ubi

Reputation: 4399

AWS powershell credential_source = Ec2InstanceMetadata

I'm trying to set the credential_source = Ec2InstanceMetadata option in the profile config file so applications/tools running on an EC2 can assume a specific role rather than the Instance Profile role.

I have the following config file at c:\aws\config

[SomeUser]
aws_access_key_id = AKIAXXX
aws_secret_access_key = zzzz

[profile RoleA]
role_arn = arn:aws:iam::1111111:role/RoleA
credential_source = Ec2InstanceMetadata

[profile RoleB]
role_arn = arn:aws:iam::1111111:role/RoleB
source_profile = SomeUser

To set the profile for the current PowerShell session, I run this command

PS C:\> Set-AWSCredentials -ProfileName RoleA -ProfileLocation c:\aws\config

However, it throws the error

Set-AWSCredentials : Credential profile [RoleA] is not valid. Please ensure the profile contains a valid combination of properties.

According to the docs, credential_source = Ec2InstanceMetadata is a valid option but if I remove the RoleA profile from the config file it accepts the command, leading me to believe that option is not recognized.

Once that role is removed and I pass RoleB as the ProfileName with the Set-AWSCredentials command, I can run other AWS CLI commands that assume RoleB (in this case credentials are taken from the IAM user credentials of [SomeUser]). But this is not what I want as I do not want to have IAM credentials stored on the instance.

Any idea what I am doing wrong?

P.S. I have the following versions for AWS PS tooling (Get-AWSPowerShellVersion)

Amazon Web Services SDK for .NET: Core Runtime Version 3.3.22.5
AWS Tools for Windows PowerShell: Version 3.3.283.0

Upvotes: 1

Views: 1389

Answers (1)

Norm Johanson

Reputation: 3177

This is a missing feature in the AWS SDK for .NET which the AWS PowerShell tooling is based on. Can you open a GitHub issue in our repository to help track this feature? https://github.com/aws/aws-sdk-net

Upvotes: 1
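
One way to get RoleA credentials on the instance without storing IAM user keys while the profile option is unsupported. This is an added example, not code from the question or from the answer's author: it calls STS explicitly with the instance profile credentials. It assumes RoleA's trust policy allows the instance profile role to assume it, that no default profile or environment keys are configured on the instance, and that the region resolves from instance metadata. The session name and the helper function name are hypothetical.

```powershell
# Added example. Role ARN is taken from the question; the session name is a made-up label.
$RoleArn     = 'arn:aws:iam::1111111:role/RoleA'
$SessionName = 'ec2-rolea-session'   # hypothetical
$script:RoleACreds = $null

function Get-RoleACredential {
    # Hypothetical helper: returns temporary RoleA credentials, renewing them
    # when fewer than five minutes of validity remain.
    $now = (Get-Date).ToUniversalTime()
    if ($script:RoleACreds -and
        $script:RoleACreds.Expiration.ToUniversalTime() -gt $now.AddMinutes(5)) {
        return $script:RoleACreds
    }

    # No -ProfileName or -Credential is passed here, so the request is signed by the
    # default credential search. With nothing stored on the instance, that resolves
    # to the instance profile role served by EC2 instance metadata.
    $response = Use-STSRole -RoleArn $RoleArn `
                            -RoleSessionName $SessionName `
                            -DurationInSeconds 3600

    $script:RoleACreds = $response.Credentials
    return $script:RoleACreds
}

# Pass the temporary credentials per call instead of setting a session default,
# so later Use-STSRole calls are still signed by the instance profile role.
$creds = Get-RoleACredential

# Check which identity the credentials map to; the Arn should name RoleA.
$identity = Get-STSCallerIdentity -Credential $creds
if ($identity.Arn -notlike '*assumed-role/RoleA/*') {
    throw "Unexpected identity: $($identity.Arn)"
}

# Any other AWS cmdlet takes the same -Credential parameter.
Get-S3Bucket -Credential $creds
```

The credentials exist only in the PowerShell session's memory and expire after the requested duration, so nothing long-lived is written to c:\aws\config.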
