5

I am very new to AWS. I created an IAM role which has full access to S3. I assigned this role to a Windows Server EC2 instance. I then installed the CLI on that instance. I then remoted into that instance using RDP, started a CMD window, and typed in

`aws s3 ls`

It complained that

Unable to locate credentials. You can configure credentials by running "aws configure".

Now that this EC2 has been assigned the role that has full access to S3, why can't I directly access S3?

  • 3
    You have done everything correctly, so the result is strange. Does the role name appear if you use a web browser on that EC2 instance to go to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`? If so, append the role name to that URL and confirm whether security credentials are shown (eg Access Key & Secret Key). – John Rotenstein Jun 04 '17 at 21:28
  • The request timed out every time –  Jun 06 '17 at 11:10
  • The metadata URL timed out? Do you get anything if you open `http://169.254.169.254/latest/meta-data/` in a browser on the EC2 instance? It's starting to sound like the IAM Role is *not* attached to the instance. – John Rotenstein Jun 06 '17 at 12:22
  • No I got nothing from the browser within the EC2 instance - it timed out. –  Jun 06 '17 at 12:25
  • I double checked the IAM role attached to the EC2: it has AmazonS3FullAccess and AdministratorAccess. –  Jun 06 '17 at 12:36
  • Something sounds very strange on your instance. That URL will work for any Amazon EC2 instance. Try booting up a new instance and you'll see that [instance metadata](http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-instance-metadata.html) will work. – John Rotenstein Jun 06 '17 at 12:36
  • Remember it is a Windows Server EC2. I have tried to launch multiple instances from the same AMI. None worked. Shall I create a brand-new instance? –  Jun 06 '17 at 12:38
  • Thank you John Rotenstein for your help. You pointed me in the right direction. I created a new instance from scratch, and everything worked. On the previous instance I had installed IIS and ASP.NET. Could that possibly be the reason? –  Jun 06 '17 at 13:20

3 Answers

3

To use AWS CLI with IAM Roles, you create a named profile. Instead of configuring this profile with credentials, you specify the ARN of the role and the name of the profile that has access to it.

Ashan
  • 1
    Thank you Ashan. I will have a look. However in a Linux EC2 what I did will work. Why doesn't it work in Windows Server EC2? –  Jun 04 '17 at 23:37
3

I stumbled across this post. The reason you get this message is what @John Rotenstein stated: the server can't reach the metadata.

Running `aws configure list` will show that you do not have any credentials, as the message states. This means that the server can't reach the following:

```
# 169.254.169.254 is for metadata service
# 169.254.169.250 is for KmsInstanceVpc1
# 169.254.169.251 is for KmsInstanceVpc2
```

To fix this, it is best to just remove the routes and add them again.

"169.254.169.254/32", "169.254.169.253/32", "169.254.169.251/32", "169.254.169.250/32", "169.254.169.249/32", "169.254.169.123/32"

Running `aws configure list` will show that the credentials have been added.

I find that the btuanexpress.net script to fix this issue within Windows helps.

Zach Olinske
  • This was the only thing that fixed my issue when running on Windows Server 2019. Was finally able to resolve http://169.254.169.254/latest/meta-data/ – Austin Salgat Dec 16 '20 at 21:23
  • Script was a lifesaver after not being able to reach Instance Meta Data – Turk21 May 18 '22 at 10:39
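
The checks suggested in the comments on the question and in the answer above (metadata root, then the role list, then that role's credentials), as an added example that is not part of the original posts. The function names `http_get` and `diagnose` are this example's own; it also requests an IMDSv2 session token first, and it reports only the role name and expiry, never the secret key.

```python
# Added example: classify why an instance cannot obtain its role credentials.
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"
# Ignore any system proxy so the probe tests the link-local route itself.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def http_get(path, timeout=3):
    """Return (status, body); raise OSError if the service is unreachable."""
    headers = {}
    try:  # IMDSv2 session token (needed when the instance requires tokens)
        req = urllib.request.Request(
            IMDS + "/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with _OPENER.open(req, timeout=timeout) as resp:
            headers["X-aws-ec2-metadata-token"] = resp.read().decode()
    except urllib.error.HTTPError:
        pass  # token endpoint refused; fall back to a plain request
    try:
        req = urllib.request.Request(IMDS + path, headers=headers)
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def diagnose(fetch=http_get):
    """Run the checks from the comments in order; never print the secret key."""
    try:
        status, _ = fetch("/latest/meta-data/")
        if status != 200:
            return "blocked", f"metadata service answered HTTP {status}"
        status, roles = fetch(CRED_PATH)
        if status != 200 or not roles.strip():
            return "no-role", "no IAM role is attached to this instance"
        role = roles.split()[0]
        status, body = fetch(CRED_PATH + role)
        creds = json.loads(body) if status == 200 else {}
        if creds.get("Code") != "Success":
            return "no-credentials", f"role {role} returned no usable credentials"
        return "ok", f"role {role}, credentials expire {creds.get('Expiration')}"
    except OSError as err:
        return "unreachable", f"no route to 169.254.169.254 or timed out ({err})"


if __name__ == "__main__":
    print(*diagnose(), sep=": ")
```

An `unreachable` result matches the timeouts described in the question's comments and points at the instance's routes; `no-role` means the metadata service works but no role is attached.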
2

Thank you John Rotenstein for your help. You pointed me in the right direction. I created a new instance from scratch, and everything worked. On the previous instance I had installed IIS and ASP.NET. Could that possibly be the reason?

  • You are certainly welcome to install IIS and ASP.NET -- that should not "break" the instance. It's hard to know what might have caused the problem -- but it's often easier to start with a fresh instance and load the software again. In fact, this is the best practice method, since it means you know how to rebuild the instance in future. – John Rotenstein Jun 06 '17 at 23:58
  • I am facing the same problem at present. Please tell me what you did to get rid of the problem. – shivams Apr 06 '18 at 09:45