aws ec2 unable to locate credentials

0

I've started an instance with an instance-profile DataScientist. The instance profile contains an AWSReservedSSO role, not a regular IAM role.

The problem is that when I log in to the instance and try any aws command I get: Unable to locate credentials. You can configure credentials by running "aws configure".

I've successfully passed and used IAM roles on EC2 before. Why is this not working? Am I trying to do something that is not supported?

I edited the instance profile manually with aws iam add-role-to-instance-profile. The instance profile looks something like this:

{
    "InstanceProfile": {
        "Path": "/",
        "InstanceProfileName": "DataScientist",
        "Arn": "arn:aws:iam:::instance-profile/DataScientist",
        "Roles": [
            {
                "Path": "/aws-reserved/sso.amazonaws.com/us-west-2/",
                "RoleName": "AWSReservedSSO_DataScientist_abcdef",
                "Arn": "arn:aws:iam:::role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DataScientist_abcdef"
            }
        ]
    }
}

I can even see the role and my instance with aws ec2 describe-iam-instance-profile-associations.

2 Answers
0
Accepted Answer

Hello, you can follow these steps to get a solution:

The user is trying to use an AWS SSO role directly on an EC2 instance, which won't work. SSO roles are for users, not instances. EC2 instances need a regular IAM role.

Solution:

**Create a new IAM role:** This role will be specifically for the EC2 instance (e.g., DataScientistInstanceRole).

**Grant permissions:** Attach the necessary IAM policies to this new role. These policies should define what the instance is allowed to do (e.g., access S3, etc.). You might need to mirror the permissions from the SSO role, but only grant the minimum necessary permissions.

**Update the instance profile:** The instance profile (DataScientist in the question) needs to be updated. Remove the SSO role (AWSReservedSSO_DataScientist_abcdef) and add the newly created IAM role (DataScientistInstanceRole).

**Reboot the instance:** This makes the changes to the instance profile take effect.

**Why this works:** EC2 instances use IAM roles to get credentials. SSO roles are a different type of role meant for users logging in via SSO. By creating a regular IAM role and associating it with the instance profile, the instance can get the credentials it needs to interact with AWS services.

**Alternative (for interactive access):** If the main goal is to log into the instance, AWS Systems Manager (SSM) Session Manager is a better approach. It lets you connect to instances without SSH keys or open ports, and it uses an IAM role behind the scenes.

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Thanks, that is a much more detailed explanation, although the first answer was satisfactory too.

0

Hello.

Is the "AWSReservedSSO_DataScientist_abcdef" trust policy configured to allow EC2 to use the IAM role?
Judging from the name of the IAM role, it is an IAM role used by IAM Identity Center users, so I don't think the trust policy is set to allow EC2 to use it.
I recommend creating an IAM role for EC2 instead of using "AWSReservedSSO_DataScientist_abcdef".

Please refer to the YouTube video below to set it up.
https://www.youtube.com/watch?v=2m4_AdKbSY4

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Thanks, that answers my suspicion: EC2 is not added in the trust policy, nor can I edit it myself. So that makes it impossible to do such a transfer of roles.
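The two answers above describe the same fix from two angles: the accepted answer gives the procedure (create a dedicated role, grant least-privilege permissions, swap it into the instance profile, reboot), and the second answer explains why the original setup fails (the AWSReservedSSO_* role's trust policy names the Identity Center SAML provider, not the EC2 service principal). The script below is an added example written for this page, not code from either answerer or from AWS; it assumes AWS CLI v2 with IAM permissions, and the role name DataScientistInstanceRole, the policy name, the bucket name and the instance id are placeholders. It also includes the check a practitioner wants before and after the swap: inspecting a role's trust policy for the ec2.amazonaws.com principal, and confirming from inside the instance that the metadata service now hands out credentials.

```shell
#!/bin/sh
# Added example (not from the original post or its answers): replace the
# AWS SSO role in the "DataScientist" instance profile with a dedicated EC2 role.
# Assumptions: AWS CLI v2 is installed and the caller may manage IAM and EC2.
# NEW_ROLE, the policy name, the S3 bucket and INSTANCE_ID are placeholders.

PROFILE_NAME="${PROFILE_NAME:-DataScientist}"
OLD_ROLE="${OLD_ROLE:-AWSReservedSSO_DataScientist_abcdef}"
NEW_ROLE="${NEW_ROLE:-DataScientistInstanceRole}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder instance id

# Trust policy that lets the EC2 service assume the role. This is the part an
# AWSReservedSSO_* role lacks: its principal is the Identity Center SAML
# provider, so EC2 can never obtain credentials from it.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Least-privilege permissions policy for the instance itself; grant only what
# the workload needs rather than mirroring the whole SSO permission set.
# The bucket name is a constructed placeholder.
instance_permissions_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-data-bucket",
        "arn:aws:s3:::example-data-bucket/*"
      ]
    }
  ]
}
EOF
}

# Returns 0 when a trust policy document (JSON text on stdin-less arg $1)
# allows the EC2 service principal, 1 otherwise. Whitespace is stripped so
# the check is insensitive to formatting.
trust_policy_allows_ec2() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"Service":"ec2.amazonaws.com"'
}

# Fetch a role's trust policy and report whether EC2 may assume it.
show_trust_policy() {
  doc=$(aws iam get-role --role-name "$1" \
          --query 'Role.AssumeRolePolicyDocument' --output json)
  printf '%s\n' "$doc"
  if trust_policy_allows_ec2 "$doc"; then
    echo "OK: $1 trusts ec2.amazonaws.com"
  else
    echo "NOT usable on EC2: $1 does not trust ec2.amazonaws.com"
  fi
}

# The procedure from the accepted answer. An instance profile holds at most
# one role, so the SSO role must be removed before the new one is added.
apply_role_swap() {
  aws iam create-role --role-name "$NEW_ROLE" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam put-role-policy --role-name "$NEW_ROLE" \
    --policy-name DataScientistInstancePolicy \
    --policy-document "$(instance_permissions_policy)"
  aws iam remove-role-from-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$OLD_ROLE"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$PROFILE_NAME" --role-name "$NEW_ROLE"
  aws ec2 reboot-instances --instance-ids "$INSTANCE_ID"
}

# Run this on the instance itself after the reboot: IMDSv2 should list the new
# role under security-credentials and STS should resolve the caller identity.
verify_on_instance() {
  token=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -s -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  echo
  aws sts get-caller-identity
}

case "${1:-}" in
  trust)  show_trust_policy "${2:-$OLD_ROLE}" ;;
  apply)  apply_role_swap ;;
  verify) verify_on_instance ;;
  *)      echo "usage: $0 trust [ROLE] | apply | verify" >&2 ;;
esac
```

Run `sh fix-instance-role.sh trust` first to confirm the diagnosis from the second answer (the SSO role will report that it does not trust ec2.amazonaws.com), then `apply` from an administrative workstation, and `verify` from a shell on the instance once it is back up. Keeping the trust and permissions policies in separate functions mirrors the two things that were wrong in the question: who may assume the role, and what it may do.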
