0x1079621c0>, 'has_streaming_input': False, 'auth_type': 'v4', 'unsigned_payload': None, 's3_redirect': {'redirected': False, 'bucket': 'sample-bucket', 'params': {'Bucket': 'sample-bucket'}}, 'input_params': {'Bucket': 'sample-bucket'}, 'signing': {'region': 'ap-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}, 'endpoint_properties': {'authSchemes': [{'disableDoubleEncoding': True, 'name': 'sigv4', 'signingName': 's3', 'signingRegion': 'ap-east-1'}]}}}
2024-09-14 16:25:04,913 - botocore.hooks - DEBUG - Event request-created.s3.GetBucketEncryption: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10795dd90>>
2024-09-14 16:25:04,913 - botocore.hooks - DEBUG - Event choose-signer.s3.GetBucketEncryption: calling handler <function set_operation_specific_signer at 0x106edea60>
2024-09-14 16:25:04,914 - botocore.hooks - DEBUG - Event before-sign.s3.GetBucketEncryption: calling handler <function remove_arn_from_signing_path at 0x106ee7dc0>
2024-09-14 16:25:04,914 - botocore.hooks - DEBUG - Event before-sign.s3.GetBucketEncryption: calling handler <bound method S3ExpressIdentityResolver.resolve_s3express_identity of <botocore.utils.S3ExpressIdentityResolver object at 0x107a394f0>>
2024-09-14 16:25:04,914 - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x106ec3670>
2024-09-14 16:25:04,915 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/sts/2011-06-15/service-2.json.gz
2024-09-14 16:25:04,917 - botocore.loaders - DEBUG - Loading JSON file: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/botocore/data/sts/2011-06-15/endpoint-rule-set-1.json.gz
2024-09-14 16:25:04,918 - botocore.hooks - DEBUG - Event creating-client-class.sts: calling handler <function add_generate_presigned_url at 0x106e11af0>
2024-09-14 16:25:04,918 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: environment_service
2024-09-14 16:25:04,918 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: environment_global
2024-09-14 16:25:04,918 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: config_service
2024-09-14 16:25:04,918 - botocore.configprovider - DEBUG - Looking for endpoint for sts via: config_global
2024-09-14 16:25:04,918 - botocore.configprovider - DEBUG - No configured endpoint found.
2024-09-14 16:25:04,921 - botocore.endpoint - DEBUG - Setting sts timeout as (60, 60)
2024-09-14 16:25:04,922 - botocore.client - DEBUG - Registering retry handlers for service: sts
2024-09-14 16:25:04,923 - botocore.hooks - DEBUG - Event before-parameter-build.sts.AssumeRole: calling handler <function generate_idempotent_uuid at 0x106edec10>
2024-09-14 16:25:04,923 - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Region': 'ap-east-1', 'UseDualStack': False, 'UseFIPS': False, 'UseGlobalEndpoint': False}
2024-09-14 16:25:04,924 - botocore.regions - DEBUG - Endpoint provider result: https://sts.ap-east-1.amazonaws.com
2024-09-14 16:25:04,924 - botocore.hooks - DEBUG - Event before-call.sts.AssumeRole: calling handler <function add_recursion_detection_header at 0x106ede820>
2024-09-14 16:25:04,924 - botocore.hooks - DEBUG - Event before-call.sts.AssumeRole: calling handler <function inject_api_version_header_if_needed at 0x106ee74c0>
2024-09-14 16:25:04,924 - botocore.endpoint - DEBUG - Making request for OperationModel(name=AssumeRole) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14'}, 'body': {'Action': 'AssumeRole', 'Version': '2011-06-15', 'RoleArn': 'arn:aws:iam::000000000000:role/000000000000_readonly', 'RoleSessionName': 'botocore-session-1726298704'}, 'url': 'https://sts.ap-east-1.amazonaws.com/', 'context': {'client_region': 'ap-east-1', 'client_config': <botocore.config.Config object at 0x107a391f0>, 'has_streaming_input': False, 'auth_type': None, 'unsigned_payload': None}}
2024-09-14 16:25:04,925 - botocore.hooks - DEBUG - Event request-created.sts.AssumeRole: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x107a392b0>>
2024-09-14 16:25:04,925 - botocore.hooks - DEBUG - Event choose-signer.sts.AssumeRole: calling handler <function set_operation_specific_signer at 0x106edea60>
2024-09-14 16:25:04,926 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-09-14 16:25:04,926 - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-www-form-urlencoded; charset=utf-8
host:sts.ap-east-1.amazonaws.com
x-amz-date:20240914T072504Z

