I have attached an EC2 role to the instance , to my EC2 instance and I am running my AWS JAVA SDK . When I am trying to load the credentials this way :
InstanceProfileCredentialsProvider instanceCred = new InstanceProfileCredentialsProvider();
I am getting the following error :
Exception in thread "main" com.amazonaws.AmazonClientException: Unable to load credentials.
at com.amazonaws.auth.InstanceProfileCredentialsProvider.loadCredentials(InstanceProfileCredentialsProvider.java:195)
at com.amazonaws.auth.InstanceProfileCredentialsProvider.getCredentials(InstanceProfileCredentialsProvider.java:124)
Can any suggest what I might be missing?
I was able to get around it by running the code from my EC2 instance and enhancing my code , here is the code :
String arn = "arn:aws:iam::"+accountnumber+":role/My-CrossAccount-CustomRole-ReadOnly";
InstanceProfileCredentialsProvider instanceCred = new InstanceProfileCredentialsProvider();
stscred = new STSAssumeRoleSessionCredentialsProvider(instanceCred.getCredentials(),arn,"123",clientConfiguration);
Make sure you have "sts:AssumeRole" in your role actions .
Related
I have an ECS task that runs an image build from Amazon Linux.
container_pull(
name = "amazonlinux",
registry = "registry.hub.docker.com",
repository = "library/amazonlinux",
tag = "2022.0.20220315.0",
digest = "sha256:c74e77c670519cd69e3f5ce3fa714c02c582a40d786dd7e97113e717e7655e4d",
)
However when I run the image on ECS and try to perform an operation on S3, I get this error:
Unable to get IAM security credentials from EC2 Instance Metadata Service.
This surprises me because I thought the image would contain the necessary services to communicate with ECS and obtain IAM credentials.
The role has permissions s3:PutObject and s3:GetObject.
How do I gain access to S3 inside my image?
Note I do not want to pass AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables if I can help it.
The issue was that I had not assigned a Task Role (I had only assigned an Execution Role).
The Task Role has permission to access S3.
My Python application is deployed in a docker container on an EC2 instance. Passwords are stored in secrets manager. During runtime, application will make an API call to secrets manager to fetch the password and connect. Since we recreated the instance, it started giving out below error -
botocore.exceptions.NoCredentialsError: Unable to locate credentials
My application code is -
session = boto3.session.Session()
client = session.client(service_name = 'secretmanager', region_name = 'us-east-1')
get_secret_value_response = client.get_secret_value(secretId = secret_name)
If I run -
aws secretmanager get-secret-value --secret-id abc
It works without any issues since IAM policy is appropriately attached to the EC2 instance.
I spent the last 2 days trying to troubleshoot this but am still stuck with no clarity on why this is breaking. Any tips or guidance would help.
The problem was with the HTTPToken variable in the instance metadata options which was defaulted to required with the fresh update. Reverted it back to optional and boto3 is now able to make an API call for instance meta data and inherit its roles.
Intermittently getting the following error while running aws glue job,
Error downloading script: fatal error: An error occurred (404) when calling the HeadObject operation:
Not sure why it would be intermittent, but this is likely an issue connecting to S3. A few things to check:
Glue Jobs run with an IAM role. You can check your Job details to see what it's currently set to. You should make sure that role has privileges to access the S3 bucket that has your job code in it.
Glue Jobs require a VPC endpoint. You should check to make sure that you have one properly created for the VPC you're using
It is possible to configure a VPC endpoint without associating it with any subnets. Check your VPC Endpoint for the correct routing.
Below is a bit of reference code written with AWS CDK, in case it's helpful
IAM Role
new iam.Role(this, `GlueJobRole`, {
assumedBy: new iam.ServicePrincipal(`glue.amazonaws.com`),
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName(
`service-role/AWSGlueServiceRole`
),
],
});
VPC Endpoint
const vpc = ec2.Vpc.fromLookup(this, `VPC`, { vpcId: VPC_ID });
new ec2.GatewayVpcEndpoint(this, `S3VpcEndpoint`, {
service: ec2.GatewayVpcEndpointAwsService.S3,
subnets: vpc.publicSubnets,
vpc,
});
May be your bucket is enabled customer managed key. You need to add Glue role to kms to fixed this issue.
By googling, I found this tutorial on accessing S3 from EC2 instance without credential file. I followed its instructions and got the desired instance. The aws web console page looks like
However, I don't want to do it manually using the web console every time. How can I create such EC2 instances using boto3?
I tried
s = boto3.Session(profile_name='dev', region_name='us-east-1')
ec2 = s.resource('ec2')
rc = ec2.create_instances(ImageId='ami-0e297018',
InstanceType='t2.nano',
MinCount=1,
MaxCount=1,
KeyName='my-key',
IamInstanceProfile={'Name': 'harness-worker'},
)
where harness-worker is the IAM role with access to S3, but nothing else.
It is also used in the first approach with the aws web console tutorial.
Then I got error saying
ClientError: An error occurred (UnauthorizedOperation) when calling
the RunInstances operation: You are not authorized to perform this
operation.
Did I do something obviously wrong?
The dev profile has AmazonEC2FullAccess. Without the line IamInstanceProfile={'Name': 'harness-worker'},, create_instances is able to create instance.
To assign an IAMProfile to an instance, AmazonEC2FullAccess is not sufficient. In addition, you need the following privilege to pass the role to the instance.
See: Granting an IAM User Permission to Pass an IAM Role to an Instance
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*"
}
First you can give full IAM access to your dev profile and see it works. Then remove full IAM access and give only iam:PassRole and try again.
This has nothing to do with the role you are trying to assign the new EC2 instance. The Python script you are running doesn't have the RunInstances permission.
i am getting the below error while creating an instance in AWS through eclipse.
exception in thread "main" com.amazonaws.AmazonClientException: Unable to load AWS credentials from any provider in the chain
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:117)
at com.amazonaws.services.opsworks.AWSOpsWorksClient.invoke(AWSOpsWorksClient.java:3574)
at com.amazonaws.services.opsworks.AWSOpsWorksClient.createInstance(AWSOpsWorksClient.java:2098)
at AwsConsoleApp.main(AwsConsoleApp.java:154)
my code reads:
String az=new String("ec2.us-east-1.amazonaws.com");
cir.setAvailabilityZone(az);
String ami_id=new String("ami-864d84ee");
cir.setAmiId(ami_id);
CreateInstanceResult cr=awoc.createInstance(cir);
please hep me on this.
Looks like you need to provide your credentials to access your AWS account:
http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/credentials.html