Getting AWS CLI working on EC2 Instances Launched with “IAM Roles”

By | June 9, 2015

Using IAM Role Policies, you must specify the Access Key ID, the Secret Access Key, and the Security token.  You can’t enter the token into the command line configuration.  So to make it work:

1.  Get the info you need from


2.  Put them into


Setting AWS_DEFAULT_REGION also might be a good idea.

In the case you are using SDK’s such as php you can also do:

Getting temporary credentials

AWS STS has several operations that return temporary credentials, but the GetSessionToken operation is the simplest for demonstration purposes. Assuming you have an instance of Aws\Sts\StsClient stored in the $stsClient variable, this is how you call it:

$result = $stsClient->getSessionToken();

The result for GetSessionToken and the other AWS STS operations always contains a 'Credentials' value. If you print the result (e.g.,print_r($result)), it looks like the following:

    [Credentials] => Array
        [SessionToken] => '<base64 encoded session token value>'
        [SecretAccessKey] => '<temporary secret access key value>'
        [Expiration] => 2013-11-01T01:57:52Z
        [AccessKeyId] => '<temporary access key value>'

Providing temporary credentials to the SDK

You can use temporary credentials with another AWS client by instantiating the client and passing in the values received from AWS STS directly.

use Aws\S3\S3Client;

$result = $stsClient->getSessionToken();

$s3Client = S3Client::factory(array(
    'credentials' => array(
        'key'    => $result['Credentials']['AccessKeyId'],
        'secret' => $result['Credentials']['SecretAccessKey'],
        'token'  => $result['Credentials']['SessionToken']

You can also construct a Credentials object and use that when instantiating the client.

use Aws\Common\Credentials\Credentials;
use Aws\S3\S3Client;

$result = $stsClient->getSessionToken();

$credentials = new Credentials(

$s3Client = S3Client::factory(array('credentials' => $credentials));

However, the best way to provide temporary credentials is to use the createCredentials() helper method included with the StsClient. This method extracts the data from an AWS STS result and creates the Credentials object for you.

$result = $stsClient->getSessionToken();
$credentials = $stsClient->createCredentials($result);

$s3Client = S3Client::factory(array('credentials' => $credentials));

You can also use the same technique when setting credentials on an existing client object.

$credentials = $stsClient->createCredentials($stsClient->getSessionToken());

For more information about why you might need to use temporary credentials in your application or project, see Scenarios for Granting Temporary Access in the AWS STS documentation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.