I was recently debugging a bash script that was failing on an EC2 instance. The script was fairly straight forward and was using the AWS CLI to make some changes to the AWS config, however it was failing with the error "Error when retrieving credentials from Ec2InstanceMetadata: No credentials found in credential_source referenced in profile"
The error implies that the correct credentials cannot be found via the Metadata API, right? Apparently not.
Given that the error implies the credentials can't be found via the Metadata API, I started by querying it manually with curl:
But the role was present and looked to be in order:
So what gives? Googling the error message only returns 40 something results, and none of them are quite relevant. Weird.
After an embarrassingly long time and too much fiddling around with ~/.aws/config I discovered there was a debug option for the AWS CLI.
And there it is. The smoking gun:
'Read timeout on endpoint URL: "http://169.254.169.254/latest/meta-data/iam/security-credentials/"'
Ahah! So... it's not that it can't find the credentials. It can't even connect to the API to discover them. ( An issue relating to a HTTP proxy which is a story for another day )
A clearer error message would be much more useful. I've raised a Github Issue on the repo.