content-type;host;x-amz-date
3a4f30e9bc95a88c366cb6395c704f1fb0923e094856420b7ebfa82029744ac3
2024-09-14 16:25:04,926 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240914T072504Z
20240914/ap-east-1/sts/aws4_request
e12acacd80bc3ad4792ad7aca89fd93739d30f79c3642659703e1693c48fde37
2024-09-14 16:25:04,926 - botocore.auth - DEBUG - Signature:
34e7bfb70313f427655f6d7207b47b374705b10590ca602853d3b968b80d3548
2024-09-14 16:25:04,926 - botocore.hooks - DEBUG - Event request-created.sts.AssumeRole: calling handler <function add_retry_headers at 0x106ee7c10>
2024-09-14 16:25:04,926 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://sts.ap-east-1.amazonaws.com/, headers={'Content-Type': b'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': b'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14', 'X-Amz-Date': b'20240914T072504Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=AKIA3FKRNI2D6RB3F6XS/20240914/ap-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=34e7bfb70313f427655f6d7207b47b374705b10590ca602853d3b968b80d3548', 'amz-sdk-invocation-id': b'72ec493e-907e-45e9-a42e-7887d743bffc', 'amz-sdk-request': b'attempt=1', 'Content-Length': '153'}>
2024-09-14 16:25:04,927 - botocore.httpsession - DEBUG - Certificate path: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/certifi/cacert.pem
2024-09-14 16:25:05,205 - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': 'ea0a9c7b-c85e-44f3-a254-3dd579f90040', 'Content-Type': 'text/xml', 'Content-Length': '1518', 'Date': 'Sat, 14 Sep 2024 07:25:04 GMT'}
2024-09-14 16:25:05,206 - botocore.parsers - DEBUG - Response body:
b'<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">\n  <AssumeRoleResult>\n    <AssumedRoleUser>\n      <AssumedRoleId>AROA3FKXXXXXXMEKZTPL3:botocore-session-1726298704</AssumedRoleId>\n      <Arn>arn:aws:sts::000000000000:assumed-role/readonly/botocore-session-1726298704</Arn>\n    </AssumedRoleUser>\n    <Credentials>\n      <AccessKeyId>ASIA3FKRNIXXXXXXXX</AccessKeyId>\n      <SecretAccessKey>oqW6fwavukRKJJgnaFt/yrEJeVv</SecretAccessKey>\n      <SessionToken>IQoJb3JpZ2luX2VjEKf//////////wEaCWFwLWVhc3QtMSJGMEQCIEebnyFAF+rhnhYhJA+zox9t9tr3m+XitmMi8lToND3yAiBPJBK4jfqcbS+CZO/UCYQ4WoFqSC62tyIsQxGGB2Ii4yqxAgjR//////////8BEAIaDDc2NzM1OTI3MjU4MyIM1SNJqPUUfuO4JWqgKoUC9whdgxah0nBe23ViIiU0QcOklvfNkNhZ10GCU23vz06iIhkgOQlBLvoIKtxVcypyOCUyHAPJQ5nIyM2E8pmuDhANzHfTS6h9/ybNlCGuS8++ozvtRyJqAaxQisL7qSUA7ncpBcbt734akF8t5IE00Ur8RhVjJCbr2Twyf3E40EFLNu/Mu3urOkH0Jmf4YpDncI89ktV1S/gEenZHN4tD52Ok4MCoxT1Z7nzXx42fo2OY6U3rp2AQej2xT0/oDOfkjxA14EgU6PJMNH0lLcGOp4ByHUed2iv5BODRzL7YJ+P/FzJ0GtvgDCX8/s4/Cdzxphk2NK2JChTEy4niH4mpQM6uaWS+6pJcLEklrgvT7gT4w8v3shIIlW/BU8iPo9b9++p7peDxd4N0UrwbvhQz9YQIJyZhJa6kpWSIIqQunjfCqrv24WssGxzNuM/O0koOO/uOVOFqScqQwGv/aSzVL2mSJFwwthPdQ5mSL2XT+U=</SessionToken>\n      <Expiration>2024-09-14T08:25:05Z</Expiration>\n    </Credentials>\n  </AssumeRoleResult>\n  <ResponseMetadata>\n    <RequestId>ea0a9c7b-c85e-44f3-a254-3dd579f90040</RequestId>\n  </ResponseMetadata>\n</AssumeRoleResponse>\n'
2024-09-14 16:25:05,207 - botocore.hooks - DEBUG - Event needs-retry.sts.AssumeRole: calling handler <botocore.retryhandler.RetryHandler object at 0x107a417c0>
2024-09-14 16:25:05,207 - botocore.retryhandler - DEBUG - No retry needed.
2024-09-14 16:25:05,208 - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2024-09-14 08:25:05+00:00
2024-09-14 16:25:05,209 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2024-09-14 16:25:05,209 - botocore.auth - DEBUG - CanonicalRequest:
GET
/
encryption=
host:sample-bucket.s3.ap-east-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20240914T072505Z
x-amz-security-token:IQoJb3JpZ2luX2VjEKf//////////wEaCWFwLWVhc3QtMSJGMEQCIEebnyFAF+rhnhYhJA+zox9t9tr3m+XitmMi8lToND3yAiBPJBK4jfqcbS+CZO/UCYQ4WoFqSC62tyIsQxGGB2Ii4yqxAgjR//////////8BEAIaDDc2NzM1OTI3MjU4MyIM1SNJqPUUfuO4JWqgKoUC9whdgxah0nBe23ViIiU0QcOklvfNk9awh9b6qst5H7M0JB1MR5FALcyxNKisKQ9PPdi8snSBJoUKBUqdG0MeKlz9rsaqCqiMgDlBBFAlNOF2vZNhZ10GCU23vz06iIhkgOQlBLvoIKtxVcypyOCUyHAPJQ5nIyM2E8pmuDhANzHfTS6h9/ybNlCGuS8++ozvtRyJqAaxQisL7qSUA7ncpBcbt734akF8t5IE00Ur8RhVjJCbr2Twyf3E40EFLNu/Mu3urOkH0Jmf4YpDncI89ktV1S/gcGOp4ByHUed2iv5BODRzL7YJ+P/FzJ0GtvgDCX8/s4/Cdzxphk2NK2JChTEy4niH4mpQM6uaWS+6pJcLEklrgvT7gT4w8v3shIIlW/BU8iPo9b9++p7peDxd4N0UrwbvhQz9YQIJyZhJa6kpWSIIqQunjfCqrv24WssGxzNuM/O0koOO/uOVOFqScqQwGv/aSzVL2mSJFwwthPdQ5mSL2XT+U=

