Andy Longwill

Reputation: 634

Windows Server no longer connecting to S3 via IAM role

I have a Windows Server 2016 AMI (AMI v1) that was able to use an Instance Profile and associated IAM role to write to S3.

That AMI was modified to enable Windows Remote Management (and a few other changes like replacing an EBS volume) and a new AMI was created (AMI v2).

When using AMI v2 and PowerShell commands like Write-S3Object, the following error is shown:

No credentials specified or obtained from persisted/shell defaults.

The Amazon SSM agent is also unable to start, and its error logs show the following (note it works fine on AMI v1):

2017-10-09 14:53:13 ERROR [start @ agent.go.61] error occured when starting core manager: Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2017-10-09 14:53:13 ERROR [Execute @ agent_windows.go.169] Failed to start agent. Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2017-10-09 14:53:50 ERROR [NewCoreManager @ coremanager.go.63] error fetching the region, Failed to fetch region. Data from vault is empty. Get http://169.254.169.254/latest/dynamic/instance-identity/document: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I've tried disabling Windows Remote Management and Windows Firewall in AMI v2, and neither has helped.

Any suggestions on how to debug this would be appreciated!

Upvotes: 3

Views: 1499

Answers (1)

Arun Gopinath

Reputation: 133

I know this is an old post, but I came across this problem recently. The issue was missing routes to 169.254.169.254.

If you run aws sts get-caller-identity you should get a similar error message, which confirms the problem.

To fix it, launch a PowerShell session, then run

Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psm1"; 
Add-Routes

Run aws sts get-caller-identity again and you should now see the name of the IAM role.

PS: To print the routes: route print

Upvotes: 2
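
A diagnostic for the failure discussed above, added here as an example and not part of the original question or answer: it checks, in order, whether Windows has a route for 169.254.169.254, whether TCP port 80 on it is reachable, and whether the metadata service returns the instance identity document and the attached role name. The function names are hypothetical, and the IMDSv2 token request is an addition (the log above shows a plain GET).

```powershell
# Added example: checks each layer between the instance and the metadata service.
$Imds = '169.254.169.254'   # link-local metadata address from the SSM agent log

function Get-ImdsRoute {
    # Route Windows would select for the metadata address; nothing if no route matches.
    Find-NetRoute -RemoteIPAddress $Imds -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
}

function Test-ImdsTcp {
    # TCP connect to port 80, the port used by the URL in the agent log.
    (Test-NetConnection -ComputerName $Imds -Port 80 -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Get-ImdsValue([string]$Path) {
    # Request an IMDSv2 session token first; fall back to a plain GET (IMDSv1).
    $headers = @{}
    try {
        $token = Invoke-RestMethod -Method Put -Uri "http://$Imds/latest/api/token" `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 5
        $headers['X-aws-ec2-metadata-token'] = $token
    } catch { }
    Invoke-RestMethod -Uri "http://$Imds/latest/$Path" -Headers $headers -TimeoutSec 5
}

$route = Get-ImdsRoute
if ($route) { $route | Format-List }
else { Write-Warning "No route covers $Imds; compare 'route print' with a working instance." }

if (Test-ImdsTcp) {
    try {
        $doc = Get-ImdsValue 'dynamic/instance-identity/document'
        # The document may arrive as plain text rather than parsed JSON.
        if ($doc -is [string]) { $doc = $doc | ConvertFrom-Json }
        $role = Get-ImdsValue 'meta-data/iam/security-credentials/'
        "Region: $($doc.region)  Instance: $($doc.instanceId)  Role: $role"
    } catch {
        Write-Warning "Metadata request failed: $($_.Exception.Message)"
    }
} else {
    Write-Warning "TCP 80 to $Imds failed; check the route shown above."
}
```

The script only lists the role name from the security-credentials path and never prints the temporary keys themselves.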
