Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?

3 minute read

I attached an AWS Identity and Access Management (IAM) role to an Amazon Elastic Compute Cloud (Amazon EC2) instance. However, the Amazon EC2 instance makes API calls with an IAM user instead of an IAM role.

Short description

The AWS Command Line Interface (AWS CLI) uses a set of credential providers to look for AWS credentials in a sequence. The credentials used depends on the order and precedence of the credential providers. For more information, see Configuration and credentials precedence.

Resolution

Find the IAM user ID and location where the IAM user credentials are stored. Then, use the AWS CLI to manage IAM credentials and discard the higher precedence setting.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Find the IAM user ID and get the IAM user credential location

1. Run the get-caller-identity command to verify which IAM credentials are used to make API calls:

aws sts get-caller-identity

You receive an output similar to the following:

{

    "Account": "123456789012", 

    "UserId": "AIDACKCEVSQ6C2EXAMPLE", 

    "Arn": "arn:aws:iam::123456789012:user/ExampleIAMuser"

}

In this example output, the IAM credentials used are the user credentials ExampleIAMuser.

2. Use the --debug option to check the location of the user credentials:

aws s3 ls --debug
2020-03-28 02:04:29,478 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials

In the preceding example output, the IAM user credentials are stored in the .aws/credentials file. Because these credentials have a higher precedence than role credentials, IAM user credentials are used to make API calls.

Use the AWS CLI to manage IAM credentials and discard the higher precedence setting

The following are best practices for managing IAM credentials:

Don't use the --profile option with the AWS CLI.
Unset or remove all environment variables.
For the configure command, delete the credentials file in the .aws/credentials folder. Then, delete the .aws folder to set the instance profile default credentials.
For profiles set up in the .aws/config file, delete the profile. Then, delete the .aws folder.

After you remove the configuration settings, run the get-caller-identity command to verify the IAM role credentials:

aws sts get-caller-identity

{
    "UserId": "AROACKCEVSQ6C2EXAMPLE:i-01773d4a8ed647342",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/ExampleInstanceRole/i-01773d4a8ed647342"
}

In the preceding example output, the IAM role ExampleInstanceRole credentials are used.

Topics

Security, Identity, & Compliance Compute

Relevant content

Cli "Unable to locate credentials" on EC2 instance
Frank
asked 2 years ago
How can Hybrid SSM Activation be used to provide IAM credentials to all users
jacobmgn_aws
asked 3 months ago
AWS CLI get rid of credentials file
Accepted Answer
Joann Babak
asked 2 years ago
AWS getSignedUrl using Lambda function's Role policy, instead of provided credentials
Monty
asked 8 months ago
AWS CLI commands after AWS SDK credential store authentication
Accepted Answer
Dan
asked 2 years ago
How can I use my IAM role credentials or switch to another IAM role when connecting to Athena using the JDBC driver?
AWS OFFICIALUpdated 10 months ago
Why can't I run AWS CLI commands on my EC2 instance?
AWS OFFICIALUpdated 2 years ago
How do I use the AWS CLI to get temporary credentials for an IAM Identity Center user?
AWS OFFICIALUpdated 5 months ago
How can I use the AWS CLI to make AssumeRole calls and store temporary user credentials?
AWS OFFICIALUpdated a year ago
vCenter Roles with LDAP credentials in VMware Cloud on AWS
EXPERT
Patrick Kremer
published 6 months ago