Windows AWS CLI "Unable to locate credentials" when running as System Account

Question

I am unable to run any AWS CLI command from cmd.exe running as System Account.

According to debug output, it looks like issue might be with getting 404 when trying to get IAM-Role of EC2 machine:

C:\>aws --debug s3 ls
2016-09-02 15:47:31,101 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2016-09-02 15:47:35,608 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): au-aws-igw.analytics.pvt
2016-09-02 15:47:35,674 - MainThread - botocore.vendored.requests.packages.urllib3.connectionpool - DEBUG - "GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 404 345

To replicate issue:

1. Download PsExec to C:\Temp of EC2 (https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)
2. Open cmd and run C:\Temp\PSTools\PsExec.exe -i -s cmd.exe (this will open cmd as Local System)
3. Run any 'aws' command (e.g. aws s3 ls)

If just remote into EC2 and run cmd (not as System Account) then 'aws s3 ls' works as expected... i.e. List all s3 buckets that EC2 IAM Role has access to view.

Answer 1

The issue was a proxy was configured for system account thus couldn't get to local EC2 metadata URL.

It was quite hard to find as was hidden in registry on windows box. I had to open regedit as system account and go to IE and found it there. Just removed that key and worked fine.

Answer 2

Read this: http://windowsitpro.com/systems-management/psexec

And maybe try using the -u to specify a user on the box to run your commands?

I'm going to guess it's an issue with not having an environmental variable set, path to your AWS config or something or other.

Whichever user you can remote in and run cmd as, pass that username in the -u parameter for psexec.exe command, and I expect it will work.