问题
I use an example from here in order to retreive a secret from AWS SecretsManager in c# code.
I have set credentials locally via AWS CLI, and I am able to retreive secret list using AWS CLI command "aws secretsmanager list-secrets".
But c# console app fails with an error:
> Unhandled exception. System.AggregateException: One or more errors occurred. (Unable to get IAM security credentials from EC2 Instance Metadata Service.)
---> Amazon.Runtime.AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service.
at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.FetchCredentials()
at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentials()
at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentialsAsync()
at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T](IExecutionContext executionContext)
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at AWSConsoleApp2.GetSecretValueFirst.GetSecret() in D:\Work\Projects\Training\AWSConsoleApp2\AWSConsoleApp2\GetSecretValueFirst.cs:line 53
at AWSConsoleApp2.Program.Main(String[] args) in D:\Work\Projects\Training\AWSConsoleApp2\AWSConsoleApp2\Program.cs:line 11
When I change original constructor call
IAmazonSecretsManager client = new AmazonSecretsManagerClient();
with adding inherited parameter of type AWSCredentials
IAmazonSecretsManager client = new AmazonSecretsManagerClient(new StoredProfileAWSCredentials());
it works fine.
Class StoredProfileAWSCredentials is obsolete but it works to use it. I use libraries that work without errors on the other machines and I cannot change them.
I use credentials for user that belongs to Administrators group and has full access to SecretsMnager. Region has set properly in c# code, profile is default.
Any ideas? Thanks for advance
回答1:
I had the same issue, here is how I fixed it on my development environment
- I created an AWS profile using the AWS extension for Visual studio
- Once the profile is set up the credentials are passed using the profile and it worked fine for me
Point to note here, the user profile accessing the key manager should have a valid security group assigned for the Secrets manager.
Try it out let me know, how it went.
回答2:
Same issue and resolved by deleting $HOME/.aws/config and credentials files and recreating with AWS CLI.
In my case I was switching laptops from Windows to a new MBP. I had setup my new environment by copying the .aws directory files and confirmed that AWS CLI worked correctly. Confusingly the dotnet SDK failed with same errors.
回答3:
The question is not exactly my problem, but it's the first hit on google so I figured I'd chip in just in case.
I got the exact above error when issuing
dotnet lambda list-layers
It seems like the dotnet cli uses the AWS_PROFILE variable and does not default to AWS_DEFAULT_PROFILE. In my company, the AWS_DEFAULT_PROFILE is mapped to an identity provider, thus I do not manage different access with different profiles and the default profile is empty. As a workaround, run your command like this
AWS_PROFILE=$AWS_DEFAULT_PROFILE dotnet lambda list-layers
This way the CLI will use the correct credentials.
来源:https://stackoverflow.com/questions/60815037/aws-dotnet-sdk-error-unable-to-get-iam-security-credentials-from-ec2-instance-m