Reputation: 2419
Simple question. But cannot get it to work.
I created an IAM Role for EC2 with full access to CloudWatch. I launched a new EC2 instance with this IAM Role attached. I wrote a simple PHP application on this EC2 instance which tries to publish metrics to CloudWatch.
I am getting this error in nginx logs:
    2017/08/23 11:44:06 [error] 32142#32142: *5 FastCGI sent in stderr:
    "PHP message: PHP Fatal error:
    Uncaught Aws\Exception\CredentialsException:
    Cannot read credentials from /var/www/.aws/credentials
    in /var/www/app/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:394
From that same EC2 instance, the command:
    curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-attached-to-ec2-instance>
returns 200 OK with the Access Key and Secret in the response.
This is my PHP code that tries to write CloudWatch metrics:
    <?php
    require 'vendor/autoload.php';

    use Aws\CloudWatch\CloudWatchClient;
    use Aws\Exception\AwsException;

    $count = $_GET["count"];
    publishMetric($count);

    function publishMetric($count) {
        $client = new CloudWatchClient([
            'profile' => 'default',
            'region' => 'us-east-1',
            'version' => '2010-08-01'
        ]);
        try {
            $result = $client->putMetricData(array(
                'Namespace' => 'com.mynamespace',
                'MetricData' => array(
                    array(
                        'MetricName' => 'Count',
                        //Timestamp : mixed type: string (date format)|int (unix timestamp)|\DateTime
                        'Timestamp' => time(),
                        'Value' => $count,
                        'Unit' => 'Number'
                    )
                )
            ));
            var_dump($result);
            echo 'Done publishing metrics';
        } catch (AwsException $e) {
            // output error message if fails
            error_log($e->getMessage());
            echo 'Failure to publish metrics';
        }
    }
    ?>
Any idea what is missing in this setup?
Upvotes: 0
Views: 3390
Reputation: 355
I know this is late. I had the same issue and resolved it by removing the 'profile' => 'default' line while initializing the client. If you do not provide credentials and a profile, the SDK will try to retrieve instance profile credentials from the metadata server.
Upvotes: 9
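The fix from the answer above, written out as an added example that is not part of the original posts. It assumes the AWS SDK for PHP v3 and an instance role that allows cloudwatch:PutMetricData; it selects the instance profile provider explicitly instead of relying on the default chain, validates the count parameter, and uses 'Count' as the unit, which is a CloudWatch standard unit.

```php
<?php
require 'vendor/autoload.php';

use Aws\CloudWatch\CloudWatchClient;
use Aws\Credentials\CredentialProvider;
use Aws\Exception\AwsException;
use Aws\Exception\CredentialsException;

// Reject anything that is not an integer before it becomes a metric value.
$count = filter_input(INPUT_GET, 'count', FILTER_VALIDATE_INT);
if ($count === null || $count === false) {
    http_response_code(400);
    exit('count must be an integer');
}

function publishMetric(int $count): bool
{
    // No 'profile' key: the SDK never looks for /var/www/.aws/credentials.
    // Temporary role credentials come from the instance metadata service
    // and are cached in memory until they are close to expiry.
    $provider = CredentialProvider::memoize(CredentialProvider::instanceProfile());
    $client = new CloudWatchClient([
        'region'      => 'us-east-1',
        'version'     => '2010-08-01',
        'credentials' => $provider,
    ]);
    try {
        $client->putMetricData([
            'Namespace'  => 'com.mynamespace',
            'MetricData' => [[
                'MetricName' => 'Count',
                'Timestamp'  => time(),
                'Value'      => $count,
                'Unit'       => 'Count',
            ]],
        ]);
        return true;
    } catch (CredentialsException $e) {
        // Not a subclass of AwsException, so it needs its own catch.
        error_log('Instance profile credentials unavailable: ' . $e->getMessage());
    } catch (AwsException $e) {
        // The request reached AWS but was rejected, e.g. by the role's policy.
        error_log('PutMetricData failed: ' . $e->getAwsErrorCode());
    }
    return false;
}

echo publishMetric($count) ? 'Done publishing metrics' : 'Failure to publish metrics';
```

The separate catch matters for the error in the question: Aws\Exception\CredentialsException does not extend AwsException, which is why the original catch block did not stop the fatal error.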
Reputation: 10866
Authentication of an EC2 instance while accessing other AWS services can be done in multiple ways:
Both of these are independent authentication mechanisms. If you have already assigned a role to your server, you do not have to write any code in your application (CredentialProvider.php) to authenticate.
Your current code can also be made to work by creating a file /var/www/.aws/credentials, which will look something like this:
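    ; section name matches 'profile' => 'default' in the client configuration
    [default]
    aws_access_key_id = AKIAIB6FA52IMGLREIIB
    aws_secret_access_key = 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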
Upvotes: 0