When running on EC2 not picking up credentials

[nitrocode]

context

I noticed that from a previous issue and subsequent pull request that this feature should be supported. I'm using the following yaml but it's not working as expected.

I'm on Amazon Linux 2 self-hosted EC2 instances.

I tried this

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1

which returns Error: Input required and not supplied: aws-region

I tried this

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-2

which returns

Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

references

• @jwoltman's issue Optional AWS_ACCESS_KEY_ID and AWS_SECRET_ACCES_KEY when relying on IAM Roles #33
• @clareliguori 's PR feat: don't require access key credentials for self-hosted runners #42

similar issues in other projects

• Login doesn't support using EC2 instance credentials with ECR login docker/login-action#64
• Log into registry in another account in different region under a self-hosted environment amazon-ecr-login#174

[AmaniEzz]

I'm facing the same problem, have you found solutions?

[nitrocode]

@AmaniEzz @paragbhingre it looks like my issue was with setting the following input variables.

    env:
      AWS_EC2_METADATA_DISABLED: true
      AWS_SDK_LOAD_CONFIG: true

My originaly issue was with using docker/build-push-action which would throw errors because it couldn't read from the IAM role so I experiemented with running this action prior to the docker one and I ran into the same issue. I ended up not needing this action once I omitted the above env variables.

I have not re-tested the aws-actions/configure-aws-credentials after omitting the above env variables.

[AmaniEzz]

I didn't clearly understand how did you omitted the env variables? Are they hidden somewhere or are they default? Sorry i'm new to this. Appreciate your help

…

On Mon, 16 Aug 2021 at 1:48 AM nitrocode ***@***.***> wrote: @AmaniEzz <https://github.com/AmaniEzz> @paragbhingre <https://github.com/paragbhingre> it looks like my issue was with setting the following input variables. env: AWS_EC2_METADATA_DISABLED: true AWS_SDK_LOAD_CONFIG: true My originaly issue was with using docker/build-push-action <https://github.com/docker/build-push-action> which would throw errors because it couldn't read from the IAM role so I experiemented with running this action prior to the docker one and I ran into the same issue. I ended up not needing this action once I omitted the above env variables. I have not re-tested the aws-actions/configure-aws-credentials after omitting the above env variables. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#245 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AI6CJUQLQGVCDWINFH5WPC3T5A73BANCNFSM5BPWSY3Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> .

[rogerscuall]

Any update regarding this issue? I'm having the same problem. I tried multiple values for the envar listed here with no luck.
In my case, the runner is on an EC2 instance with a profile with the required permissions.

[peterwoodworth]

I'll try to investigate this at some point in the next week

[kellertk]

Hi there! You're getting this error because the JavaScript SDK is unable to load credentials from any of the credential providers. One of the first things the action does it attempt to get the SDK to refresh the running credentials with a call to loadCredentails. If that throws an exception, you'll see the error above.

Could not load credentials from any providers is a standard error message from the JavaScript SDK (this action uses version 2). The credential provider load order is documented here: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html. Depending on your runner's environment, this could be coming from a couple of things, but if you're running in EC2 and trying to use an IAM role, you do need to have the metadata service enabled (which is number 6 in the above documented precedence order).

There are some environment variables that control the behavior of the JS SDK, one of which is AWS_EC2_METADATA_DISABLED - if that env variable is set to a truthy value, the SDK will not communicate with the IMDS and will not be able to run under IAM role credentials.

Of course, if you're trying to do some other method of authentication other than IAM roles on your runner, you'll need to make sure that's working on your runner with the JS SDK as well. One easy way is to use a simple "hello world" app written against the JavaScript v2 SDK and run that on your runner: https://docs.aws.amazon.com/code-samples/latest/catalog/javascript-nodegetstarted-sample.js.html. If that works, you know the SDK should be able to authenticate.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[dsagroads]

I get the same error

│ Error: configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 19, in provider "aws":
│   19: provider "aws" {```