I use an example from here in order to retreive a secret from AWS SecretsManager in C# code.

I have set credentials locally via AWS CLI, and I am able to retreive secret list using AWS CLI command aws secretsmanager list-secrets.

But C# console app fails with an error:

> Unhandled exception. System.AggregateException: One or more errors occurred. (Unable to get IAM security credentials from EC2 Instance Metadata Service.)
 ---> Amazon.Runtime.AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service.
   at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.FetchCredentials()
   at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentials()
   at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentialsAsync()
   at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
   at Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T](IExecutionContext executionContext)
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at AWSConsoleApp2.GetSecretValueFirst.GetSecret() in D:\Work\Projects\Training\AWSConsoleApp2\AWSConsoleApp2\GetSecretValueFirst.cs:line 53
   at AWSConsoleApp2.Program.Main(String[] args) in D:\Work\Projects\Training\AWSConsoleApp2\AWSConsoleApp2\Program.cs:line 11

When I change original constructor call

IAmazonSecretsManager client = new AmazonSecretsManagerClient();

to use the constructor overload with added parameter of type AWSCredentials

IAmazonSecretsManager client = new AmazonSecretsManagerClient(new StoredProfileAWSCredentials());

it works fine.

Class StoredProfileAWSCredentials is obsolete but it works to use it. I use libraries that work without errors on the other machines and I cannot change them.

I use credentials for user that belongs to Administrators group and has full access to SecretsManager. Region has set properly in C# code, profile is default.

Any ideas? Thanks for advance

I had the same issue, and here is how I fixed it in my development environment

1. I created an AWS profile using the AWS Explorer extension for Visual Studio. This is also called the AWS Toolkit for Visual Studio.
2. Once the profile is set up the credentials are passed in using the profile.

Please note that the profile accessing the AWS Secrets Manager secret must have the proper authorization to do so. This AWS documentation will help get you in the right direction.

I've run into this issue a number of times, but have not been able to resolve it using the above solutions.

What has worked for me is explicitly setting my AWS profile using the AWS_PROFILE environment variable and setting it to the profile I want to use.

Today I ran into this issue again, where even that didn't work. What eventually solved it was setting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

I dread the day where I run out of alternative ways to supply credentials to AWS.

Since AWS SDK credentials configuration is causing a lot of headache, I'll throw in some context. First of all, if you are using dotnet core, use the AWSSDK.Extensions.NETCore.Setup package (https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-netcore.html), which will respect your appsettings.json.

{
  "AWS": {
    "Region": "eu-west-1",
    "Profile": "theprofileyouwantouse"
  }
}

csproj:

  <ItemGroup>
    <PackageReference Include="AWSSDK.Extensions.NETCore.Setup" Version="3.7.1" />
    <PackageReference Include="AWSSDK.SecurityToken" Version="3.7.1.71" />
  </ItemGroup>

Example:

var config = host.Services.GetService<IConfiguration>();
var options = config.GetAWSOptions();
using var client = options.CreateServiceClient<IAmazonSecurityTokenService>();
var result = await client.GetCallerIdentityAsync(new Amazon.SecurityToken.Model.GetCallerIdentityRequest { });

This will try to pick up encrypted credentials in ~/AppData/Local/AWSToolkit and secondly based on your shared config file (~/.aws/config). As of november 2021, it does not utilize aws_access_key_id, aws_secret_access_key, aws_session_token in the version 1 shared credentials file (~/.aws/credentials)*

Next, if the roles you are assuming are AWS SSO, you need the following packages in your csproj file:

    <PackageReference Include="AWSSDK.SSO" Version="3.7.0.94" />
    <PackageReference Include="AWSSDK.SSOOIDC" Version="3.7.0.94" />

*If you happen to have invertedly added your credentials to your shared credentials file (~/.aws/credentials) as [profile myprofile] instead of just [myprofile] the SDK will not behave as you expected, so delete that. If your credentials file is fine, then you don't have to touch it, but keep in mind that the SDK will noe use the cached credentials if any found in that file.

Now, the author does not use the AWSSDK.Extensions.NETCore.Setup package, which means that we are getting a slightly different credentials resolving path. Most importantly: appsettings.json is not respected, this means you must specify the profile you want to use differently, for example by using the AWS_PROFILE environment variable.

Secondly, we are landing directly in the FallbackCredentialsFactory.cs which does this when resolving credentials:

            CredentialsGenerators = new List<CredentialsGenerator>
            {
#if BCL
                () => new AppConfigAWSCredentials(),            // Test explicit keys/profile name first.
#endif
                () => AssumeRoleWithWebIdentityCredentials.FromEnvironmentVariables(),
                // Attempt to load the default profile.  It could be Basic, Session, AssumeRole, or SAML.
                () => GetAWSCredentials(credentialProfileChain),
                () => new EnvironmentVariablesAWSCredentials(), // Look for credentials set in environment vars.
                () => ECSEC2CredentialsWrapper(proxy),      // either get ECS credentials or instance profile credentials
            };

Now the last step in resolving credentials "ECSEC2" has a fallback which returns this:

DefaultInstanceProfileAWSCredentials.Instance

Which leads us to the error which the author sees.

