When I try to use the AWS Command Line Interface (AWS CLI) to access my Amazon Simple Storage Service (Amazon S3) bucket, I get an error.
Resolution
An "Unable to locate credentials" error means that the AWS service that you interact with, such as Amazon S3, can't find the credentials to authenticate AWS API calls. To resolve this issue, make sure that your AWS credentials are correctly configured in the AWS CLI.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To check if the AWS CLI is configured with credentials, run the following command:
$ aws configure list
If your credentials are configured in the config file or credential file, then the command returns a response similar to the following:
Name         Value                  Type          Location
----         -----                  ----          --------
profile      <not set>              None          None
access_key   ****************ABCD   config_file   ~/.aws/config
secret_key   ****************ABCD   config_file   ~/.aws/config
region       us-west-2              env           AWS_DEFAULT_REGION
If your credentials are configured with environment variables, then the command returns a response similar to the following:
Name         Value                  Type   Location
----         -----                  ----   --------
profile      <not set>              None   None
access_key   ****************N36N   env
secret_key   ****************cxxy   env
region       <not set>              None   None
If your credentials are configured in an instance profile, then the command returns a response similar to the following:
Name         Value                  Type       Location
----         -----                  ----       --------
profile      <not set>              None       None
access_key   ****************YVEQ   iam-role
secret_key   ****************2a9N   iam-role
region       <not set>              None       None
If there are no credentials set, then the command returns the following output:
Name         Value       Type   Location
----         -----       ----   --------
profile      <not set>   None   None
access_key   <not set>   None   None
secret_key   <not set>   None   None
region       <not set>   None   None
Review the response to check whether credentials are missing or the stored credentials are incorrect.
An instance profile might be attached to your Amazon EC2 instance, but the instance still can't load credentials because of AssumeRole issues in the configured trust policy. For more information, see Retrieve instance metadata.
If the command returns the following output when you retrieve instance metadata, then the AssumeRole in the trust policy is restricted:
{
  "Code" : "AssumeRoleUnauthorizedAccess",
  "Message" : "EC2 cannot assume the role EXAMPLEROLE. Please see documentation at https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_iam-ec2.html#troubleshoot_iam-ec2_errors-info-doc.",
  "LastUpdated" : "2024-04-03T09:49:40Z"
}
Review the response to check whether credentials are missing, the IAM trust policy is not properly configured, or the stored credentials are incorrect. For more information, see IAM roles for Amazon EC2.
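The checks above can be scripted. The following is an added example, not AWS code: the function names (cred_source, imds_role_code, diagnose), the verdict strings, and the sample inputs are assumptions made for illustration. It reads the access_key and secret_key rows of the `aws configure list` output and the "Code" field of the instance metadata response to decide which fix applies.

```shell
#!/usr/bin/env bash
# Added example (not AWS code): classify the output of `aws configure list`
# and the instance metadata role response shown on this page.

# Reads `aws configure list` text on stdin; prints the credential source.
cred_source() {
  awk '
    $1 == "access_key" || $1 == "secret_key" {
      seen++
      if ($2 == "<not") missing++        # Value column reads "<not set>"
      else if (src == "") src = $3       # Type column, e.g. env or iam-role
    }
    END {
      if (seen < 2)          print "unknown"   # rows absent: not CLI output
      else if (missing == 2) print "missing"
      else if (missing == 1) print "partial"   # defensive: only one key set
      else                   print src
    }'
}

# Reads the metadata JSON on stdin; prints the value of its "Code" field.
imds_role_code() {
  sed -n 's/.*"Code"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# $1 = configure-list text, $2 = metadata JSON (may be empty).
diagnose() {
  src=$(printf '%s\n' "$1" | cred_source)
  code=$(printf '%s\n' "$2" | imds_role_code)
  case "$src:$code" in
    missing:AssumeRoleUnauthorizedAccess) echo "fix-trust-policy" ;;
    missing:*|unknown:*)                  echo "configure-credentials" ;;
    partial:*)                            echo "incomplete-key-pair" ;;
    *)                                    echo "credentials-from-$src" ;;
  esac
}

# Constructed sample inputs, modelled on the outputs on this page.
SAMPLE_NONE='profile <not set> None None
access_key <not set> None None
secret_key <not set> None None
region <not set> None None'
SAMPLE_ROLE='access_key ****************YVEQ iam-role
secret_key ****************2a9N iam-role'
SAMPLE_IMDS_ERR='{ "Code" : "AssumeRoleUnauthorizedAccess",
  "Message" : "EC2 cannot assume the role EXAMPLEROLE." }'

diagnose "$SAMPLE_NONE" "$SAMPLE_IMDS_ERR"   # fix-trust-policy
diagnose "$SAMPLE_ROLE" ""                   # credentials-from-iam-role
```

On a host with the AWS CLI installed, pass "$(aws configure list)" as the first argument and the JSON that you retrieved from instance metadata as the second.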