AWS SDK for PHP: Error retrieving credentials from the instance profile metadata server

Question

I am trying to send SNS messeges to android through web api. Downloaded and installed the SDK from http://aws.amazon.com/developers/getting-started/php/

Got following error while running sample.php:

Fatal error: Uncaught exception 'Aws\Common\Exception\InstanceProfileCredentialsException' with message 'Error retrieving credentials from the instance profile metadata server. When you are not running inside of Amazon EC2, you must provide your AWS access key ID and secret access key in the "key" and "secret" options when creating a client or provide an instantiated Aws\Common\Credentials\CredentialsInterface object. ([curl] 28: Connection timed out after 5016 milliseconds [url] http://169.254.169.254/latest/meta-data/iam/security-credentials/)' in C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\InstanceMetadata\InstanceMetadataClient.php:85
Stack trace:
#0 C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\Credentials\RefreshableInstanceProfileCredentials.php(52): Aws\Common\InstanceMetadata\InstanceMetadataClient->getInstanceProfileCredentials()
#1 C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\Credentials\AbstractRefreshableCredentials.php(54): Aws\Common\Credentials\Refreshable in C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\InstanceMetadata\InstanceMetadataClient.php on line 85

A little guidance on this topic will help me a lot

Answer 1

In my case (laravel 8, right after a few version upgrades) i had to change the "scripts" part of composer.json. Then after a "sail composer install" my AWS code worked again.

"scripts": {
    "post-autoload-dump": [
        "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
        "@php artisan package:discover --ansi"
    ],
    "post-update-cmd": [
        "@php artisan vendor:publish --tag=laravel-assets --ansi --force"
    ],
    "post-root-package-install": [
        "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
    ],
    "post-create-project-cmd": [
        "@php artisan key:generate --ansi"
    ]
},

Source: https://github.com/laravel/laravel/blob/8.x/composer.json

Answer 2

assuming that the server is located on AWS EC2 (probably the same for ECS and elastic beanstalk) the "correct" way to handle this issue is not to store credentials at all.

instead, do this:

1. create an IAM role (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
2. add relevant permissions to the role policy (in this case, send SNS msg)
3. assign the role to the EC2 instance (instance settings => Attach/Replace IAM Role)

this way you don't leave any sensitive data in your code.

Answer 3

You can try these lines:

$credentials = new Aws\Credentials\Credentials('key' , 'secret-key');

$s3 = new S3Client(['version' => 'latest','region' => 'ap-south-1','credentials'=>$credentials]);

Answer 4

This might be because the config file hasn't been published.

Be sure to publish the config file:

php artisan vendor:publish  --provider="Aws\Laravel\AwsServiceProvider"

To test this is the issue, just clear the config.

php artisan config:clear

If it works with the cache cleared, then this will be the issue.

Answer 5

If it is laravel and aws/aws-sdk-php-laravel sdk then after configuring all step and defining key in .env file you have to drop config cache and rebuild it by following commands.

php artisan config:cache;
composer dump-autoload;

Answer 6

In my case I had to use hard-coded credentials

$s3Client = new S3Client([
    'region' => REGION,
    'version' => '2006-03-01',
    'credentials' => [
        'key'    => S3_KEY,
        'secret' => S3_SECRETE,
    ],
]);

See more details here:

Answer 7

Here are the steps:

1. Type cd ~ By this you will go into the home directory.
2. mkdir .aws
3. sudo vi .aws/credentials

4. Write following lines and save the file.

   [default]
   aws_access_key_id = Your AWS Access Key
   
   aws_secret_access_key = Your AWS Secret Access Key
   

Answer 8

I was trying to use a credentials file and got the same error, this guy on github pretty much nailed it:

The credentials file should be in ini format but not have a .ini extension. It should have a 'default' section defined with your key and secret:

$ less ~/.aws/credentials

[default]
aws_access_key_id = key
aws_secret_access_key = secret

If you specified other section name instead of default, just add a profile key to the S3Client parameters:

[example]
aws_access_key_id = key
aws_secret_access_key = secret

$s3Client = new \Aws\S3\S3Client([
    'version' => '2006-03-01',
    'region' => $yourPreferredRegion,
    'profile' => 'example',
]);

Using a credentials file or environment variables is the recommended way of providing credentials on your own server

And @Anti 's answer also helped me alot!

If you prefer the hard coded way, just follow @shadi 's answer.

Answer 9

In my case, I was using

return DynamoDbClient::factory(array(
  'version' => 'latest',
  'region'  => AWS_REGION,
  'key' => AWS_KEY,
  'secret'  => AWS_SECRET
));

which used to be ok with aws/aws-sdk-php version 2.8.5 , but when composer automatically installed version 3.2.0, I got the error above. The problem is simply that I should've changed the way I made the call to

return DynamoDbClient::factory(array(
  'version' => 'latest',
  'region'  => AWS_REGION,
  'credentials' => array(
    'key' => AWS_KEY,
    'secret'  => AWS_SECRET,
  )
));

as documented here. Without changing the call, the apache php was falling back to looking for the ~/.aws/credentials file using the HOME environment variable, which was empty. You can check its value by running php -r 'var_dump(getenv("HOME"));'.

This is a related post

Answer 10

You have to place the .aws/credentials file with your configuration in the home directory of the web service *usually /var/www) not in the home directory of the logged in user.

You can find what home directory you web service is using by running echo getenv('HOME'); in a php file on your server.