Why can't I run AWS CLI commands on my EC2 instance?

Last updated: 2022-02-14

When running AWS CLI commands on your instance, you might see one of the following error messages:

• "Unable to locate credentials. You can configure credentials by running 'aws configure'"
• "An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation"
• "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials"
• "An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired"

The operation listed in the error varies depending on the operation that you called when the error occurred. In the preceding examples, the errors occurred when calling the DescribeInstances and GetCallerIdentity operations.

Note: For communication issues between the AWS CLI and one of the AWS service endpoints, confirm that the DNS resolution and any VPC endpoints work correctly. For more information, see the following:

• AWS PrivateLink and VPC endpoints
• How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?
• Amazon DNS server

If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Verify that the AWS CLI is installed and configured correctly.

When using AWS Identity and Access Management (IAM) instance profiles, make sure that the IAM role association has completed.

• Make sure that the IAM role or IAM user has the correct permissions to run the relevant commands. For instructions on how to do this, see Why am I receiving the error message "You are not authorized to perform this operation" when I try to launch an EC2 instance?
• Make sure that the time on your Linux or Windows instance is correct.
• Make sure that you're using the correct Amazon Simple Token Service (AWS STS) token format. For more information, see Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?
• Make sure that you're using the correct credentials to make the API call. If there are multiple sets of credentials on the instance, credential precedence might affect the credentials that the instance uses to make the API call. Verify the set of credentials that you're using by running the aws sts get-caller-identity command. For more information, see Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?

Temporary credentials expire at the time interval specified during creation. If the credentials for your IAM role are expired, then obtain a new STS token by assuming a new IAM role.