I have been trying for quite some time to figure out what goes wrong when I make an API call to my AWS account using the boto3 library inside a Docker container. The error I see is:
docker run --rm -ti -v ${HOME}/.aws/credentials:/root/.aws/credentials:ro boto3_test
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 428, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 472, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/local/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/local/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/local/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/botocore/httpsession.py", line 314, in send
urllib_response = conn.urlopen(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 507, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/local/lib/python3.8/site-packages/urllib3/packages/six.py", line 734, in reraise
raise value.with_traceback(tb)
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 428, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/local/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 472, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/local/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/local/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/local/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/src/main.py", line 51, in <module>
print(dynamodb_ss.get_all_records())
File "/src/main.py", line 25, in get_all_records
response = self.table.scan()
File "/usr/local/lib/python3.8/site-packages/boto3/resources/factory.py", line 520, in do_action
response = action(self, *args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/boto3/resources/action.py", line 83, in __call__
response = getattr(parent.meta.client, operation_name)(*args, **params)
File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 662, in _make_api_call
http, parsed_response = self._make_request(
File "/usr/local/lib/python3.8/site-packages/botocore/client.py", line 682, in _make_request
return self._endpoint.make_request(operation_model, request_dict)
File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 102, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 136, in _send_request
while self._needs_retry(attempts, operation_model, request_dict,
File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 253, in _needs_retry
responses = self._event_emitter.emit(
File "/usr/local/lib/python3.8/site-packages/botocore/hooks.py", line 356, in emit
return self._emitter.emit(aliased_event_name, **kwargs)
File "/usr/local/lib/python3.8/site-packages/botocore/hooks.py", line 228, in emit
return self._emit(event_name, kwargs)
File "/usr/local/lib/python3.8/site-packages/botocore/hooks.py", line 211, in _emit
response = handler(**kwargs)
File "/usr/local/lib/python3.8/site-packages/botocore/retryhandler.py", line 183, in __call__
if self._checker(attempts, response, caught_exception):
File "/usr/local/lib/python3.8/site-packages/botocore/retryhandler.py", line 250, in __call__
should_retry = self._should_retry(attempt_number, response,
File "/usr/local/lib/python3.8/site-packages/botocore/retryhandler.py", line 277, in _should_retry
return self._checker(attempt_number, response, caught_exception)
File "/usr/local/lib/python3.8/site-packages/botocore/retryhandler.py", line 316, in __call__
checker_response = checker(attempt_number, response,
File "/usr/local/lib/python3.8/site-packages/botocore/retryhandler.py", line 222, in __call__
return self._check_caught_exception(
File "/usr/local/lib/python3.8/site-packages/botocore/retryhandler.py", line 359, in _check_caught_exception
raise caught_exception
File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 200, in _do_get_response
http_response = self._send(request)
File "/usr/local/lib/python3.8/site-packages/botocore/endpoint.py", line 269, in _send
return self.http_session.send(request)
File "/usr/local/lib/python3.8/site-packages/botocore/httpsession.py", line 341, in send
raise SSLError(endpoint_url=request.url, error=e)
botocore.exceptions.SSLError: SSL validation failed for https://dynamodb.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)
My Dockerfile contains the following:
# Image for running /src/main.py on the slim variant of the official Python 3.8 image.
FROM python:3.8-slim
# Upgrade pip itself before installing the pinned dependencies.
RUN pip install --upgrade pip
COPY requirements.txt .
RUN pip install -r requirements.txt
# NOTE(review): no CA certificate is copied into the image. If TLS on the
# network path is re-signed by a private CA (the "self signed certificate in
# certificate chain" error suggests this; confirm), that CA file has to be
# added here and referenced through AWS_CA_BUNDLE rather than turning
# certificate verification off.
COPY /src/ /src/
RUN chmod +x /src/main.py
# No USER instruction is set, so the entrypoint runs as the image's default
# user; the docker run command shown mounts the credentials under /root.
ENTRYPOINT ["python", "/src/main.py"]
Here is my requirements.txt
file:
awscli==1.19.50
boto3==1.17.50
botocore==1.20.50
certifi==2020.12.5
cffi==1.14.5
colorama==0.4.3
cryptography==3.4.7
docutils==0.15.2
jmespath==0.10.0
pyasn1==0.4.8
pycparser==2.20
pyOpenSSL==20.0.1
python-dateutil==2.8.1
PyYAML==5.4.1
rsa==4.7.2
s3transfer==0.3.6
six==1.15.0
urllib3==1.26.4
Essentially I'm just trying to retrieve a list of records in DynamoDB. This script works fine locally, but fails inside a Docker container.
Do I have to configure SSL certs? Any help is greatly appreciated!
Thanks, Brian
EDIT: here is the Python code
import boto3
from botocore.exceptions import ClientError
def gen_session_obj(profile_name='dynamodb', region_name='us-west-2'):
    """Build a boto3 session for a named profile and region.

    Args:
        profile_name: Profile to pass to ``boto3.Session``.
        region_name: AWS region to pass to ``boto3.Session``.

    Returns:
        The ``boto3.Session`` created from those two settings.
    """
    session_settings = {
        'profile_name': profile_name,
        'region_name': region_name,
    }
    return boto3.Session(**session_settings)
def gen_client(session, service):
    """Return ``session.resource(service)``.

    Despite the name, the returned object is a resource rather than a
    low-level client.

    Args:
        session: Object exposing a ``resource(service)`` method.
        service: Service name handed to ``session.resource``.
    """
    # No ``verify`` override is passed, so the library's default TLS
    # certificate verification stays in effect.
    return session.resource(service)
class DynamoDbStateStore:
    """Read access to one DynamoDB table obtained from a resource object."""

    def __init__(self, dynamo_db_resource, table):
        """Keep the resource and bind ``self.table`` to ``table``.

        Args:
            dynamo_db_resource: Object exposing ``Table(name)``.
            table: Name of the table to bind to.
        """
        self.dynamodb_session = dynamo_db_resource
        self.table = dynamo_db_resource.Table(table)

    def get_all_records(self, project_expression=''):
        """Scan the whole table, following pagination, and return the items.

        Args:
            project_expression: Optional value sent as ``ProjectionExpression``
                on every scan call; omitted from the call when empty.

        Returns:
            The ``Items`` of the first page, extended in place with the
            ``Items`` of every following page.

        Raises:
            ClientError: Re-raised after its error message is printed.
                Other exceptions (for example the ``SSLError`` in the
                traceback above) are not caught here and propagate as-is.
        """
        # Arguments common to every page request.
        scan_args = {}
        if project_expression:
            scan_args['ProjectionExpression'] = project_expression

        try:
            page = self.table.scan(**scan_args)
            data = page.get('Items')
            # A page carrying LastEvaluatedKey means more items remain.
            while 'LastEvaluatedKey' in page:
                page = self.table.scan(
                    ExclusiveStartKey=page['LastEvaluatedKey'],
                    **scan_args
                )
                data.extend(page['Items'])
        except ClientError as e:
            print(e.response['Error']['Message'])
            raise
        return data
if __name__ == '__main__':
    # Script entry point: default-profile session -> DynamoDB resource ->
    # state store for the audit-log table, then dump every record.
    dynamodb_ss = DynamoDbStateStore(
        gen_client(gen_session_obj(), 'dynamodb'),
        'user_mgr_audit_log',
    )
    print(dynamodb_ss.get_all_records())
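Try disabling the SSL layer, but only as a short-lived diagnostic: with certificate verification off the AWS endpoint is no longer authenticated, so requests made with the mounted credentials can be read or altered by whatever sits in the network path. "self signed certificate in certificate chain" usually means a TLS-inspecting proxy or private CA is re-signing the traffic; the lasting fix is to add that CA certificate to the image and point botocore at it, e.g. with the AWS_CA_BUNDLE environment variable or the `verify=` argument of `session.resource(...)`. Before your code add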