Anonymous requests and their credentials #1395

Closed
immerrr opened this issue Feb 26, 2018 · 7 comments
Labels
closed-for-staleness documentation This is a problem with documentation. feature-request This issue requests a feature. p3 This is a minor priority issue response-requested Waiting on additional info and feedback.

immerrr commented Feb 26, 2018

I've recently come across a situation where I was unable to work with a publicly writable SQS queue with boto3; it would be great for this to be possible without mocking the RequestSigner (which I did to make it work for now).

DISCLAIMER: there's #206 about more or less the same topic, feel free to close this issue and reopen that one.

Here's a code snippet that I'd expect to work without supplying any credentials:

>>> import botocore
>>> botocore.__version__
'1.8.50'
>>> import boto3
>>> queue_url = 'https://sqs.eu-west-1.amazonaws.com/{}/{}'.format(acc_id, pub_queue_name)
>>> sqsclient = boto3.client('sqs')
>>> sqsclient.send_message?
>>> sqsclient.send_message(QueueUrl=queue_url, MessageBody=b'Hello World')

And it fails with

/home/immerrr/.conda/envs/test/lib/python2.7/site-packages/botocore/signers.pyc in handler(self, operation_name, request, **kwargs)
     88         # this method is invoked to sign the request.
     89         # Don't call this method directly.
---> 90         return self.sign(operation_name, request)
     91 
     92     def sign(self, operation_name, request, region_name=None,

/home/immerrr/.conda/envs/test/lib/python2.7/site-packages/botocore/signers.pyc in sign(self, operation_name, request, region_name, signing_type, expires_in, signing_name)
    154                     raise e
    155 
--> 156             auth.add_auth(request)
    157 
    158     def _choose_signer(self, operation_name, signing_type, context):

/home/immerrr/.conda/envs/test/lib/python2.7/site-packages/botocore/auth.pyc in add_auth(self, request)
    350     def add_auth(self, request):
    351         if self.credentials is None:
--> 352             raise NoCredentialsError
    353         datetime_now = datetime.datetime.utcnow()
    354         request.context['timestamp'] = datetime_now.strftime(SIGV4_TIMESTAMP)

NoCredentialsError: Unable to locate credentials

Also, there's a question of how does one override the credentials to become None if there's a ~/.aws/credentials file with a default entry? Right now, I'm identifying "anonymous" clients by setting access_key_id/secret_access_key to empty strings, but is this the intended way to do it?

immerrr commented Feb 26, 2018

Here's the workaround that I use to create "anonymous" clients for now:

client = boto3.client('sqs', aws_access_key_id='', aws_secret_access_key='')
client._request_signer.sign = (lambda *args, **kwargs: None)

@stealthycoin
Contributor

Marking this as a feature request.

@stealthycoin stealthycoin added the feature-request This issue requests a feature. label Feb 28, 2018
jimethn commented Aug 3, 2019

The suggested workaround doesn't work for CFN. Maybe CFN is different from SQS?

>>> cfn = boto3.client('cloudformation', aws_access_key_id='', aws_secret_access_key='', region_name=region)
>>> cfn.signal_resource(StackName='a-stack', LogicalResourceId='TheInstance', UniqueId=instance_id, Status='SUCCESS')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the SignalResource operation: The security token included in the request is invalid.

If I try just blanking out the credentials (above) it says the token is invalid. So then I try overwriting the internal function as suggested...

>>> cfn._request_signer.sign = (lambda *args, **kwargs: None)
>>> cfn.signal_resource(StackName='a-stack', LogicalResourceId='TheInstance', UniqueId=instance_id, Status='SUCCESS')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.6/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (MissingAuthenticationToken) when calling the SignalResource operation: Request is missing Authentication Token

Now it just says I have no token.

I tried it with SQS and got the prescribed result: Before overwriting sign I got InvalidClientTokenId, and then after overwriting I got AccessDenied. Either CFN is different or I'm confused.

@bram2000

The workaround doesn't seem to work for me. I'm trying to download files from s3 anonymously (the s3 bucket is public and I want anyone to be able to run my app without messing around with AWS creds).

My example:

        self.s3 = boto3.client("s3", aws_access_key_id="", aws_secret_access_key="")
        self.s3._request_signer.sign = lambda *args, **kwargs: None
        self.s3.download_file("some-public-bucket", key, str(path))

Result:

botocore.exceptions.ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

Any idea how I can download via boto3 from s3 anonymously?

@joguSD
Contributor

joguSD commented Aug 19, 2021

It's been possible to configure a client for anonymous (unsigned) requests for quite some time:

from botocore import UNSIGNED
from botocore.config import Config
from botocore.session import Session


session = Session()
config = Config(signature_version=UNSIGNED)
sts = session.create_client('sts', config=config)

How a service reacts to/supports unsigned requests is going to be on a service-by-service basis.

@joguSD joguSD added documentation This is a problem with documentation. and removed feature-request This issue requests a feature. labels Aug 19, 2021
@RyanFitzSimmonsAK RyanFitzSimmonsAK added feature-request This issue requests a feature. p3 This is a minor priority issue and removed feature-request This issue requests a feature. labels Nov 9, 2022
@RyanFitzSimmonsAK
Contributor

Per the most recent comment here, this is possible to configure via botocore, but the behavior can vary by service. For feature requests related to specific services such as SQS, we recommend reaching out through AWS Support for more direct escalation and tracking. We can also forward feature requests internally if you'd prefer, but please let us know if that's how you'd like to proceed.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added feature-request This issue requests a feature. response-requested Waiting on additional info and feedback. labels Nov 9, 2022
@github-actions

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.
