Question - mocking dynamodb results in "The security token included in the request is invalid."

[kferenc3]

Hi!

I'm new to moto so apologies if this is trivial. I am trying to mock dynamodb, but running into authorization problems. I am fairly sure it is an environment issue, but can't figure out what exactly I am doing wrong.

Here is the relevant part of the test script:

import moto
import pytest
import boto3
import os
from streamlit_app.config_elements import ProjectConfig

@pytest.fixture(scope='module')
def aws_credentials():
    """Mocked AWS Credentials for moto."""
    os.environ["AWS_ACCESS_KEY_ID"] = "testing"
    os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
    os.environ["AWS_SECURITY_TOKEN"] = "testing"
    os.environ["AWS_SESSION_TOKEN"] = "testing"
    os.environ["AWS_DEFAULT_REGION"] = "eu-west-1"
    print("AWS credentials set")

@pytest.fixture(scope='class', autouse=True)
def mock_dynamodb(aws_credentials):
    with moto.mock_aws():
        session = boto3.Session(
            profile_name='moto',
            aws_access_key_id='testing',
            aws_secret_access_key='testing',
            aws_session_token='testing',
            region_name='eu-west-1'
        )
        db = session.resource('dynamodb', region_name='eu-west-1')
        table = db.create_table(
            TableName='Project',
            KeySchema=[
            {'AttributeName': 'project_folder', 'KeyType': 'HASH'},
            {'AttributeName': 'sort_key', 'KeyType': 'RANGE'}],
        AttributeDefinitions=[
            {'AttributeName': 'project_folder','AttributeType': 'S'},
            {'AttributeName': 'sort_key','AttributeType': 'S'}],
        ProvisionedThroughput={'ReadCapacityUnits': 1,'WriteCapacityUnits': 1})
        table.wait_until_exists()
    yield db.Table('Project')

The mock_dynamodb function was iterated quite a lot. I tried to use boto3.resource.Table, also tried to create a session, passing it the credentials directly and then create the table, but no luck.
The ProjectConfig class receives a boto3.resource('dynamodb').Table instance as an argument so I don't think this is an import issue. The config class doesn't set up any clients just uses whatever it receives. As you can see I am setting up the mock credentials, but regardless whenever I am running my tests I receive:
An error occurred (UnrecognizedClientException) when calling the Scan operation: The security token included in the request is invalid.

I should probably mention I use VsCode with an AWS plugin. I also set up a "moto" profile with with dummy credentials and tried to use that profile, but same result.
I am using python 3.12.1. The project dependencies from pyproject.toml are the following:

dependencies = [
    "streamlit (>=1.41.1,<2.0.0)",
    "dynamodb-json (>=1.4.2,<2.0.0)",
    "pytest (>=8.3.4,<9.0.0)",
    "pytest-cov (>=6.0.0,<7.0.0)",
    "boto3 (>=1.36.16,<2.0.0)",
    "moto[dynamodb,s3] (>=5.0.28,<6.0.0)"
]```

[bblommers]

Hi @kferenc3, I'm not able to reproduce this I'm afraid - but this is typically an import order issue. See the full documentation here: https://docs.getmoto.org/en/latest/docs/getting_started.html#what-about-those-pesky-imports

Two tips, to summarize the docs:

1. Try to move from moto import mock_aws to the top, to ensure it is imported before any boto3-clients are instantiated
2. Try to patch the client manually to apply the mock

[kferenc3]

I tried moving the imports and pathing the resource, but no luck. I get the exact same result. Unfortunately I won't be able to test this further for a while. Hopefully my colleagues will have better luck with this.

@pytest.fixture(scope='module')
def aws_credentials():
    """Mocked AWS Credentials for moto."""
    # session = boto3.session.Session(profile_name='default')
    # os.environ["AWS_PROFILE"] = "testing"
    os.environ["AWS_ACCESS_KEY_ID"] = "testing"
    os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
    os.environ["AWS_SECURITY_TOKEN"] = "testing"
    os.environ["AWS_SESSION_TOKEN"] = "testing"
    os.environ["AWS_DEFAULT_REGION"] = "eu-west-1"
    print("AWS credentials set")

@pytest.fixture(scope='class', autouse=True)
def mock_dynamodb(aws_credentials):
    with mock_aws(config={"core":{"mock_credentials":True}}):
        os.environ["AWS_ACCESS_KEY_ID"] = "testing"
        os.environ["AWS_SECRET_ACCESS_KEY"] = "testing"
        os.environ["AWS_SECURITY_TOKEN"] = "testing"
        os.environ["AWS_SESSION_TOKEN"] = "testing"
        os.environ["AWS_DEFAULT_REGION"] = "eu-west-1"
        
        db = boto3.resource('dynamodb', region_name='eu-west-1')
        table = db.create_table(
            TableName='Project',
            KeySchema=[
            {'AttributeName': 'project_folder', 'KeyType': 'HASH'},
            {'AttributeName': 'sort_key', 'KeyType': 'RANGE'}],
        AttributeDefinitions=[
            {'AttributeName': 'project_folder','AttributeType': 'S'},
            {'AttributeName': 'sort_key','AttributeType': 'S'}],
        ProvisionedThroughput={'ReadCapacityUnits': 1,'WriteCapacityUnits': 1})
        table.wait_until_exists()
    yield db.Table('Project')

class TestProjectConfig:
    
    @pytest.fixture(scope='class')    
    def project_config(self, mock_dynamodb):
        from moto.core import patch_client, patch_resource
        from cdfp_streamlit.config_elements import ProjectConfig
        db_table = mock_dynamodb
        patch_resource(db_table)
        return ProjectConfig('test_project_folder', db_table)._ProjectConfig__generate_response('project')