I am creating an EC2 instance through a script like this:

  import { EC2 } from 'aws-sdk'; // AWS SDK for JavaScript v2

  // AWSImageIDs, SubnetIds, SecurityGroupIds, INSTANCE_PROFILE_ARN and userData
  // are defined elsewhere in the script.
  const instanceParams: EC2.Types.RunInstancesRequest = {
      ImageId: AWSImageIDs.AmazonLinux_arm64,
      InstanceType: 't4g.nano',
      MinCount: 1,
      MaxCount: 1,
      UserData: userData,
      SubnetId: SubnetIds.QA1,
      IamInstanceProfile: {Arn: INSTANCE_PROFILE_ARN}, // instance profile wrapping the role
      SecurityGroupIds: [SecurityGroupIds.QA_AllowTraffic],
    };
  const instance = await new EC2({apiVersion: '2016-11-15'})
    .runInstances(instanceParams)
    .promise();

It creates the instance just fine. When I go to EC2 through the AWS Console, I see the instance, and I see the role for the instance profile attached to the instance. The role has the S3FullAccessPolicy attached.

However when I run aws configure list it returns:

profile                <not set>             None    None

As expected, `aws s3` commands fail with "unable to locate credentials". I'm not sure why the instance doesn't believe the profile is attached, when the AWS Console does.

Nathanael
  • What is `aws-cli`? Do you mean `aws`? – John Rotenstein Nov 06 '22 at 20:43
  • Profiles are a function of having credentials stored locally via the `aws configure` command (which stores information in the `~/.aws/credentials` file). There is no concept of a 'profile' when using an IAM Role associated with an Amazon EC2 instance. So, don't worry about the 'profile' stuff, but `aws s3 ls` should be able to find credentials. – John Rotenstein Nov 06 '22 at 20:44
  • Instance credentials are not added to the profile / cli config. They are added as metadata which is part of the credential provider chain. See https://stackoverflow.com/a/44683913/2442804 - a `curl http://169.254.169.254/latest/meta-data/iam/security-credentials/nameOfTheAttachedRole` should show you some temporary credentials. The go-to command to run to determine if and which role is attached is `aws sts get-caller-identity`. – luk2302 Nov 06 '22 at 20:49
  • @JohnRotenstein yes sorry aws not aws-cli. aws s3 ls returns the same error: Unable to locate credentials. You can configure credentials by running "aws configure". – Nathanael Nov 06 '22 at 21:45
  • @luk2302 the meta-data shows the (correct) attached instance profile (under `iam/info`). I have no `meta-data/iam/security-credentials`. The command you mentioned gives the same "unable to locate credentials" error listed in the message above. – Nathanael Nov 06 '22 at 21:48
  • What is the Trust Policy in the IAM Role that you attached? – John Rotenstein Nov 06 '22 at 22:20
  • "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "sts:AssumeRole" @JohnRotenstein – Nathanael Nov 07 '22 at 01:53
  • Recommend that you build these things in the AWS console first, and then see what that resulted in (e.g. the trust policy). – jarmod Nov 07 '22 at 02:29

1 Answer

The Trust Policy is incorrect.

The policy needs to grant permission to the Amazon EC2 service to assume the role.

For example:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

This is saying that the EC2 service can call AssumeRole on this instance. The EC2 service does this to obtain credentials to pass to the instance via metadata.

Since your current Trust Policy only allows the Amazon S3 service to assume the role, the EC2 service cannot generate credentials.

Note that the actual IAM Role might be granting permission to access S3, but if the IAM Role is being assigned to an EC2 instance, the Trust Policy must allow the EC2 service to use it.

John Rotenstein
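As an added example, not code from the question or the answer above: a small TypeScript checker that answers the question the answer raises ("does this role's trust policy let the EC2 service assume it?") offline. It takes the role's AssumeRolePolicyDocument either as plain JSON, which is what `aws iam get-role --query Role.AssumeRolePolicyDocument` prints, or as the URL-encoded string that the SDK's `iam.getRole()` returns, and it also emits the corrected trust document. The function names, the constructed sample policies (the S3-only policy from the question and the EC2 fix from the answer) and the extra cases it handles (array-valued `Service`, `sts:*`, an explicit Deny, a Condition) are my own assumptions, not part of the original post.

```typescript
// Added example (not from the original question or answer): offline check of an
// IAM role trust policy for the grant an instance-profile role needs, namely
// Allow + Principal.Service ec2.amazonaws.com + Action sts:AssumeRole.

type PrincipalBlock = {
  Service?: string | string[];
  AWS?: string | string[];
  Federated?: string | string[];
};
type Principal = "*" | PrincipalBlock;

interface TrustStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action: string | string[];
  Condition?: Record<string, unknown>;
}

interface TrustPolicy {
  Version?: string;
  Statement: TrustStatement | TrustStatement[];
}

interface TrustCheck {
  trustsEc2: boolean;        // some Allow covers ec2.amazonaws.com and no Deny blocks it
  trustedServices: string[]; // every service principal granted sts:AssumeRole
  notes: string[];           // findings for the operator
}

const EC2_PRINCIPAL = "ec2.amazonaws.com";

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// iam.getRole() returns the document URL-encoded; the CLI decodes it for you.
function parseTrustPolicy(doc: string): TrustPolicy {
  const text = doc.trim().startsWith("{") ? doc : decodeURIComponent(doc);
  return JSON.parse(text) as TrustPolicy;
}

// True for "sts:AssumeRole", "sts:*" or "*".
function grantsAssumeRole(action: string): boolean {
  if (action === "*") return true;
  const [service, op = ""] = action.split(":");
  return service.toLowerCase() === "sts" && (op === "*" || op.toLowerCase() === "assumerole");
}

function servicePrincipals(p: Principal | undefined): string[] {
  if (p === undefined) return [];
  if (p === "*") return ["*"];
  return asArray(p.Service).map((s) => s.toLowerCase());
}

function checkEc2Trust(doc: string): TrustCheck {
  const trusted = new Set<string>();
  const notes: string[] = [];
  let allowed = false;
  let denied = false;

  for (const stmt of asArray(parseTrustPolicy(doc).Statement)) {
    if (!asArray(stmt.Action).some(grantsAssumeRole)) continue;
    const services = servicePrincipals(stmt.Principal);
    const coversEc2 = services.includes(EC2_PRINCIPAL) || services.includes("*");
    if (stmt.Effect === "Allow") {
      services.forEach((s) => trusted.add(s));
      if (coversEc2) {
        allowed = true;
        if (stmt.Condition) {
          notes.push(`Allow for EC2 carries a Condition; confirm it matches this instance: ${JSON.stringify(stmt.Condition)}`);
        }
      }
    } else if (stmt.Effect === "Deny" && coversEc2) {
      denied = true;
      notes.push("an explicit Deny blocks the EC2 service from assuming this role");
    }
  }
  if (!allowed) {
    const list = Array.from(trusted).join(", ") || "(none)";
    notes.push(`no Allow statement names ${EC2_PRINCIPAL}; trusted service principals: ${list}`);
  }
  return { trustsEc2: allowed && !denied, trustedServices: Array.from(trusted).sort(), notes };
}

// The trust document an instance-profile role needs (the grant from the answer above).
function ec2TrustPolicyDocument(): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: EC2_PRINCIPAL }, Action: "sts:AssumeRole" }],
  }, null, 2);
}

// Constructed input: the trust policy from the question, which trusts S3 only.
const brokenTrustPolicy = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "s3.amazonaws.com" }, Action: "sts:AssumeRole" }],
});

console.log(checkEc2Trust(brokenTrustPolicy));
console.log(checkEc2Trust(ec2TrustPolicyDocument()));
// The same document in the URL-encoded form iam.getRole() returns is accepted too.
console.log(checkEc2Trust(encodeURIComponent(ec2TrustPolicyDocument())).trustsEc2);
```

To apply the fix, write `ec2TrustPolicyDocument()` to a file and run `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json` (or call `iam.updateAssumeRolePolicy()` from the SDK); the role's permissions policies are untouched, since the trust policy only decides who may assume the role. Then, on the instance, `aws sts get-caller-identity` (the check luk2302 suggests in the comments) should return the role's ARN after a short wait, with no restart of the instance needed.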