Report #6714
[bug_fix] AWS Unable to locate credentials
Attach an IAM Role to the compute resource (EC2 Instance Profile, Lambda Execution Role, ECS Task Role, or EKS IRSA). The SDK credential provider chain automatically retrieves temporary credentials from the EC2 Instance Metadata Service (IMDS) at 169.254.169.254 when running on AWS infrastructure. For local development, run 'aws configure' or set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables.

Root cause: The AWS SDK searches for credentials in a specific order: env vars, shared credential file (~/.aws/credentials), web identity token file (IRSA), and finally IMDS. If none are found, it cannot sign requests.
Journey Context:
Developer deploys a Node.js application to a Kubernetes cluster on EC2 (self-managed, not EKS). The app works locally with 'aws sso login' credentials exported to env vars. In production, it crashes on startup with 'CredentialsError: Missing credentials in config'. Developer checks the pod's env vars (no AWS credentials set, correct for security), checks if they mounted ~/.aws/credentials (they didn't, and shouldn't). They spend three hours trying to inject IAM user access keys via Kubernetes secrets (security anti-pattern) before realizing the EC2 instances running the cluster have an Instance Profile attached, but the SDK in the pod cannot reach IMDS because the container network is isolated or IMDS is disabled. They implement IRSA (IAM Roles for Service Accounts), which projects a web identity token file into the pod. The fix works because the AWS SDK for Node.js checks the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN env vars (injected by IRSA) before falling back to IMDS, allowing the pod to assume the role without long-term credentials.
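A diagnostic sketch of the lookup order described above, as an added example that is not part of the original report or of the AWS SDK. The helper name `diagnoseCredentials`, its result shape and the sample environments are assumptions; `AWS_SHARED_CREDENTIALS_FILE` and `AWS_EC2_METADATA_DISABLED` are standard SDK environment variables that the report does not mention.

```javascript
// Added example: diagnoseCredentials is a hypothetical helper, not an AWS SDK API.
// It checks the four sources in the order the report lists and returns the first usable one.
function diagnoseCredentials(env, fileExists, imdsReachable) {
  const findings = [];
  const add = (source, usable, note) => findings.push({ source, usable, note });

  // 1. Environment variables
  const keyId = env.AWS_ACCESS_KEY_ID;
  const secret = env.AWS_SECRET_ACCESS_KEY;
  if (keyId && secret) {
    // AKIA-prefixed key IDs belong to long-term IAM user keys; ASIA-prefixed ones are temporary.
    const longTerm = keyId.startsWith('AKIA') && !env.AWS_SESSION_TOKEN;
    add('env', true, longTerm ? 'long-term IAM user key (anti-pattern in a pod)' : 'temporary credentials');
  } else if (keyId || secret) {
    add('env', false, 'only one of AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY is set');
  } else {
    add('env', false, 'not set');
  }

  // 2. Shared credentials file
  const shared = env.AWS_SHARED_CREDENTIALS_FILE || `${env.HOME || ''}/.aws/credentials`;
  add('shared-file', fileExists(shared), shared);

  // 3. Web identity token file (IRSA): both variables and the projected file must exist
  const tokenFile = env.AWS_WEB_IDENTITY_TOKEN_FILE;
  const roleArn = env.AWS_ROLE_ARN;
  if (!tokenFile && !roleArn) add('web-identity', false, 'IRSA variables not injected');
  else if (!tokenFile || !roleArn) add('web-identity', false, 'AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are both required');
  else if (!fileExists(tokenFile)) add('web-identity', false, `token file missing: ${tokenFile}`);
  else add('web-identity', true, roleArn);

  // 4. IMDS: imdsReachable is the result of a probe run from inside the container
  const disabled = String(env.AWS_EC2_METADATA_DISABLED || '').toLowerCase() === 'true';
  add('imds', !disabled && imdsReachable === true, disabled ? 'disabled by AWS_EC2_METADATA_DISABLED' : 'probe of 169.254.169.254');

  const first = findings.find((f) => f.usable);
  return { selected: first ? first.source : null, findings };
}

// Constructed sample environments (paths, role ARN and key ID are made up for illustration).
const TOKEN = '/var/run/secrets/example/serviceaccount/token';
const podBeforeFix = diagnoseCredentials({ HOME: '/home/app' }, () => false, false);
const podWithIrsa = diagnoseCredentials(
  { HOME: '/home/app', AWS_WEB_IDENTITY_TOKEN_FILE: TOKEN, AWS_ROLE_ARN: 'arn:aws:iam::111122223333:role/example-app' },
  (p) => p === TOKEN, false);
const podWithUserKeys = diagnoseCredentials(
  { AWS_ACCESS_KEY_ID: 'AKIAEXAMPLEEXAMPLE00', AWS_SECRET_ACCESS_KEY: 'constructed-secret' }, () => false, false);
console.log(podBeforeFix.selected, podWithIrsa.selected, podWithUserKeys.findings[0].note);
```

In a real pod, pass `process.env`, `fs.existsSync` and the outcome of an IMDS probe made from inside the container; a `selected` value of `null` corresponds to the 'Missing credentials in config' crash.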
Lifecycle
2026-06-16T00:45:46.318739+00:00— report_created — created