host;x-amz-content-sha256;x-amz-date;x-amz-security-token
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-09-14 16:25:05,209 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240914T072505Z
20240914/ap-east-1/s3/aws4_request
917637b60a64e9b238ebb635775a657c273328dbdce78ba9fa9513777b5e5072
2024-09-14 16:25:05,209 - botocore.auth - DEBUG - Signature:
38ff91e238973757e20d92125028f807a6fd6fa049e62bd73e3b3ff9123f0197
2024-09-14 16:25:05,209 - botocore.hooks - DEBUG - Event request-created.s3.GetBucketEncryption: calling handler <function add_retry_headers at 0x106ee7c10>
2024-09-14 16:25:05,209 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=GET, url=https://sample-bucket.s3.ap-east-1.amazonaws.com/?encryption, headers={'User-Agent': b'Boto3/1.35.14 md/Botocore#1.35.14 ua/2.0 os/macos#23.5.0 md/arch#x86_64 lang/python#3.9.6 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.35.14', 'X-Amz-Date': b'20240914T072505Z', 'X-Amz-Security-Token': b'IQoJb3JpZ2luX2VjEKf//////////wEaCWFwLWVhc3QtMSJGMEQCIEebnyFAF+rhnhYhJA+zox9t9tr3m+XitmMi8lToND3yAiBPJBK4jfqcbS+CZO/UCYQ4WoFqSC62tyIsQxGGB2Ii4yqxAgjR//////////8BEAIaDDc2NzM1OTI3MjU4MyIM1SNJqPUUfuO4JWqgKoUC9whdgxah0nBe23ViIiU0QcOklvfNk9awh9b6qst5H7M0JB1MR5FALcyxNKisKQ9PPdi8snSBJoUKBUqdG0MeKlz9rsaqCqiMgDlBBFAlNOF2vZNhZ10GCU23vz06iIhkgOQlBLvoIKtxVcypyOCUyHAPJQ5nIyM2E8pmuDhANzHfTS6h9/ybNlCGuS8++ozvtRyJqAaxQisL7qSUA7ncpBcbt734akF8t5IE00Ur8RhVjJCbr2Twyf3E40EFLNu/Mu3urOkH0Jmf4YpDncI89ktV1S/gEeGOp4ByHUed2iv5BODRzL7YJ+P/FzJ0GtvgDCX8/s4/Cdzxphk2NK2JChTEy4niH4mpQM6uaWS+6pJcLEklrgvT7gT4w8v3shIIlW/BU8iPo9b9++p7peDxd4N0UrwbvhQz9YQIJyZhJa6kpWSIIqQunjfCqrv24WssGxzNuM/O0koOO/uOVOFqScqQwGv/aSzVL2mSJFwwthPdQ5mSL2XT+U=', 'X-Amz-Content-SHA256': b'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'Authorization': b'AWS4-HMAC-SHA256 Credential=ASIA3FKRNI2DU662BO4B/20240914/ap-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=38ff91e238973757e20d92125028f807a6fd6fa049e62bd73e3b3ff9123f0197', 'amz-sdk-invocation-id': b'7f8fd059-5e0f-4fb9-8e3d-9534828f914f', 'amz-sdk-request': b'attempt=1'}>
2024-09-14 16:25:05,210 - botocore.httpsession - DEBUG - Certificate path: /Users/user1/.local/share/virtualenvs/src-mIRAKl2p/lib/python3.9/site-packages/certifi/cacert.pem
2024-09-14 16:25:05,517 - botocore.parsers - DEBUG - Response headers: {'x-amz-id-2': '3kGhKxOGyb1a2mF7bS9NcbwSQzLk4PrZSEIhpDjn1QYXvWHc0qnSCuRgtMojf6EicM/GKfEu3iY=', 'x-amz-request-id': 'PZXCZGMDCVABFWXB', 'Date': 'Sat, 14 Sep 2024 07:25:06 GMT', 'Transfer-Encoding': 'chunked', 'Server': 'AmazonS3'}
2024-09-14 16:25:05,517 - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Rule><BucketKeyEnabled>true</BucketKeyEnabled><ApplyServerSideEncryptionByDefault><SSEAlgorithm>AES256</SSEAlgorithm></ApplyServerSideEncryptionByDefault></Rule></ServerSideEncryptionConfiguration>'
2024-09-14 16:25:05,521 - botocore.hooks - DEBUG - Event needs-retry.s3.GetBucketEncryption: calling handler <botocore.retryhandler.RetryHandler object at 0x107a39400>
2024-09-14 16:25:05,521 - botocore.retryhandler - DEBUG - No retry needed.
2024-09-14 16:25:05,521 - botocore.hooks - DEBUG - Event needs-retry.s3.GetBucketEncryption: calling handler <bound method S3RegionRedirectorv2.redirect_from_error of <botocore.utils.S3RegionRedirectorv2 object at 0x107a394c0>>
{'ResponseMetadata': {'RequestId': 'PZXCZGMDCVABFWXB', 'HostId': '3kGhKxOGyb1a2mF7bS9NcbwSQzLk4PrZSEIhpDjn1QYXvWHc0qnSCuRgtMojf6EicM/GKfEu3iY=', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-id-2': '3kGhKxOGyb1a2mF7bS9NcbwSQzLk4PrZSEIhpDjn1QYXvWHc0qnSCuRgtMojf6EicM/GKfEu3iY=', 'x-amz-request-id': 'PZXCZGMDCVABFWXB', 'date': 'Sat, 14 Sep 2024 07:25:06 GMT', 'transfer-encoding': 'chunked', 'server': 'AmazonS3'}, 'RetryAttempts': 0}, 'ServerSideEncryptionConfiguration': {'Rules': [{'ApplyServerSideEncryptionByDefault': {'SSEAlgorithm': 'AES256'}, 'BucketKeyEnabled': True}]}}

