How do I troubleshoot issues when I try to get IAM credentials from an EC2 Instance Metadata Service?

I tried to get AWS Identity and Access Management (IAM) credentials from the Amazon Elastic Compute Cloud (Amazon EC2) Instance Metadata Service (IMDS). However, I got an error and I want to troubleshoot this issue.

Short description

You might receive the error "Unable to get IAM security credentials from EC2 instance metadata service" if one of these situations occurs:

  • The metadata isn't accessible from the Amazon EC2 instance.
  • The instance profile role isn't attached to the Amazon EC2 instance.

Resolution

Follow these steps to check the instance profile association and metadata availability.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Check the instance profile association

  1. Run the AWS CLI command describe-iam-instance-profile-associations:

    aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-012345678910abcde
  2. If the State of the association isn't "associated" (for example, it is stuck in "associating" or "disassociating"), then disassociate it with this command, using the AssociationId from the previous output:

    aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-1234567890
  3. Attach the instance profile with this command (an instance can have only one instance profile at a time, which is why the stale association is removed first):

    aws ec2 associate-iam-instance-profile --iam-instance-profile Name=EXAMPLEPROFILENAME --instance-id i-012345678910abcde

For more information, see How do I attach or replace an instance profile on an Amazon EC2 instance?
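The three steps above as one script, added here as an example and not taken from the AWS article: it reads the association as JSON instead of by eye, and only disassociates and re-attaches when the state is wrong. It assumes AWS CLI v2 is on PATH in PowerShell with credentials that allow ec2:DescribeIamInstanceProfileAssociations, ec2:DisassociateIamInstanceProfile, ec2:AssociateIamInstanceProfile and iam:PassRole on the profile's role; the instance ID and profile name are the article's placeholders.

```powershell
# Added example, not from the AWS article: check the instance profile association
# with the AWS CLI from PowerShell and repair it when it is not "associated".
# Assumptions: AWS CLI v2 on PATH; caller may describe/disassociate/associate
# instance profiles and pass the profile's role. Placeholders below are
# the article's example IDs; replace them with your own.
$InstanceId  = 'i-012345678910abcde'
$ProfileName = 'EXAMPLEPROFILENAME'
$ErrorActionPreference = 'Stop'

# Read the association as JSON and parse it rather than reading the table by eye.
$assoc = aws ec2 describe-iam-instance-profile-associations `
    --filters "Name=instance-id,Values=$InstanceId" --output json | ConvertFrom-Json

if (-not $assoc.IamInstanceProfileAssociations) {
    Write-Host "No instance profile is associated with $InstanceId; attaching $ProfileName"
    aws ec2 associate-iam-instance-profile `
        --iam-instance-profile "Name=$ProfileName" --instance-id $InstanceId
} else {
    foreach ($a in $assoc.IamInstanceProfileAssociations) {
        Write-Host ("{0}  State={1}  Profile={2}" -f $a.AssociationId, $a.State, $a.IamInstanceProfile.Arn)
        if ($a.State -eq 'associated') { continue }
        # An instance holds at most one instance profile, so remove the stale
        # association before attaching the profile again.
        aws ec2 disassociate-iam-instance-profile --association-id $a.AssociationId
        aws ec2 associate-iam-instance-profile `
            --iam-instance-profile "Name=$ProfileName" --instance-id $InstanceId
    }
}
```

After a profile is attached, give IMDS a short time before re-running the metadata check in the next section; the credentials do not appear at the same instant the association call returns.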

Check metadata availability

  1. (IMDSv1 only) To check metadata availability for IMDSv1 instances, run this Windows PowerShell command. If the instance's metadata options require IMDSv2 (HttpTokens set to required), this request returns HTTP 401 Unauthorized; that isn't a connectivity problem, so use the IMDSv2 commands in the next step instead:

    Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/
  2. (IMDSv2 only) To check metadata availability for IMDSv2 instances, run these Windows PowerShell commands. The first requests a session token (21600 seconds is the maximum TTL), the second presents it. A successful response lists the role name of the attached instance profile; append that name to the URL to retrieve the credential document itself. If you run this from inside a container that has its own network namespace (for example, Docker bridge networking), the PUT request also fails when the instance's response hop limit is 1, which is the default:

    [string]$token = Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token-ttl-seconds" = "21600"} -Method PUT -Uri http://169.254.169.254/latest/api/token
    
    Invoke-RestMethod -Headers @{"X-aws-ec2-metadata-token" = $token} -Method GET -Uri http://169.254.169.254/latest/meta-data/iam/security-credentials/
  3. If the metadata isn't accessible, run the route print command from PowerShell or CMD. Confirm that the output contains a host route for 169.254.169.254 that points at the subnet router, similar to this:

    Network Address        Netmask             Gateway Address
    169.254.169.254        255.255.255.255     <Subnet Router Address>
  4. If the route isn't present, then add the link-local routes for the instance from PowerShell or CMD, replacing [Gateway IP] with the subnet router address (the first host address of the instance's subnet; for a 10.0.0.0/24 subnet that is 10.0.0.1). Only 169.254.169.254 is needed for IMDS; the other addresses are the Windows KMS activation servers (.249, .250, .251), the Amazon DNS server (.253) and the Amazon Time Sync Service (.123), which the AWS launch agents normally add alongside it:

    route -p ADD 169.254.169.249 MASK 255.255.255.255 [Gateway IP] Metric 25
    route -p ADD 169.254.169.250 MASK 255.255.255.255 [Gateway IP] Metric 25
    route -p ADD 169.254.169.251 MASK 255.255.255.255 [Gateway IP] Metric 25
    route -p ADD 169.254.169.253 MASK 255.255.255.255 [Gateway IP] Metric 25
    route -p ADD 169.254.169.254 MASK 255.255.255.255 [Gateway IP] Metric 25
    route -p ADD 169.254.169.123 MASK 255.255.255.255 [Gateway IP] Metric 25
  5. Check whether a proxy server is configured. The first command works from PowerShell or CMD and shows the WinHTTP proxy; the second is PowerShell only and shows the .NET default proxy that Invoke-RestMethod uses:

    Netsh winhttp show proxy
    [System.Net.WebRequest]::DefaultWebProxy
  6. If a proxy server is configured, exclude the metadata IP address from it so that requests go directly to IMDS. The AWS CLI and SDKs honor the NO_PROXY environment variable. setx writes the variable persistently for new sessions only, so open a new PowerShell window (or set $env:NO_PROXY in the current one) before retrying the check:

    setx NO_PROXY 169.254.169.254
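The metadata checks above, combined into one diagnostic script. This is an added example, not code from the AWS article: it tries IMDSv2 first, falls back to IMDSv1, tells the 401 (IMDSv2 required) and 404 (no profile attached) cases apart from a real connectivity failure, verifies the credential document, and only when IMDS is unreachable inspects the host route and proxy settings. It assumes it runs in PowerShell on the Windows instance itself, on Windows Server 2012 or later (for Get-NetRoute); the addresses and headers are the documented IMDS ones and nothing else is assumed.

```powershell
# Added example, not from the AWS article: walk the metadata checks in one pass
# and report which one fails. Run in PowerShell on the Windows instance.
# Assumes Windows Server 2012 or later (Get-NetRoute is from the NetTCPIP module).
$ErrorActionPreference = 'Stop'
$imds = 'http://169.254.169.254'

# 1. Ask for an IMDSv2 token. IMDS answers in milliseconds, so a 5 s timeout
#    that expires points at a missing route or a proxy, not a slow service.
#    A short TTL (60 s) is enough for a one-off check.
$hdr = @{}
try {
    $token = Invoke-RestMethod -Method PUT -Uri "$imds/latest/api/token" -TimeoutSec 5 `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
    $hdr = @{ 'X-aws-ec2-metadata-token' = $token }
    Write-Host 'IMDSv2 token obtained'
} catch {
    # Also happens from a container with its own network namespace when the
    # instance response hop limit is 1 (the default).
    Write-Host "IMDSv2 token request failed: $($_.Exception.Message); trying IMDSv1"
}

# 2. List the role names. The HTTP status code tells the failure modes apart.
$roles = $null
try {
    $roles = Invoke-RestMethod -Method GET -Headers $hdr -TimeoutSec 5 `
        -Uri "$imds/latest/meta-data/iam/security-credentials/"
} catch {
    $status = $_.Exception.Response.StatusCode.value__
    switch ($status) {
        401     { Write-Host 'HTTP 401: the instance requires IMDSv2 and no token was sent' }
        404     { Write-Host 'HTTP 404: no instance profile is attached to this instance' }
        default { Write-Host "Metadata not reachable ($status): $($_.Exception.Message)" }
    }
}

if ($roles) {
    # 3. Fetch the credential document for the role and confirm it is usable.
    #    Print only Code and Expiration; the other fields are live credentials.
    $role = ([string]$roles -split "`n")[0].Trim()
    $cred = Invoke-RestMethod -Method GET -Headers $hdr -TimeoutSec 5 `
        -Uri "$imds/latest/meta-data/iam/security-credentials/$role"
    if ($cred -is [string]) { $cred = $cred | ConvertFrom-Json }
    Write-Host "role=$role Code=$($cred.Code) Expiration=$($cred.Expiration)"
    return
}

# 4. Metadata was not reachable: check the host route and the proxy settings.
$route = Get-NetRoute -DestinationPrefix '169.254.169.254/32' -ErrorAction SilentlyContinue
if ($route) {
    Write-Host "host route present: next hop $($route.NextHop), interface $($route.InterfaceIndex)"
} else {
    Write-Host 'no host route for 169.254.169.254; add it with route -p ADD as in step 4'
}

Write-Host ('WinHTTP proxy: ' + ((netsh winhttp show proxy) -join ' ').Trim())
# GetProxy returns the destination itself when no proxy applies to it.
$proxy = [System.Net.WebRequest]::DefaultWebProxy.GetProxy("$imds/latest/meta-data/")
if ($proxy.Host -ne '169.254.169.254') {
    Write-Host "the .NET default proxy would send IMDS traffic via $proxy"
}
foreach ($name in 'HTTP_PROXY', 'HTTPS_PROXY', 'NO_PROXY') {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ($value) { Write-Host "$name=$value" }
}
if ($env:HTTP_PROXY -and ($env:NO_PROXY -notmatch '169\.254\.169\.254')) {
    Write-Host 'a proxy is configured and 169.254.169.254 is not in NO_PROXY; see step 6'
}
```

The script deliberately never prints AccessKeyId, SecretAccessKey or Token from the credential document; a troubleshooting transcript pasted into a ticket should not carry live role credentials, and Code and Expiration are enough to confirm that the role is usable.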

Related information

Why does my Amazon EC2 Windows instance generate a "Waiting for the metadata service" error?

Retrieve instance metadata

Instance metadata and user data

AWS OFFICIAL
Updated 8 months ago