Invalid Header Value Error when creating boto3 sts client

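I am using an internal IDP to authenticate and then using the SAML assertion to assume a role for use with the boto3 sts client. The interaction with the IDP works fine and I am able to generate the SAML assertion after successful authentication, but when I try to create the sts client with "client = boto3.client('sts')", botocore throws an Invalid header value error.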

The error is coming from our egress proxy server.

File "/usr/local/lib/python3.8/dist-packages/aws_authentication/credentials.py", line 219, in decode_saml_assertion
    client = boto3.client('sts')
  File "/usr/local/lib/python3.8/dist-packages/boto3/__init__.py", line 93, in client
    return _get_default_session().client(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/boto3/session.py", line 258, in client
    return self._session.create_client(
  File "/usr/local/lib/python3.8/dist-packages/botocore/session.py", line 826, in create_client
    credentials = self.get_credentials()
  File "/usr/local/lib/python3.8/dist-packages/botocore/session.py", line 430, in get_credentials
    self._credentials = self._components.get_component(
  File "/usr/local/lib/python3.8/dist-packages/botocore/credentials.py", line 1975, in load_credentials
    creds = provider.load()
  File "/usr/local/lib/python3.8/dist-packages/botocore/credentials.py", line 1028, in load
    metadata = fetcher.retrieve_iam_role_credentials()
  File "/usr/local/lib/python3.8/dist-packages/botocore/utils.py", line 486, in retrieve_iam_role_credentials
    role_name = self._get_iam_role(token)
  File "/usr/local/lib/python3.8/dist-packages/botocore/utils.py", line 518, in _get_iam_role
    return self._get_request(
  File "/usr/local/lib/python3.8/dist-packages/botocore/utils.py", line 427, in _get_request
    response = self._session.send(request.prepare())
  File "/usr/local/lib/python3.8/dist-packages/botocore/httpsession.py", line 356, in send
    raise HTTPClientError(error=e)

botocore.exceptions.HTTPClientError: An HTTP Client raised an unhandled exception: Invalid header value b'---- proxy error response ----'

This issue occurs because the _fetch_metadata_token function in the botocore package connects to the URL http://169.254.169.254/latest/api/token to fetch the metadata token.

To connect to 169.254.169.254 successfully, I added it to no_proxy so that the egress proxy_server would not block the connection.

no_proxy=localhost,169.254.169.254

After adding the metadata endpoint 169.254.169.254 to no_proxy, I was able to connect to sts and generate the client.
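
A way to check, before creating the client, whether the metadata token URL would be routed through the egress proxy. This is an added example, not code from the original post or from botocore. It uses the Python standard library's environment-variable proxy rules and assumes the HTTP client follows the same `*_proxy` / `no_proxy` variables; the proxy address and the helper names are constructed for illustration.

```python
import urllib.request
from urllib.parse import urlsplit

IMDS_TOKEN_URL = "http://169.254.169.254/latest/api/token"  # URL from the post

# Constructed sample environment: an egress proxy with the metadata IP not exempted.
SAMPLE_ENV = {
    "http_proxy": "http://proxy.example.internal:3128",
    "https_proxy": "http://proxy.example.internal:3128",
    "no_proxy": "localhost",
}


def env_proxies(environ):
    """Map scheme -> proxy from *_proxy variables, as urllib's getproxies_environment() does."""
    return {k.lower()[:-6]: v for k, v in environ.items()
            if k.lower().endswith("_proxy") and v}


def proxy_for(url, environ):
    """Return the proxy this URL would be sent through, or None if it goes direct."""
    proxies = env_proxies(environ)
    parts = urlsplit(url)
    # proxy_bypass_environment() applies the no_proxy list (exact host or suffix match).
    if urllib.request.proxy_bypass_environment(parts.netloc, proxies):
        return None
    return proxies.get(parts.scheme)


def with_no_proxy(environ, host):
    """Return a copy of environ with host appended to lowercase no_proxy if missing."""
    env = dict(environ)
    entries = [e.strip() for e in env.get("no_proxy", "").split(",") if e.strip()]
    if host not in entries:
        entries.append(host)
    env["no_proxy"] = ",".join(entries)
    return env


if __name__ == "__main__":
    fixed = with_no_proxy(SAMPLE_ENV, "169.254.169.254")
    for label, env in (("before", SAMPLE_ENV), ("after", fixed)):
        print(label, "IMDS via:", proxy_for(IMDS_TOKEN_URL, env) or "direct")
    print("STS via:", proxy_for("https://sts.amazonaws.com/", fixed))
```

With the exemption in place only the link-local metadata request goes direct; the STS endpoint itself still leaves through the proxy.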