Why does AWS CLI need access/secret key?

Question

If I already assigned an IAM role to my ec2 instance, and I want to use AWS CLI from that instance, why does it require me to put in the access/secret key, isn't that kind of redundant?

Answer 1

You are not required to enter an access key/secret key.

The AWS documentation for Configuring the AWS CLI tells us the following about the credentials provider chain:

The AWS CLI looks for credentials and configuration settings in the following order:

• Command Line Options – region, output format and profile can be specified as command options to override default settings.
• Environment Variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.
• The AWS credentials file – located at ~/.aws/credentials on Linux, OS X, or Unix, or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contain multiple named profiles in addition to a default profile.
• The CLI configuration file – typically located at ~/.aws/config on Linux, OS X, or Unix, or at C:\Users\USERNAME\.aws\config on Windows. This file can contain a default profile, named profiles, and CLI specific configuration parameters for each.
• Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role, and are delivered through the Amazon EC2 metadata service.

If you configure credentials then these will be used, however configure nothing and you should be good to go with your existing Instance Profile and IAM Role.

Answer 2

You don't need it. As the readme says:

The quickest way to get started is to run the aws configure command:

That doesn't mean it's the only way.

For IAM roles, you don't need to do anything, it'll work correctly out of the box:

The final option for credentials is highly recommended if you are using aws-cli on an EC2 instance. IAM Roles are a great way to have credentials installed automatically on your instance. If you are using IAM Roles, aws-cli will find them and use them automatically.

(also from the readme).