Powershell script works on one AWS EC2 instance, but not another. Both use same IAM role

Question

I have a simple Powershell script to upload a file to S3. I have 2 EC2 instances that use the same IAM profile. The instances and S3 bucket all live in the same AWS account.

I RDP into one instance, open Powershell prompt as admin, and the script works. RDP to the other instance, open Powershell prompt as admin, and the script fails with: Write-S3Object : Access Denied

To check networking/routing, both instances can open a browser and surf the web. I assume the credentials used to run are assumed from the role assigned to the instances?

If it matters, this is the ps1 script (access point obfuscated):

$ArtifactFile = "c:\temp\junk1.txt" 
$S3BucketAP = "arn:aws:s3:us-east-1:1234567890:accesspoint/my-s3-ap" 
$Key = "Junk/junk1.txt" 
Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile

And here is the error message:

Write-S3Object : Access Denied
At C:\temp\test1.ps1:4 char:1

Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile

  + CategoryInfo          : NotSpecified: (:) [Write-S3Object], AmazonS3Exception
  + FullyQualifiedErrorId : 
Amazon.S3.AmazonS3Exception,Amazon.PowerShell.Cmdlets.S3.WriteS3ObjectCmdlet

Where else can I look to debug?

Answer 1

On reddit someone suggested I look at environment vars, which got me thinking to check for any profiles. When I dumped the credentials it showed "NetSDKCredentialsFile"

Get-AWSCredential -ListProfileDetail

ProfileName StoreTypeName         ProfileLocation
----------- -------------         ---------------
For_Move    NetSDKCredentialsFile
default     NetSDKCredentialsFile

I found the file here and deleted it: %userprofile%\AppData\Local\AWSToolkit\RegisteredAccounts.json

Everything works as expected now. Must have got installed by accident.