CODEWITHSUNDEEP
amazon-web-servicesubuntuamazon-s3aws-cloudformation
sashoalm
sashoalm

Reputation: 79467

cfn-init error: Unable to retrieve remote metadata : No credentials

I have a test template that downloads a single non-public file from an S3 bucket, using cfn-init and an AWS::CloudFormation::Authentication and AWS::CloudFormation::Init sections.

This runs successfully on an Amazon AMI, but on an Ubuntu AMI, it fails with this error:

WARNING [2017-10-29 12:01:03,541] Unable to retrieve remote metadata : No credentials!
WARNING [2017-10-29 12:01:03,541] Unable to open local metadata : /var/cache/heat-cfntools/last_metadata
WARNING [2017-10-29 12:01:03,542] Unable to open local metadata : /var/lib/heat-cfntools/cfn-init-data
ERROR [2017-10-29 12:01:03,542] Unable to read any valid metadata!
ERROR [2017-10-29 12:01:03,542] Error processing metadata
Traceback (most recent call last):
  File "/usr/bin/cfn-init", line 68, in 
    metadata.cfn_init()
  File "/usr/lib/python2.7/dist-packages/heat_cfntools/cfntools/cfn_helper.py", line 1270, in cfn_init
    raise Exception("invalid metadata")
Exception: invalid metadata

The full template - https://pastebin.com/e072d5GF.

I found a similar question on Launchpad, but it has no answer.

Edit: This is the output from curl 169.254.169.254/latest/meta-data/iam/info/:

{
  "Code" : "InstanceProfileNotFound",
  "Message" : "Instance Profile with Id AIPAJWC744OTCCS55JMTW cannot be found.  Please see documentation at http://docs.amazonwebservices.com/IAM/latest/UserGuide/RolesTroubleshooting.html.",
  "LastUpdated" : "2017-10-29T12:26:01Z"
}

Upvotes: 1

Views: 690

Answers (1)

GMartinez
GMartinez

Reputation: 387

You are specifying a role named "s3access", however you are not declaring it. If it doesn't exist already you need to create it.

Add this inside Resources, and change Bucket_Name (2 entries) and Path_Name (1 entry) to match your configuration:

"s3access": {
"Type": "AWS::IAM::Role",
"Properties": {
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": ["ec2.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
        }]
    },
    "Path": "/",
    "Policies": [{
        "PolicyName": "S3_Read",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                    "Effect": "Allow",
                    "Action": "s3:GetObject",
                    "Resource": [{
                        "Fn::Join": ["", ["arn:aws:s3:::", "Bucket_Name", "/Path_Name/*"]]
                    }, ]
                },
                {
                    "Effect": "Allow",
                    "Action": "s3:ListBucket",
                    "Resource": [{
                        "Fn::Join": ["", ["arn:aws:s3:::", "Bucket_Name"]]
                    }]
                }
            ]
        }
    }]
}

}

Upvotes: 1

Related Questions