AWS Lambda boto3 Version - User.Tags missing

January 21, 2019

Wasted a day chasing down this issue, turns out to be a simple cause. Writing it up here to hopefully save others a few hours…

So you want to retrieve an IAM user’s tags inside a Lambda function. Perhaps in a Lambda triggered from a CodeCommit push, that posts a notification to Slack or Microsoft Teams - and the Tag has the user’s full name and email address you want to use in the notification.

So you set up a new AWS IAM user with tags:

Then a Python 3 Lambda using boto3 to retrieve the tags:

import boto3

def lambda_handler(event, context):
    iam = boto3.client('iam')
    userName = 'jsmith'

    try:
        response = iam.get_user(UserName=userName)
        user = response['User']
        email = None
        # 'Tags' is only present if the SDK's service model knows about it
        if 'Tags' in user:
            for tag in user['Tags']:
                if tag['Key'] == 'Email':
                    email = tag['Value']
            if email is None:
                print('get_user.Tags missing Email tag')
            else:
                print('Found user email tag ' + email)
        else:
            print('get_user response missing Tags')

    except Exception as e:
        print('ERROR get_user {}'.format(userName))
        print(e)
        # re-raise with the original traceback so the invocation is marked failed
        raise

Run and you get: get_user response missing Tags

Hmm…

Take the Lambda, turn it into a command-line Python script by removing the lambda_handler function wrapper, and run it locally. You get Found user email tag jsmith@example.com.

So it works locally but does not work inside Lambda.

Surely retrieving Tags on a User has been around forever. So I thrash around for a few hours, thinking I am not calling the method correctly, passing the wrong inputs, not handling the output correctly… nothing works. Then I figure I will just double-check the version of boto3 running everywhere.

  • boto3 documentation website shows the latest version is 1.9.82
  • local command line pip3 show boto3 shows 1.9.75
  • Adding this statement to our Lambda function print('boto3 version: ' + boto3.__version__) and running shows 1.9.42

Was get_user returning User.Tags introduced after 1.9.42? You can look at the documentation for older versions by changing latest in the URL to the version you want, so let’s look at the documentation for 1.9.42 at https://boto3.amazonaws.com/v1/documentation/api/1.9.42/

Boom! User.Tags is not shown in the response. Version 1.9.42 running in Lambda was released November 9, 2018 and does not return User.Tags.
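The handler above reports the same "missing Tags" message whether the user has no tags or the bundled SDK is too old to return them. The following is an added example (not code from the original post) that separates the two cases; the `event["UserName"]` input and the use of 1.9.75 as a known-good floor (the version the post saw working locally) are assumptions.

```python
import re

# Assumption: 1.9.75 is the version the post saw returning User.Tags locally;
# it is a known-good floor, not necessarily the first release with support.
KNOWN_GOOD_BOTO3 = "1.9.75"


def version_tuple(version):
    """Turn '1.9.42' into (1, 9, 42) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def sdk_is_known_good(runtime_version, floor=KNOWN_GOOD_BOTO3):
    """True when the runtime SDK is at or above the known-good floor."""
    return version_tuple(runtime_version) >= version_tuple(floor)


def find_tag(user, key):
    """Return the value of tag `key` from a get_user 'User' dict, or None."""
    for tag in user.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def diagnose(user, runtime_version, key="Email"):
    """Explain why a tag lookup failed instead of reporting only 'missing'."""
    value = find_tag(user, key)
    if value is not None:
        return "found", value
    if "Tags" not in user and not sdk_is_known_good(runtime_version):
        return "sdk_too_old", None
    return "tag_missing", None


def lambda_handler(event, context):
    import boto3  # imported here so the helpers above run without the SDK

    # event["UserName"] is a hypothetical input field for this example
    user = boto3.client("iam").get_user(UserName=event["UserName"])["User"]
    status, value = diagnose(user, boto3.__version__)
    print("boto3 {}: {} {}".format(boto3.__version__, status, value))
    if status == "sdk_too_old":
        raise RuntimeError("bundled boto3 predates User.Tags; package a newer one")
    return {"status": status, "value": value}
```

Comparing parsed tuples rather than raw strings matters once a component reaches three digits: as strings, "1.9.100" sorts below "1.9.75".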

Presumably AWS will upgrade the Lambda version shortly. Thankfully, I can wait. This blog post has some helpful info if you can’t wait and want to run Lambda with your own version of boto3 (or if you use JavaScript Lambda see this post).