AWS CodeDeploy Agent Credential should be scoped to a valid region

1

I registered the instance in the "us-east-1" region to the us-gov-west-1 region and installed codedeploy-agent on the instance. The configured region is us-gov-west-1.

ERROR [codedeploy-agent( 17479)]:InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService:Aws::CodeDeployCommand::Errors::InvalidSignatureException - Credential should be scoped to a valid region.

Register command:

aws deploy register-on-premises-instance --instance-name CodeDeployTest --iam-user-arn arn:aws-us-gov:iam:::user/ --region us-gov-west-1

aws deploy add-tags-to-on-premises-instances --instance-names CodeDeployTest --tags Key=Name,Value=CodeDeployTest --region us-gov-west-1

codedeploy-agent configuration file: /etc/codedeploy-agent/conf/codedeploy.onpremises.yml

aws_access_key_id:
aws_secret_access_key:
iam_user_arn: arn:aws-us-gov:iam:::user/
region: us-gov-west-1

aws configure list

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     *****************k shared-credentials-file
secret_key     *****************v shared-credentials-file
    region            us-gov-west-1      config-file    ~/.aws/config

DD-Boom
Asked 9 months ago, 365 views
1 Answer
0
Accepted Answer

Hi there!

The part of the error message you shared that I would like to highlight is "Credential should be scoped to a valid region". In our documentation here [1], you will see this error is generally mentioned when the credential scope's region does not match the region of the request.

Looking at the additional details provided, I can see the correct region has been defined in the ".aws" "config" file; however, please also ensure the correct region has been defined in the "codedeploy.onpremises.yml" as mentioned here [2].

If I understand your context correctly, you created/used an instance present in the "us-east-1" region and scoped it to the "us-gov-west-1" region. Referencing here [3], you will see that credentials cannot be shared between partitions like GovCloud and the standard AWS regions. That means if you were perhaps using standard IAM region credentials, the request would fail. To confirm what principal/user you are performing API calls with, you can make use of the "aws sts get-caller-identity" AWS CLI command.

For further investigation I would recommend reaching out directly to AWS Support.

AWS
Luke_R
Answered 9 months ago
Expert
Reviewed 7 months ago
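
A check for the partition mismatch the answer describes, as an added example that is not part of the original question or answer: it compares the partition implied by the `region` in codedeploy.onpremises.yml with the partition in `iam_user_arn` and in the `Arn` field returned by `aws sts get-caller-identity`. The sample config, account ID and ARNs are constructed, the function names are hypothetical, and only the three public partitions are mapped.

```python
def partition_for_region(region):
    # Region-prefix mapping for the public partitions only (assumption:
    # isolated partitions are out of scope for this check).
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"

def arn_partition(arn):
    # ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[1]

def parse_onprem_config(text):
    # The file is flat "key: value" YAML; split on the first colon only,
    # because ARN values contain colons themselves.
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_partitions(config_text, caller_arn):
    """Return a list of partition mismatches (an empty list means consistent)."""
    cfg = parse_onprem_config(config_text)
    expected = partition_for_region(cfg["region"])
    problems = []
    for label, arn in (("iam_user_arn", cfg["iam_user_arn"]),
                       ("caller identity", caller_arn)):
        found = arn_partition(arn)
        if found != expected:
            problems.append("%s is in partition %s, but region %s needs %s"
                            % (label, found, cfg["region"], expected))
    return problems

# Constructed sample values, not taken from the question.
SAMPLE_CONFIG = """\
aws_access_key_id: EXAMPLEKEYID
aws_secret_access_key: example-secret-placeholder
iam_user_arn: arn:aws-us-gov:iam::111122223333:user/CodeDeployTest
region: us-gov-west-1
"""
COMMERCIAL_CALLER = "arn:aws:iam::111122223333:user/CodeDeployTest"
GOV_CALLER = "arn:aws-us-gov:iam::111122223333:user/CodeDeployTest"

if __name__ == "__main__":
    for problem in check_partitions(SAMPLE_CONFIG, COMMERCIAL_CALLER):
        print(problem)
```

Pass the `Arn` value from `aws sts get-caller-identity`, run with the same access key the agent uses, as `caller_arn`.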
