I tried to get AWS Identity and Access Management (IAM) credentials from the Amazon Elastic Compute Cloud (Amazon EC2) Instance Metadata Service (IMDS). However, I got an error and I want to troubleshoot this issue.
Short description
You might receive the error "Unable to get IAM security credentials from EC2 instance metadata service" if one of these situations occurs:
- The metadata isn't accessible from the Amazon EC2 instance.
- The instance profile role isn't attached to the Amazon EC2 instance.
Resolution
Follow these steps to check the instance profile association and metadata availability.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.
Check the instance profile association
-
Run the AWS CLI command describe-iam-instance-profile-associations:
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-012345678910abcde
-
If the state of the association isn't "associated", then disassociate it with this command:
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-1234567890
-
Attach the instance profile with this command:
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=EXAMPLEPROFILENAME --instance-id i-012345678910abcde
For more information, see How do I attach or replace an instance profile on an Amazon EC2 instance?
Check metadata availability
-
(IMDSv1 only) To check metadata availability for IMDSv1 instances, run this Windows PowerShell command:
Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/iam/security-credentials/
-
(IMDSv2 only) To check metadata availability for IMDSv2 instances, run this Windows PowerShell command:
[string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/token
Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/
-
If the metadata isn't accessible, run the route print command from PowerShell or CMD. Review the output to confirm if there is a route similar to this:
Network Address Netmask Gateway Address
169.254.169.254 255.255.255.255 <Subnet Router Address>
-
If the routes aren't present, then add routes for the instance from PowerShell or CMD:
route -p ADD 169.254.169.249 MASK 255.255.255.255 [Gateway IP] Metric 25
route -p ADD 169.254.169.250 MASK 255.255.255.255 [Gateway IP] Metric 25
route -p ADD 169.254.169.251 MASK 255.255.255.255 [Gateway IP] Metric 25
route -p ADD 169.254.169.253 MASK 255.255.255.255 [Gateway IP] Metric 25
route -p ADD 169.254.169.254 MASK 255.255.255.255 [Gateway IP] Metric 25
route -p ADD 169.254.169.123 MASK 255.255.255.255 [Gateway IP] Metric 25
-
Check if a proxy server is configured from PowerShell or CMD:
Netsh winhttp show proxy
[System.Net.WebRequest]::DefaultWebProxy
-
If a proxy server is configured, then bypass the metadata IP address to allow access from PowerShell or CMD:
setx NO_PROXY 169.254.169.254
Related information
Why does my Amazon EC2 Windows instance generate a "Waiting for the metadata service" error?
Retrieve instance metadata
Instance metadata and user data