PHP SDK无法在附加了IAM角色的EC2实例上获取AWS凭证

Question

Simple question. But cannot get it to work.

I created an IAM Role for EC2 with full access to CloudWatch. I launched a new EC2 instance with this IAM Role attached. I wrote a simple PHP application on this EC2 instance which tries to publish metrics to CloudWatch.

I am getting this error in nginx logs:

2017/08/23 11:44:06 [error] 32142#32142: *5 FastCGI sent in stderr:
"PHP message: PHP Fatal error:
Uncaught Aws\Exception\CredentialsException:
Cannot read credentials from /var/www/.aws/credentials
in /var/www/app/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:394

From that same EC2 instance, the command:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-attached-to-ec2-instance>

returns 200 OK with the Access Key and Secret in the response.

This is my PHP code that tries to write CloudWatch metrics:

<?php

require 'vendor/autoload.php';
use Aws\CloudWatch\CloudWatchClient;
use Aws\Exception\AwsException;

$count = $_GET["count"];
publishMetric($count);

function publishMetric($count) {
    $client = new CloudWatchClient([
            'profile' => 'default',
            'region' => 'us-east-1',
            'version' => '2010-08-01'
    ]);
    try {
            $result = $client->putMetricData(array(
                'Namespace' => 'com.mynamespace',
                'MetricData' => array(
                        array(
                            'MetricName' => 'Count',
                            //Timestamp : mixed type: string (date format)|int (unix timestamp)|\DateTime
                            'Timestamp' => time(),
                            'Value' => $count,
                            'Unit' => 'Number'
                    )
                )
            ));
            var_dump($result);

            echo 'Done publishing metrics';
    } catch (AwsException $e) {
            // output error message if fails
            error_log($e->getMessage());

            echo 'Failure to publish metrics';
    }

}


?>

Any idea what is missing in this setup?

Answer 1

Authentication of EC2 instance while accessing other AWS Services can be done in multiple ways:

1. Assigning a role to EC2 instance. Used when u have to give some "EC2 instance" a permission.
2. Do not assign a role; but use access-key which has all required permissions. Used when you give permission to a "User"

Both these are independent authentication mechanism. If you have already assigned role to your server; you do not have to write any code in your application (CredentialProvider.php) to authenticate.

Your current code can also be worked by creating a file /var/www/.aws/credentials which will look something like this:

accessKey=AKIAIB6FA52IMGLREIIB
secretKey=NQjJWKT+WZOUOrQ2Pr/WcRey3PnQFaGMJ8nRoaVU

Answer 2

I know this is late. I had the same issue and resolved it by removing profile => default line while initializing the client. If you do not provide credentials and profile, SDK will try to retrieve instance profile creds from metadata server.