AWS CLI in Windows EC2 cannot use role to access S3

Question

I am very new to AWS. I created an IAM role which has full access to S3. I assigned this role to a Windows Server EC2 instance. I then installed CLI on that instance. I then remoted into that instance using RDP, and started a CMD windows, and typed in

aws s3 ls

It complained that

Unable to locate credentials. You can configure credentials by running "aws configure".

Now that this EC2 has been assigned the role that has full access to S3, why can't I directly access S3?

Answer 1

I stumbled across this post. The reason you get this message is because what @John Rotenstein stated, the server can't reach the metadata.

Running aws config list will show that you do not have any credentials as the message states. This means that the server can't the following:

# 169.254.169.254 is for metadata service
# 169.254.169.250 is for KmsInstanceVpc1
# 169.254.169.251 is for KmsInstanceVpc2

To fix this. It is best to just remove the routes and add them again.

"169.254.169.254/32", "169.254.169.253/32", "169.254.169.251/32", "169.254.169.250/32", "169.254.169.249/32", "169.254.169.123/32"

Running a aws config list will show that the credentials have been added.

I find that btuanexpress.net script to fix this issue within Windows helps

Answer 2

Thank you John Rotenstein for your help. You pointed me to the right direction. I created a new instance from scratch, and everything worked. The previous instance I installed IIS and ASP.NET on it. Would it be possibly the reason?

Answer 3

To use AWS CLI with IAM Roles, you create a named profile. Instead of configuring this profile with credentials, you specify the ARN of the role and the name of the profile that has access to it.