Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?

Last updated: 2020-06-12

I attached an AWS Identity and Access Management (IAM) role to an Amazon Elastic Compute Cloud (Amazon EC2) instance. However, the Amazon EC2 instance makes API calls with an IAM user instead of an IAM role.

Short Description

The AWS Command Line Interface (AWS CLI) uses a chain of credential providers to look for AWS credentials in a fixed sequence. The credentials that are used depend on the order and precedence of those providers: the first provider that returns credentials wins, and the instance profile is consulted last. For more information, see Configuration Settings and Precedence.

Resolution

Follow these instructions to find which IAM user's credentials are being used and where they are stored. Then, use the AWS CLI best practices below to remove the higher-precedence credential settings so that the instance profile role credentials are used.

Find the IAM user ID and get the IAM user credential location

1.    Run the following get-caller-identity command to verify which IAM credentials are used to make API calls:

aws sts get-caller-identity

You receive an output similar to the following:

{
    "Account": "123456789012",
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",
    "Arn": "arn:aws:iam::123456789012:user/ExampleIAMuser"
}

In this example output, the API calls are made with the credentials of the IAM user ExampleIAMuser, not with the instance role.

2.    Use the --debug option to find where the user credentials are stored, as in the following example:

aws s3 ls --debug
2020-03-28 02:04:29,478 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials

In this example output, the IAM user credentials are stored in the ~/.aws/credentials file. Because the shared credentials file has a higher precedence than the instance profile, the IAM user credentials are used to make API calls.

Use the AWS CLI to manage IAM credentials and discard the higher-precedence setting

Use the following best practices:

  • Be sure not to use the --profile option with the AWS CLI.
  • Unset or remove all AWS credential environment variables.
  • If you set credentials with the configure command, delete the credentials file in the .aws folder. Then, delete the .aws folder so that the instance profile default credentials are used.
  • For profiles set up in the .aws/config file, delete the profile. Then, delete the .aws folder.

After you remove the higher-precedence configuration settings for the IAM user credentials, run the get-caller-identity command again to verify that the IAM role credentials are now used, similar to the following:

aws sts get-caller-identity

{
    "UserId": "AROACKCEVSQ6C2EXAMPLE:i-01773d4a8ed647342",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/ExampleInstanceRole/i-01773d4a8ed647342"
}

In this example output, the API calls are made with the credentials of the IAM role ExampleInstanceRole, assumed through the instance profile.
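To check an instance for all of these higher-precedence credential sources in one pass, here is an added POSIX shell script (not from this article or from the AWS CLI). It assumes the CLI's default locations ~/.aws/credentials and ~/.aws/config and the standard AWS_* environment variable names, and the demo at the bottom runs against a constructed sample directory rather than a real instance.

```shell
#!/bin/sh
# Lists credential sources that outrank the EC2 instance profile, in the
# order the AWS CLI consults them: environment variables first, then the
# shared credentials file, then the config file. Prints one line per
# source found; prints "instance-profile" when nothing overrides the role.
# The directory to inspect can be passed as $1 (defaults to $HOME/.aws).
aws_credential_overrides() {
    aws_dir="${1:-$HOME/.aws}"
    found=0
    # 1. Environment variables: static keys or a selected profile.
    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE; do
        if eval "[ -n \"\${$var:-}\" ]"; then
            echo "env:$var"
            found=1
        fi
    done
    # 2. Shared credentials file: any profile carrying an access key.
    if [ -f "$aws_dir/credentials" ] \
       && grep -q '^[[:space:]]*aws_access_key_id' "$aws_dir/credentials"; then
        echo "file:$aws_dir/credentials"
        found=1
    fi
    # 3. Config file: credential-bearing settings (static keys, a role to
    #    assume, an external credential process or a chained profile).
    if [ -f "$aws_dir/config" ] \
       && grep -Eq '^[[:space:]]*(aws_access_key_id|role_arn|credential_process|credential_source|source_profile)' "$aws_dir/config"; then
        echo "file:$aws_dir/config"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "instance-profile"
    return 0
}

# Demo on a constructed sample directory (not a real instance's ~/.aws);
# the access key ID below is a made-up placeholder value.
demo_dir=$(mktemp -d)
printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$demo_dir/credentials"
aws_credential_overrides "$demo_dir"   # prints file:<demo_dir>/credentials
rm -rf "$demo_dir"
```

Run it on the instance before and after applying the best practices above: a clean result is the single line instance-profile.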
