Instance Profile IAM role does not work #85

Open
RulerOf opened this issue Sep 24, 2021 · 3 comments

@RulerOf

RulerOf commented Sep 24, 2021

Hi.

I have configured an IAM role with S3 Read Only and attached it to the instance. I run aws s3 ls and it shows me all my S3 buckets.

But when I run the GPU updater, it always prompts for access keys, and errors out because they're blank.

I suspect the scripts are assuming I will supply access keys before checking the AWS SDK locally to see if it's functional, and then attempting to invoke the SDK with blank strings for credentials. IME this is extremely common ("Local dev" doesn't have an "automatic credentials" mode like instance profiles do), so I thought I'd report it.

The rest of the automation is pretty slick. Thanks for this release.

@jamesstringerparsec
Member

This is the first time I have known anyone to set this up. Is there any way to know that you have set it up this way from an AWS PowerShell function from inside the instance?

@RulerOf
Author

RulerOf commented Sep 24, 2021

@jamesstringerparsec I'm not precisely sure how to do it in posh. But the logic works like this:

  • Run aws sts get-caller-identity
  • If that command was successful, don't configure the AWS SDK (or prompt for an override if desired, but you get the idea).

Some very quick testing suggests this would work:

if (!(Get-STSCallerIdentity)) {
    Write-Output "Prompt for AWS SDK Configuration inside of this block"
} 
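
The check described in this comment, written out as an added example (not part of the original thread and not the GPU updater's own code). It assumes the AWS Tools for PowerShell are installed; `Get-ImdsValue` is a hypothetical helper name, and the instance metadata (IMDSv2) paths are the standard EC2 ones.

```powershell
# Added example: only prompt for access keys when no working credentials exist.

function Get-ImdsValue {
    # Hypothetical helper: reads one EC2 instance metadata path via IMDSv2.
    # Returns $null when not on EC2, IMDS is disabled, or the path does not exist.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $token = Invoke-RestMethod -Method Put -TimeoutSec 2 `
            -Uri 'http://169.254.169.254/latest/api/token' `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
        Invoke-RestMethod -TimeoutSec 2 `
            -Uri "http://169.254.169.254/latest/meta-data/$Path" `
            -Headers @{ 'X-aws-ec2-metadata-token' = $token }
    } catch {
        $null
    }
}

# The name of the role attached through the instance profile, if any.
$roleName = Get-ImdsValue -Path 'iam/security-credentials/'
if ($roleName) { Write-Output "Instance profile role detected: $roleName" }

# Use the instance's own region so the STS call does not depend on a configured default.
$stsArgs = @{ ErrorAction = 'Stop' }
$region = Get-ImdsValue -Path 'placement/region'
if ($region) { $stsArgs.Region = $region }

try {
    # Succeeds whenever the SDK's default credential chain already works
    # (instance profile, environment variables, or a stored profile).
    $identity = Get-STSCallerIdentity @stsArgs
    Write-Output "Using existing AWS identity $($identity.Arn); skipping key prompt."
} catch {
    # Fall back to access keys, and refuse blank input instead of passing it to the SDK.
    $accessKey = Read-Host 'AWS access key ID'
    $secretKey = Read-Host 'AWS secret access key' -AsSecureString
    if ([string]::IsNullOrWhiteSpace($accessKey) -or $secretKey.Length -eq 0) {
        throw 'No instance profile credentials found and no access keys supplied.'
    }
    $plainSecret = [System.Net.NetworkCredential]::new('', $secretKey).Password
    Set-AWSCredential -AccessKey $accessKey -SecretKey $plainSecret
}
```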

@maxpastor

This is the first time I have known anyone to set this up. Is there any way to know that you have set it up this way from an AWS PowerShell function from inside the instance?

Using an instance profile or role would be the right way to do it. We (AWS) do not recommend the use of IAM user credentials except when absolutely necessary. And for this use-case specifically, nothing forces the use of keys, as the goal is to configure an EC2 instance.

Also, would be cool to provide the recommended IAM policy, it's a simple one, but it would make sure that the people using your script without the required AWS knowledge and best practices in mind, would not create a monster.
