Regression in 1.13.21: cannot assume role using EC2 instance metadata

Hi, we just started running into issues assuming roles in Jenkins, where the principal credentials come from EC2 instance metadata. This appears to be a regression in 1.13.21.

Here’s a reproduction, running in an EC2 instance with permission to assume the role specified in the aws-config file.

$ docker run -it --rm python:3.7.5-alpine3.10 sh
/ # cat > aws-config
[profile role-to-assume]
role_arn = arn:aws:iam::...:role/...
credential_source = Ec2InstanceMetadata

/ # pip install awscli
...
Successfully installed PyYAML-5.1.2 awscli-1.16.285 botocore-1.13.21 colorama-0.4.1 docutils-0.15.2 jmespath-0.9.4 pyasn1-0.4.8 python-dateutil-2.8.0 rsa-3.4.2 s3transfer-0.2.1 six-1.13.0 urllib3-1.25.7

/ # AWS_PROFILE=role-to-assume AWS_CONFIG_FILE=aws-config aws sts get-caller-identity

Error when retrieving credentials from Ec2InstanceMetadata: No credentials found in credential_source referenced in profile role-to-assume

/ # pip install botocore==1.13.20
...
ERROR: awscli 1.16.285 has requirement botocore==1.13.21, but you'll have botocore 1.13.20 which is incompatible.
Installing collected packages: botocore
  Found existing installation: botocore 1.13.21
    Uninstalling botocore-1.13.21:
      Successfully uninstalled botocore-1.13.21
Successfully installed botocore-1.13.20

/ # AWS_PROFILE=role-to-assume AWS_CONFIG_FILE=aws-config aws sts get-caller-identity
{
    "UserId": "...",
    "Account": "...",
    "Arn": "arn:aws:sts::...:assumed-role/.../botocore-session-1574199910"
}

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 25
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

joguSD commented, Nov 20, 2019 (5 reactions)

Thanks for bringing this to our attention. We’ll be reverting this ASAP and cutting an additional release today.

joguSD commented, Nov 20, 2019 (4 reactions)

Botocore v1.13.22 has been released and reverts to the previous behavior fixing the regression. We are still working on a proper fix to support the new IMDS behavior.
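
An added example, not part of the issue thread or of botocore's own code: a small audit that flags a build image where the release reported as regressed (1.13.21) is installed alongside a profile that assumes a role with credential_source = Ec2InstanceMetadata. The function names, the sample config (with a made-up account ID and role name) and the sample pip freeze output are constructed for illustration.

```python
import configparser
import re

AFFECTED = (1, 13, 21)  # botocore release the issue reports as regressed
FIXED = "1.13.22"       # release the maintainers say reverts the change


def botocore_version(freeze_text):
    """Return the botocore version pinned in `pip freeze` output as a tuple, or None."""
    m = re.search(r"^botocore==(\d+)\.(\d+)\.(\d+)[ \t]*$", freeze_text, re.MULTILINE)
    return tuple(int(p) for p in m.groups()) if m else None


def imds_role_profiles(config_text):
    """List profiles that assume a role using instance-metadata credentials."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    hits = []
    for section in parser.sections():
        source = parser.get(section, "credential_source", fallback="").strip()
        if parser.has_option(section, "role_arn") and source == "Ec2InstanceMetadata":
            prefix = "profile "
            hits.append(section[len(prefix):] if section.startswith(prefix) else section)
    return hits


def audit(config_text, freeze_text):
    """Return one finding per profile that the regressed release would break."""
    if botocore_version(freeze_text) != AFFECTED:
        return []
    return [
        f"profile {name!r}: botocore 1.13.21 cannot load Ec2InstanceMetadata "
        f"credentials for assume-role; upgrade to {FIXED} or later"
        for name in imds_role_profiles(config_text)
    ]


# Constructed sample inputs modelled on the reproduction in the issue.
SAMPLE_CONFIG = """\
[profile role-to-assume]
role_arn = arn:aws:iam::111111111111:role/example-role
credential_source = Ec2InstanceMetadata

[profile static]
region = us-east-1
"""
SAMPLE_FREEZE = "awscli==1.16.285\nbotocore==1.13.21\nurllib3==1.25.7\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_FREEZE):
        print(finding)
```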
