The attached additional IAM role conflicts with the specified IAM credentials and AWS region


I have an EC2 instance in us-east-1 (US East, N. Virginia). The EC2 instance has an IAM role attached (us-east-1 region) that has permission to run CodeDeploy. Now I need to run the CloudWatch Logs agent and the CodeDeploy agent. The CloudWatch Logs agent uploads logs to CloudWatch in us-gov-west-1. This requires configuring AWS CLI credentials: I modify the "/root/.aws/credentials" file to specify the IAM credentials and AWS region (us-gov-west-1), but the CodeDeploy agent needs the "/root/.aws/credentials" file to be deleted in order to connect to the console's CodeDeploy for deployment. How can I resolve this conflict?

After configuring other credentials in /root/.aws/credentials, the codedeploy agent reported an error:

ERROR [codedeploy-agent(2433386)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::UnrecognizedClientException - The security token included in the request is invalid.

Without adding the CloudWatch-related credentials to /root/.aws/credentials, logs cannot be uploaded to CloudWatch in us-gov-west.

1 Answer

There are two approaches you can use here:

  1. Role Chaining.

Here you allow one role to assume another role.

One role attached to EC2 that has CloudWatch permissions. Another role with CodeDeploy permissions. Then you allow the CloudWatch role to assume the CodeDeploy role so that you can inherit the credentials within the EC2 instance and achieve your objective.

You can read more about role chaining here: [+] Roles terms and concepts

  2. You can use one role for the EC2 instance and use environment variables within the instance to set the credentials for CodeDeploy. To learn more about setting environment variables, check the below article:

[+] Environment variables to configure the AWS CLI

That being said, to further look into this issue more closely, if you would like to do a resource based troubleshooting, please raise a support case with AWS for further information. If a support case has already been created please be assured that we will get back to you and assist you in the best way possible.

answered 5 months ago
  • EC2 instances can only be attached to one role. I have opened the permissions of CodeDeploy and CloudWatch for this role, but I still cannot configure the credentials and modify the "/root/.aws/credentials" file. After modifying the "/root/.aws/credentials" file, the CodeDeploy agent will report an error.
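The answer's second approach, as an added example that is not part of this thread: a POSIX shell helper that scopes the CloudWatch agent's static credentials to its own systemd unit through a drop-in file, and refuses to proceed if a shared /root/.aws/credentials file exists, so the codedeploy-agent process keeps resolving the instance-profile role. The secrets file path, the unit name amazon-cloudwatch-agent.service and all key values are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not from the re:Post thread). Gives only the CloudWatch agent
# static credentials via per-service environment variables, leaving the
# default credential chain (instance profile) intact for codedeploy-agent.
# Assumptions: secrets live in a root-only KEY=VALUE file (placeholder path
# /etc/cloudwatch-agent.secrets) and the agent runs as the systemd unit
# amazon-cloudwatch-agent.service.

# Fail if a shared credentials file exists at $1: it would shadow the
# instance role for every process on the host, including codedeploy-agent.
shared_creds_absent() {
    [ ! -e "$1" ]
}

# Refuse a secrets file readable by anyone but its owner (expects mode 600).
secrets_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Render a systemd drop-in that exports only the AWS_* variables the agent
# needs plus the target region; any other key in the file is ignored so the
# unit never inherits unrelated variables. Writes the drop-in to stdout.
render_dropin() {
    secrets="$1"; region="$2"
    printf '[Service]\n'
    grep -E '^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)=[^ ]+$' "$secrets" \
        | sed 's/^/Environment=/'
    printf 'Environment=AWS_REGION=%s\n' "$region"
}

# Usage (as root, paths are placeholders):
#   shared_creds_absent /root/.aws/credentials || exit 1
#   secrets_file_is_private /etc/cloudwatch-agent.secrets || exit 1
#   mkdir -p /etc/systemd/system/amazon-cloudwatch-agent.service.d
#   render_dropin /etc/cloudwatch-agent.secrets us-gov-west-1 \
#       > /etc/systemd/system/amazon-cloudwatch-agent.service.d/10-creds.conf
#   systemctl daemon-reload && systemctl restart amazon-cloudwatch-agent
```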
