sts get-caller-identity doesn't work on Cloud9 instance deployed in Private Subnet


Hi all, on a Cloud9 instance that is deployed in a private subnet w/ a NAT gateway with SSM access, AWS CLI works except aws sts get-caller-identity. How is this even possible? I was checking AWS CLI connectivity using get-caller-identity, but now it fails while other AWS CLI APIs work.

admin:~/environment $ aws s3 ls s3://aws-cloudtrail-logs-*****
                           PRE AWSLogs/
admin:~/environment $ aws sts get-caller-identity

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

How to reproduce:

  • Create a private subnet in the default VPC
  • Create a NAT gateway in a public subnet in the default VPC
  • Create a route table that allows egress connections to the internet
  • Assign the route table to the private subnet that was just created
  • Navigate to the Cloud9 console, create a Cloud9 instance in the private subnet with SSM access (not direct access or SSH access)
  • On the Cloud9 console, try the AWS CLI with various commands.
2 Answers
Accepted Answer

Hi! This is actually documented [1] expected behavior.

**Important** Currently, if your environment's EC2 instance is launched into a private subnet, you can't use AWS managed temporary credentials to allow the EC2 environment to access an AWS service on behalf of an AWS entity (an IAM user, for example).

As Cloud9 uses EC2 under the hood you can disable temporary credentials and instead attach an instance profile / role [2]. This will allow you to perform the required actions.

[1] https://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html

[2] https://docs.aws.amazon.com/cloud9/latest/user-guide/credentials.html#credentials-temporary

AWS
answered 2 years ago
  • Are we sure that the documentation is up-to-date? Because when I navigate to see the deployed CFN template, here is the part of it:

    {
      "Resources": {
        "Instance": {
          "Type": "AWS::EC2::Instance",
          "Properties": {
            "ImageId": "ami-09b4c0e8425734645",
            "InstanceType": "t2.micro",
            "IamInstanceProfile": "AWSCloud9SSMInstanceProfile",
            "UserData": "....."
          }
        }
      }
    }


    So it attaches an instance profile.

    you can't use AWS managed temporary credentials to allow the EC2

    Then how can I run aws s3 ... APIs successfully? In this case, shouldn't I expect all AWS APIs not to work in a private subnet?

  • This applies to certain calls such as STS. You are correct that the instance has a role already attached when you launch with the "Private subnet with SSM access (not direct access or SSH access)" option. However, unless you disable temporary credentials in the IDE, Cloud9 will still try to use them and not the role.

    Click on the 9 in the top left > Preferences > AWS Settings > Disable "AWS managed temporary credentials"

    That will force Cloud9 to use the role, and aws sts get-caller-identity will now work; however, the default role won't have access to other AWS resources defined, so aws s3 ls for example will not work. You will either need to define your own role or attach an appropriate policy.
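As an added example (not code from the thread, and not an AWS tool), here is a POSIX shell helper that reports which credential source the AWS CLI will pick up first, following a simplified version of its provider precedence: environment variables, then the shared credentials file, then the EC2 instance profile. The function names and the file-path handling are assumptions; the point it illustrates is that while Cloud9's managed temporary credentials sit in ~/.aws/credentials, the CLI never reaches the instance role, which is why disabling them in Preferences changes what STS sees.

```shell
# Added diagnostic helper (not code from the thread). It mimics, in simplified form,
# the AWS CLI's credential precedence: environment variables, then the shared
# credentials file, then the EC2 instance profile. On Cloud9 the IDE's managed
# temporary credentials are written to ~/.aws/credentials, so a hit in step 2 means
# the CLI (and therefore STS) sees those tokens instead of the instance role.
# Usage: cred_source [credentials-file]   -> prints env | file | instance-profile

# Return 0 when profile $2 in credentials file $1 carries an aws_access_key_id.
profile_has_key() {
  awk -v p="[$2]" '
    $0 == p                               { in_p = 1; next }
    /^\[/                                 { in_p = 0 }
    in_p && /^aws_access_key_id[ \t]*=/   { found = 1 }
    END                                   { exit !found }' "$1"
}

cred_source() {
  # Same lookup order the CLI uses for the file itself: explicit argument,
  # then AWS_SHARED_CREDENTIALS_FILE, then the default path.
  creds_file="${1:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}"
  profile="${AWS_PROFILE:-default}"

  # 1. Static keys in the environment take precedence over everything below.
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo env
    return 0
  fi

  # 2. A populated profile in the shared credentials file comes next. This is the
  #    Cloud9 managed-temporary-credentials case discussed in the thread.
  if [ -r "$creds_file" ] && profile_has_key "$creds_file" "$profile"; then
    echo file
    return 0
  fi

  # 3. Nothing else configured: the CLI falls through to the instance profile (IMDS),
  #    which is what "Disable AWS managed temporary credentials" makes happen.
  echo instance-profile
}
```

Run `cred_source` on the Cloud9 instance before and after toggling the preference; `file` means the managed temporary credentials are still in play.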

AWS
EXPERT
kentrad
answered 2 years ago
  • Good point, I'm in eu-west-1, so no issue with the activation.
