AWS SDK for PHP: Error retrieving credentials from the instance profile metadata server

I am trying to send SNS messeges to android through web api. Downloaded and installed the SDK from http://aws.amazon.com/developers/getting-started/php/

Got following error while running sample.php:

Fatal error: Uncaught exception 'Aws\Common\Exception\InstanceProfileCredentialsException' with message 'Error retrieving credentials from the instance profile metadata server. When you are not running inside of Amazon EC2, you must provide your AWS access key ID and secret access key in the "key" and "secret" options when creating a client or provide an instantiated Aws\Common\Credentials\CredentialsInterface object. ([curl] 28: Connection timed out after 5016 milliseconds [url] http://169.254.169.254/latest/meta-data/iam/security-credentials/)' in C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\InstanceMetadata\InstanceMetadataClient.php:85 Stack trace: #0 C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\Credentials\RefreshableInstanceProfileCredentials.php(52): Aws\Common\InstanceMetadata\InstanceMetadataClient->getInstanceProfileCredentials() #1 C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\Credentials\AbstractRefreshableCredentials.php(54): Aws\Common\Credentials\Refreshable in C:\xampp\htdocs\aws-php\vendor\aws\aws-sdk-php\src\Aws\Common\InstanceMetadata\InstanceMetadataClient.php on line 85

A little guidance on this topic will help me a lot

92623 次浏览
小开

You have to place the .aws/credentials file with your configuration in the home directory of the web service *usually /var/www) not in the home directory of the logged in user.

You can find what home directory you web service is using by running echo getenv('HOME'); in a php file on your server.

小开

In my case, I was using

return DynamoDbClient::factory(array(
'version' => 'latest',
'region'  => AWS_REGION,
'key' => AWS_KEY,
'secret'  => AWS_SECRET
));

which used to be ok with aws/aws-sdk-php version 2.8.5 , but when composer automatically installed version 3.2.0, I got the error above. The problem is simply that I should've changed the way I made the call to

return DynamoDbClient::factory(array(
'version' => 'latest',
'region'  => AWS_REGION,
'credentials' => array(
'key' => AWS_KEY,
'secret'  => AWS_SECRET,
)
));

as documented here. Without changing the call, the apache php was falling back to looking for the ~/.aws/credentials file using the HOME environment variable, which was empty. You can check its value by running php -r 'var_dump(getenv("HOME"));'.

This is a related post

小开

I was trying to use a credentials file and got the same error, this guy on github pretty much nailed it:

The credentials file should be in ini format but not have a .ini extension. It should have a 'default' section defined with your key and secret:

$ less ~/.aws/credentials


[default]
aws_access_key_id = key
aws_secret_access_key = secret

If you specified other section name instead of default, just add a profile key to the S3Client parameters:

[example]
aws_access_key_id = key
aws_secret_access_key = secret


$s3Client = new \Aws\S3\S3Client([
'version' => '2006-03-01',
'region' => $yourPreferredRegion,
'profile' => 'example',
]);

Using a credentials file or environment variables is the recommended way of providing credentials on your own server

And @Anti 's answer also helped me alot!

If you prefer the hard coded way, just follow @shadi 's answer.

小开

Here are the steps:

  1. Type cd ~ By this you will go into the home directory.
  2. mkdir .aws
  3. sudo vi .aws/credentials

  4. Write following lines and save the file.

    [default]
aws_access_key_id = Your AWS Access Key


aws_secret_access_key = Your AWS Secret Access Key
小开

In my case I had to use hard-coded credentials

$s3Client = new S3Client([
'region' => REGION,
'version' => '2006-03-01',
'credentials' => [
'key'    => S3_KEY,
'secret' => S3_SECRETE,
],
]);

See more details here:

小开

You can try these lines:

$credentials = new Aws\Credentials\Credentials('key' , 'secret-key');

$s3 = new S3Client(['version' => 'latest','region' => 'ap-south-1','credentials'=>$credentials]);

小开

If it is laravel and aws/aws-sdk-php-laravel sdk then after configuring all step and defining key in .env file you have to drop config cache and rebuild it by following commands.

php artisan config:cache;
composer dump-autoload;
小开

This might be because the config file hasn't been published.

Be sure to publish the config file:

php artisan vendor:publish  --provider="Aws\Laravel\AwsServiceProvider"

To test this is the issue, just clear the config.

php artisan config:clear

If it works with the cache cleared, then this will be the issue.

小开

assuming that the server is located on AWS EC2 (probably the same for ECS and elastic beanstalk) the "correct" way to handle this issue is not to store credentials at all.

instead, do this:

  1. create an IAM role (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)
  2. add relevant permissions to the role policy (in this case, send SNS msg)
  3. assign the role to the EC2 instance (instance settings => Attach/Replace IAM Role)

this way you don't leave any sensitive data in your code.


提交答案