Including AWS_SESSION_TOKEN in statistical batch request payload for S3 access with MFA

I am using AWS MFA and when MFA is not enabled, I cannot access S3. I am getting the following error:

{'error': {'status': 400, 'reason': 'Bad Request', 'message': 's3://xxxx/xxxx.gpkg does not exist or is not accessible.', 'code': 'COMMON_BAD_PAYLOAD'}}

I’m trying to use temporary security credentials obtained through AWS’s get-session-token, and including AWS_SESSION_TOKEN in the request payload like this:

import os


def prepare_batch_sta_request_payload(
    evalscript: str,
    input_s3_path: str,
    output_s3_path: str,
    timerange_from: str,
    timerange_to: str,
):
    access_key = os.environ["AWS_ACCESS_KEY_ID"]
    secret_access_key = os.environ["AWS_SECRET_ACCESS_KEY"]
    session_token = os.environ["AWS_SESSION_TOKEN"]
    request_payload = {
        "input": {
            "features": {
                "s3": {
                    "url": input_s3_path,
                    "accessKey": access_key,
                    "secretAccessKey": secret_access_key,
                    "sessionToken": session_token,
                }
            },
            "data": [
                {
                    "type": "sentinel-2-l2a",
                    "dataFilter": {
                        "timeRange": {
                            "from": timerange_from,
                            "to": timerange_to,
                        },
                        "mosaickingOrder": "leastCC",
                        "maxCloudCoverage": 100,
                    },
                }
            ],
        },
        "aggregation": {
            "timeRange": {"from": timerange_from, "to": timerange_to},
            "aggregationInterval": {"of": "P1D"},
            "evalscript": evalscript,
            "resx": 10,
            "resy": 10,
        },
        "output": {
            "s3": {
                "url": output_s3_path,
                "accessKey": access_key,
                "secretAccessKey": secret_access_key,
                "sessionToken": session_token,
            }
        },
    }
    return request_payload

Is it possible to execute the above by including AWS_SESSION_TOKEN in the request payload using the temporary authentication information obtained by get-session-token?

Hi @Sagri ,

Unfortunately, we do not support parsing the session token to the API as the session lifetime may not be sufficient for the request to complete.

We would recommend using “Assume IAM role”, which is also the recommended workflow by AWS. Please check the “Access your bucket using assume IAM role” section for more information.

1 Like
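
A sketch of the role-based setup the answer recommends, added here as an example; it is not code from the thread or from the service's documentation. The `iamRoleARN` field name, the provider principal placeholder, and the minimum action set (the service may also need, for example, `s3:ListBucket`) are assumptions to check against the "assume IAM role" documentation.

```python
import re
from urllib.parse import urlparse

# Placeholder: use the principal published in the provider's documentation.
SERVICE_PRINCIPAL = "arn:aws:iam::<PROVIDER_ACCOUNT_ID>:root"
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")
SECRET_KEYS = {"accessKey", "secretAccessKey", "sessionToken"}  # keys used in the post

def split_s3_url(url):
    """Return (bucket, key) for an s3:// URL; reject anything else."""
    parsed = urlparse(url)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an s3:// URL: {url!r}")
    return parsed.netloc, parsed.path.lstrip("/")

def trust_policy(principal=SERVICE_PRINCIPAL):
    """Trust policy: only the named principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole"}]}

def permissions_policy(input_url, output_url):
    """Assumed minimum: read the input object, write under the output prefix."""
    in_bucket, in_key = split_s3_url(input_url)
    out_bucket, out_prefix = split_s3_url(output_url)
    if not in_key:
        raise ValueError("input URL must name an object, not a bucket")
    out_path = f"{out_prefix.rstrip('/')}/*" if out_prefix.strip("/") else "*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{in_bucket}/{in_key}"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{out_bucket}/{out_path}"}]}

def s3_block(url, role_arn):
    """S3 section of the payload carrying a role ARN instead of keys."""
    split_s3_url(url)
    if not ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return {"url": url, "iamRoleARN": role_arn}  # field name is an assumption

def find_static_secrets(node, path="$"):
    """List JSON paths in a payload that still embed access keys or tokens."""
    hits = []
    items = node.items() if isinstance(node, dict) else (
        enumerate(node) if isinstance(node, list) else [])
    for key, value in items:
        child = f"{path}.{key}" if isinstance(node, dict) else f"{path}[{key}]"
        hits += [child] if key in SECRET_KEYS else find_static_secrets(value, child)
    return hits
```

Running `find_static_secrets` over a payload before it is sent or logged confirms that no key or token travels in the request body once the `s3` sections are built with `s3_block`.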

Hello, Chung, thank you for your response.
I’ll check it :slight_smile: