node.js - [Node JS AWS SDK]Missing credentials on Upload to S3 assuming IAM Role

Question

I'm trying to upload some files on a S3 bucket, it works with the hardcoded credentials but I wanted to push the security a little bit further by using IAM Roles instead.

Here's what I did :

• Create an IAM Role enabling full access to a specific S3 bucket
• Added the role to the EC2 instane running my app
• Made a call with AWS SDK not specifying credentials (Assuming the role)
• Had an error

Here's the code I used for the S3 interactions

const AWS = require('aws-sdk');
const s3 = new AWS.S3();

const options = {
                    Bucket: BUCKET_NAME,
                    Key: /my/key/
                    Body: mybody,
                    ContentType: somecontent,
                    ACL: 'public-read'
                };

return s3.upload(options, (err, data) => {
    if (err) {
        return reject(err);
    }
    //code continue
});

And here's what i've got :

CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

So I tried to use config files at ~/.aws/config and ~/.aws/credentials (I also set AWS_SDK_LOAD_CONFIG to one in my .bashrc file and set the config file paths).

.aws/config :

[default]
region=myregion
role_arn=myrolearn

Also tried with the credentials in the file so that at least it wont appear in the code itself.

Am I missing something?

Thanks in advance

question from:https://stackoverflow.com/questions/65938302/node-js-aws-sdkmissing-credentials-on-upload-to-s3-assuming-iam-role

Answer 1

Your steps were fine on the first look & it's completely right that your application will take over the security credentials from the EC2 instances metadata. You should not have to configure anything besides.

So to start, here are some debug suggestions:

• are you sure that you attached your role properly? Try to check the assumed role via the AWS-CLI when you're connected via SSH with aws sts get-caller-identity.
• was your S3 bucket created in the same region as your running EC2?
• is AWS_SDK_LOAD_CONFIG really exported as true? Try logging it out in your app via process.env.AWS_SDK_LOAD_CONFIG.

Edit: can you try editing your ~/.aws/config with:

[default]
credential_source=Ec2InstanceMetadata