0
votes

I got a problem using IAM roles.

I launched instances using a CloudFormation template where I specified my role and policies to access an S3 bucket and other Amazon resources. After launching, the script successfully fetches the required resources from S3.

However, I've launched my downloaded scripts that use boto3 as the SDK and I got an error: Boto failed to load credentials (as I understand it, it can load credentials either from AWS credentials files or from an IAM role).

Then I ran aws s3 ls to check the problem and also got the same problem. I also tested my role using policysim (S3 ListAllMyBuckets, S3 ListAllMyBuckets) and figured out that everything is okay.

Amazon S3 | ListBucket | not required | * | allowed | 1 matching statements
Amazon S3 | ListAllMyBuckets | not required | * | allowed | 1 matching statements

It should be noted that I've played around with CloudFormation the whole day and launched pretty many instances (but shut them down). Could it be a limitation issue?

Any solutions?

1
Do you have environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set? Check my answer in: stackoverflow.com/questions/41621353/… - helloV

1 Answer

2
votes

To confirm that the Role is correctly providing credentials to the Amazon EC2 instance, run this command on the instance:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

It should show the name of the role assigned to the instance.

Then try this, inserting the role name:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE-NAME>/

You should be presented with temporary credentials similar to this:

{
  "Code" : "Success",
  "LastUpdated" : "2017-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2017-04-27T22:39:16Z"
}

If so, then boto will be able to automatically access those credentials.

Whenever something strange happens with boto, it's always a good idea to make sure it is updated to the latest version. This updates boto, boto3 and the AWS Command-Line Interface (CLI):

sudo /usr/local/bin/pip install boto --upgrade
sudo /usr/local/bin/pip install boto3 --upgrade
sudo /usr/local/bin/pip install awscli --upgrade
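
Added example (not part of the original answer or comment): a small Python diagnostic that combines the comment's environment-variable check with the answer's metadata check, and reports the result without printing the secret key or token. It assumes the instance accepts IMDSv2 session tokens; the names `imds_fetch` and `diagnose` are hypothetical.

```python
import json
import os
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.request import Request, urlopen

IMDS = "http://169.254.169.254/latest"
CREDS = "/meta-data/iam/security-credentials/"

def imds_fetch(path, timeout=2):
    """GET a metadata path using an IMDSv2 session token."""
    put = Request(IMDS + "/api/token", method="PUT",
                  headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urlopen(put, timeout=timeout).read().decode()
    get = Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    return urlopen(get, timeout=timeout).read().decode()

def diagnose(fetch=imds_fetch, env=None, now=None):
    """Return findings explaining why role credentials may not load."""
    env = os.environ if env is None else env
    now = now or datetime.now(timezone.utc)
    out = []
    # boto3 and the CLI try environment variables before the instance role.
    for var in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"):
        if env.get(var):
            out.append(f"WARN: {var} is set and takes precedence over the role")
    try:
        roles = fetch(CREDS).split()
        if not roles:
            return out + ["FAIL: no role attached to this instance"]
        doc = json.loads(fetch(CREDS + roles[0]))
    except HTTPError as exc:
        # A 404 on this path means no instance profile is attached.
        return out + [f"FAIL: metadata returned HTTP {exc.code} (no role attached?)"]
    except (OSError, ValueError) as exc:
        return out + [f"FAIL: metadata service unusable: {exc}"]
    if doc.get("Code") != "Success":
        return out + [f"FAIL: role {roles[0]} returned Code={doc.get('Code')}"]
    expiry = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if expiry.replace(tzinfo=timezone.utc) <= now:
        return out + [f"FAIL: credentials for {roles[0]} expired {doc['Expiration']}"]
    # Report only the key id suffix; never print the secret or the token.
    return out + [f"OK: role {roles[0]}, key id ...{doc['AccessKeyId'][-4:]}, "
                  f"valid until {doc['Expiration']}"]

if __name__ == "__main__":
    print("\n".join(diagnose()))
```

A `WARN` line followed by an `OK` line means the role is healthy but stale environment credentials are shadowing it.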