Reputation: 21
I have a setup where I launch AWS EC2 instances from templates and their AMI contains the AWS CLI, so it can copy over the contents of a private S3 bucket on launch. This template automatically applies an IAM role with the "AmazonS3ReadOnlyAccess" policy. This has been working as intended so far in the eu-west-2 region, but now I wanted to run these instances in us-east-2 region. I copied the AMI and made a new template using identical settings to the ones in eu-west-2, but when the script to sync the S3 buckets launches (it's just a bat file that runs "aws s3 sync ... ...") the contents of the synced folder are empty.
After a bit of looking around I noticed that it throws a "fatal error: Unable to locate credentials" error. I checked the credentials using "aws configure list" and get that access_key, secret_key and region are not set. If I run the same instance back in eu-west-2 these fields are populated.
I've tried recopying the base AMI, recreating the launch templates, creating region-specific buckets, and creating new IAM policies, all of this as both an IAM user and the root user; the credentials still get set in eu-west-2, but not in us-east-2. The only configurations that differ are the VPC, subnet and routing table settings - for obvious reasons, as they need to be in a new region. Does anybody know why this might be happening? I've run out of ideas.
Upvotes: 0
Views: 184
Reputation: 21
Ok, so as I was continuing to have issues with the copied AMI, I decided to just build one from scratch on the us-east-2 server.
I made a new instance, set it up, and created a new AMI. When I launched it, the instance policy applied correctly and everything worked. When I made a template from the AMI, however, the credentials were missing again. When I tried launching the instance from the AMI (not the template), everything worked again. I compared the settings between the template-launched and AMI-launched instances and the only difference (besides different IPs and such) was the subnet - the working AMI image was on us-east-2a, the template-created instance was on us-east-2b. Now this seems odd to me, that policy-applied credentials would be subnet dependent, but as much as I tested, this seems to be the case.
TL;DR: Policy-set credentials were not being applied because new images were not being launched on the same subnet the original AMI was built on (us-east-2a vs. us-east-2b). Solved by setting the launch template to use the same subnet.
Upvotes: 0
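A diagnostic that narrows down where instance-role credentials go missing on a freshly launched instance, added here as an example and not part of either post above. It assumes a Windows instance with PowerShell and the AWS CLI installed, as the question describes, and uses only the standard IMDSv2 endpoints on 169.254.169.254.

```powershell
# Added diagnostic (not from the original posts). Run on the affected instance.
# It checks, in order: can IMDS be reached, is an instance profile attached,
# are role credentials being served, and does the CLI resolve the same identity.
$Imds = "http://169.254.169.254/latest"

# Step 1: obtain an IMDSv2 session token (fails if IMDS is disabled or blocked).
try {
    $Token = Invoke-RestMethod -Uri "$Imds/api/token" -Method PUT `
        -Headers @{ "X-aws-ec2-metadata-token-ttl-seconds" = "300" } -TimeoutSec 3
} catch {
    Write-Output "IMDS unreachable: $($_.Exception.Message)"
    Write-Output "Check that instance metadata is enabled for this instance and nothing on the host blocks 169.254.169.254."
    return
}
$Hdr = @{ "X-aws-ec2-metadata-token" = $Token }

# Step 2: iam/info returns 404 (and Invoke-RestMethod throws) when no profile is attached.
try {
    $Info = Invoke-RestMethod -Uri "$Imds/meta-data/iam/info" -Headers $Hdr -TimeoutSec 3
    Write-Output "Instance profile: $($Info.InstanceProfileArn)"
} catch {
    Write-Output "No instance profile attached to this instance ($($_.Exception.Message))."
    Write-Output "Compare the IAM instance profile setting of the launch template with the working instance."
    return
}

# Step 3: the credentials document served for the role should report Code = Success.
$Role  = Invoke-RestMethod -Uri "$Imds/meta-data/iam/security-credentials/" -Headers $Hdr -TimeoutSec 3
$Creds = Invoke-RestMethod -Uri "$Imds/meta-data/iam/security-credentials/$Role" -Headers $Hdr -TimeoutSec 3
Write-Output "Role: $Role  Code: $($Creds.Code)  Expires: $($Creds.Expiration)"

# Step 4: confirm the CLI picks up the same identity (this is what "aws s3 sync" will use).
aws sts get-caller-identity --output text
```

If step 2 fails, the role was never attached at launch, whatever the subnet; if steps 2 and 3 succeed but step 4 fails, the problem is on the CLI side (profile or environment configuration on the instance).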