Why can't I run AWS CLI commands on my EC2 instance?
Last updated: 2021-05-10
Why am I receiving errors while trying to run AWS Command Line Interface (AWS CLI) commands on my Amazon Elastic Compute Cloud (Amazon EC2) instance?
When running AWS CLI commands on your instance, you might see one of the following error messages:
- "Unable to locate credentials. You can configure credentials by running 'aws configure'"
- "An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation"
- "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials"
- "An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired"
The operation listed in the error varies depending on the operation that you called when the error occurred. In the preceding examples, the errors occurred when calling the DescribeInstances and GetCallerIdentity operations.
Note: For communication issues between the AWS CLI and one of the AWS service endpoints, confirm that the DNS resolution and any VPC endpoints work correctly. For more information, see the following:
Verify that you're running the most recent AWS CLI version
If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Unable to locate credentials
An error occurred (UnauthorizedOperation) and (AuthFailure)
- Make sure that the AWS Identity and Access Management (IAM) role or IAM user has the correct permissions to run the relevant commands. For instructions on how to do this, see Why am I receiving the error message "You are not authorized to perform this operation" when I try to launch an EC2 instance?
- Make sure that the time on your Linux or Windows instance is correct.
- Make sure that you're using the correct Amazon Simple Token Service (AWS STS) token format. For more information, see Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?
- Make sure that you're using the correct credentials to make the API call. If there are multiple sets of credentials on the instance, credential precedence might affect which credentials the instance uses to make the API call. Verify which set of credentials you're using by running the aws sts get-caller-identity command. For more information, see Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?
An error occurred (ExpiredToken)
Temporary credentials expire at the time interval specified during creation. If the credentials for your IAM role are expired, obtain a new STS token by assuming a new IAM role.