@github-actions github-actions bot removed the response-requested Waiting on additional information or feedback. label Sep 15, 2024
@adev-code
Copy link

Hi @odgrso, thanks for the logs. Could you try using a new IAM role? Make sure it has the S3 action "s3:GetEncryptionConfiguration" ( https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html ) added in your policy.

Thank you.

@adev-code adev-code added the response-requested Waiting on additional information or feedback. label Sep 16, 2024
@odgrso
Copy link
Author

odgrso commented Sep 16, 2024

As you can see from the fact that the following code works fine, the switch role already has the s3:GetEncryptionConfiguration (ReadOnlyAccess).
In case you are wondering, I tried to run the code with s3:GetEncryptionConfiguration again, but it did not change.

import boto3

session = boto3.Session(profile_name="test")
s3_client = session.client("s3", region_name="ap-east-1")
response = s3_client.get_bucket_encryption(Bucket="<bucket_name>")
print(response)

@github-actions github-actions bot removed the response-requested Waiting on additional information or feedback. label Sep 17, 2024
@adev-code adev-code added investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-review labels Sep 19, 2024
@adev-code
Copy link

Hi @odgrso, thanks for the update. After testing and getting the same issue, it worked when the config file has been set to "sts_regional_endpoints = regional". The default value of “sts_regional_endpoints” is “legacy” and it is recommended to use regional [1] [2].
Please let me know if you have any further questions. Thank you.

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
[2] https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

@adev-code adev-code added response-requested Waiting on additional information or feedback. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-review labels Sep 24, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 5, 2024

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 5, 2024
@github-actions github-actions bot closed this as completed Oct 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adev-code adev-code

Labels
bug This issue is a confirmed bug. closed-for-staleness p3 This is a minor priority issue response-requested Waiting on additional information or feedback. s3
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@odgrso @adev-code