AWS CodeDeploy Agent Credential should be scoped to a valid region


I registered the instance in the "us-east-1" region to the us-gov-west-1 region and installed codedeploy-agent on the instance. The configured region is us-gov-west-1. The agent logs:

    ERROR [codedeploy-agent( 17479)]:InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService:Aws::CodeDeployCommand::Errors::InvalidSignatureException - Credential should be scoped to a valid region.

Register command:

    aws deploy register-on-premises-instance --instance-name CodeDeployTest --iam-user-arn arn:aws-us-gov:iam:::user/ --region us-gov-west-1

    aws deploy add-tags-to-on-premises-instances --instance-names CodeDeployTest --tags Key=Name,Value=CodeDeployTest --region us-gov-west-1

codedeploy-agent configuration file: /etc/codedeploy-agent/conf/codedeploy.onpremises.yml

    aws_access_key_id:
    aws_secret_access_key:
    iam_user_arn: arn:aws-us-gov:iam:::user/
    region: us-gov-west-1

aws configure list

    Name                    Value             Type                    Location
    ----                    -----             ----                    --------
    profile                 <not set>         None                    None
    access_key     *****************k         shared-credentials-file
    secret_key     *****************v         shared-credentials-file
    region             us-gov-west-1          config-file             ~/.aws/config

DD-Boom
asked 8 months ago, 335 views
1 Answer
Accepted Answer

Hi there!

The part of the error message you shared that I would like to highlight is "Credential should be scoped to a valid region". In our documentation here [1], you will see this error is generally mentioned when the credential scope's region does not match the region of the request.

Looking at the additional details provided, I can see the correct region has been defined in the ".aws" "config" file; however, please also ensure the correct region has been defined in the "codedeploy.onpremises.yml" as mentioned here [2].

If I understand your context correctly, you created/used an instance present in the "us-east-1" region and scoped it to the "us-gov-west-1" region. Referencing here [3], you will see that credentials cannot be shared between partitions like GovCloud and the standard AWS regions. That means if you were perhaps using standard IAM region credentials, the request would fail. To confirm what principal/user you are performing API calls with, you can make use of the "aws sts get-caller-identity" AWS CLI command.

For further investigation I would recommend reaching out directly to AWS Support.

AWS
Luke_R
answered 8 months ago
EXPERT
reviewed 6 months ago
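The two checks the answer recommends (the region in codedeploy.onpremises.yml, and whether the IAM user belongs to the same partition as that region) can be scripted so the mismatch is caught before the agent is started. The following POSIX shell script is an added example and is not part of the question, the answer, or the CodeDeploy agent itself; it assumes the flat `key: value` layout of codedeploy.onpremises.yml shown in the question, and the sample config files it writes are constructed for the demo, with placeholder account IDs and user names.

```shell
#!/bin/sh
# Added example: detect a partition/region mismatch in codedeploy.onpremises.yml.
# A us-gov-* region requires an IAM principal from the aws-us-gov partition;
# the partition is the second colon-separated field of the ARN.

# Map a region name to the partition whose credentials can sign requests for it.
partition_for_region() {
  case "$1" in
    us-gov-*) echo "aws-us-gov" ;;
    cn-*)     echo "aws-cn" ;;
    *)        echo "aws" ;;
  esac
}

# Read a top-level "key: value" entry from the config file (flat layout only).
yml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"' | tr -d "'"
}

# Return 0 when region and iam_user_arn are present and the ARN partition
# matches the region's partition; print a diagnostic and return 1 otherwise.
check_onprem_config() {
  file="$1"
  region=$(yml_value "$file" region)
  arn=$(yml_value "$file" iam_user_arn)
  if [ -z "$region" ] || [ -z "$arn" ]; then
    echo "$file: region or iam_user_arn is missing" >&2
    return 1
  fi
  expected=$(partition_for_region "$region")
  actual=$(printf '%s' "$arn" | cut -d: -f2)
  if [ "$actual" != "$expected" ]; then
    echo "$file: region $region needs partition $expected but ARN uses $actual" >&2
    return 1
  fi
  echo "$file: ok, $arn is scoped to partition $expected for region $region"
  return 0
}

# Demo on two constructed config files (placeholder account ID and user name).
demo_dir=$(mktemp -d)
cat > "$demo_dir/govcloud.yml" <<'EOF'
---
aws_access_key_id: AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key: EXAMPLESECRETPLACEHOLDER
iam_user_arn: arn:aws-us-gov:iam::123456789012:user/CodeDeployUser
region: us-gov-west-1
EOF
cat > "$demo_dir/mismatch.yml" <<'EOF'
---
iam_user_arn: arn:aws:iam::123456789012:user/CodeDeployUser
region: us-gov-west-1
EOF
check_onprem_config "$demo_dir/govcloud.yml"
if check_onprem_config "$demo_dir/mismatch.yml"; then
  echo "unexpected: mismatch.yml passed" >&2
fi
rm -rf "$demo_dir"
```

Run it with `sh check_onprem.sh`; the second file reproduces the situation in the question (standard-partition credentials paired with a GovCloud region) and is reported as a mismatch. The script only inspects the local file; whether the access key in the file actually belongs to that ARN is what `aws sts get-caller-identity` confirms against the service.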