Summary:

1. If you are not using AWSSDK.Extensions.NETCore.Setup, specify the profile using an ENV-variable in launch.json or launchSettings.json if you are going to use the default constructor like the author
2. Rember to add the AWS SSO packages if needed

I had the same issue, and here is how I fixed it in my development environment

1. I created an AWS profile using the AWS Explorer extension for Visual Studio. This is also called the AWS Toolkit for Visual Studio.
2. Once the profile is set up the credentials are passed in using the profile.

Please note that the profile accessing the AWS Secrets Manager secret must have the proper authorization to do so. This AWS documentation will help get you in the right direction.

I had the same issue, and resolved it by changing the name of the AWS profile in Visual Studio to default.

If anyone is using docker-compose and getting this error, I added this to my docker-compose.override.yml file and it was able to read my credentials

volumes:
  - ~/.aws/:/root/.aws:ro

Same issue and resolved by deleting $HOME/.aws/config and credentials files and recreating with AWS CLI.

In my case I was switching laptops from Windows to a new MBP. I had setup my new environment by copying the .aws directory files and confirmed that AWS CLI worked correctly. Confusingly the dotnet SDK failed with same errors.

Run the following command and follow the prompt using the data provided by AWS:

aws configure

Just add env variables in control panel AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The actual value of either is not important. I have set them both to a space (' '). Don't know why it works but it works. It does seem to take longer to log in. It seems that instead of going to the buggy flow, the SDK tries to use the env vars, fails and about after 30 seconds or so logs in as required.

Tested it on two different Win10 PCs with no AWS CLI installed or any AWS profile configured. The issue was recreated 100% and the described w/a fixed it.

Posting this here as it is at least the 2nd time I've caused the error via a self-inflicted misconfiguration.

VS 2022
AWS Toolkit 1.38.0.0

None of the existing answers worked, but they did point to a few configuration issues. One or more of these configuration settings did/could cause the error:

AWS Toolkit Explorer

When using the AWS Toolkit Explorer to define the profile, make sure the correct profile is selected.

Personally, I no longer define a default profile. I use named profiles for all credentials. This is especially useful when dealing with multiple profiles (I have at least 10+).

Environmental Variables

I've found the most consistent way to run an AWS process locally (or as a service) is to set the AWS_PROFILE Environmental Variable. Example:

Environment.SetEnvironmentVariable( "AWS_PROFILE", "<profle_name>", EnvironmentVariableTarget.Process );

In this particular case, I used an old profile name that had been changed. In other words, if you're using an Environmental Variable to set the AWS_PROFILE, make sure the profile name is correct.

When using the Environmental Variable approach, do not set an Environmental Variable for AWS_REGION. The AWS_PROFILE defines the region when the profile is correctly defined.

Other Thoughts...

When configured correctly, there should be no need for any other AWS environmental variable. Not even empty variables for:

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN

Need to add the AWS access key and secret key in the visual studio extension, same as in the image.

The question is not exactly my problem, but it's the first hit on google so I figured I'd chip in just in case.

I got the exact above error when issuing

dotnet lambda list-layers

It seems like the dotnet cli uses the AWS_PROFILE variable and does not default to AWS_DEFAULT_PROFILE. In my company, the AWS_DEFAULT_PROFILE is mapped to an identity provider, thus I do not manage different access with different profiles and the default profile is empty. As a workaround, run your command like this

AWS_PROFILE=$AWS_DEFAULT_PROFILE dotnet lambda list-layers

This way the CLI will use the correct credentials.

make sure you have the latest version of EC2config installed https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/UsingConfig_Install.html

Thanks

I was deploying to a dot net core web application to an on prem server over IIS and had the same exact issue. No matter what I did the application would not recognize my credentials configured via AWS CLI (aws configure).

I ended up setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with my keys via the Windows environment variables and restarting the server.

The following article was very helpful in understanding the AWS SDK credential loading Client Factory https://www.stevejgordon.co.uk/credential-loading-and-the-aws-sdk-for-dotnet-deep-dive

I had the same issue and it turned out to be because I had AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN uppercased in my credentials file. Changing the keys to lowercase solved it for me.

In my case the config and credentials files were set up correctly in C:/Users//.aws folder so they should have been found by default. However, on a previous project I had set up different credentials (no longer valid) in C:/Users//AppData/Local/AWSToolkit referred to in AWS documentation as the AWS SDK Store. The SDK store is always checked first and then falls back to the default user credentials file. See the following: https://aws.amazon.com/blogs/developer/referencing-credentials-using-profiles/. The simplest solution in my case was simply to delete the files in the AWSToolkit folder. As an alternative I could have set up the SDK Store correctly.

In the project defaults.json, verify the profile value. in my case it was empty "profile": "". After setting the profile name, was able to publish

I had the same issue:

Amazon.Runtime.AmazonServiceException: 'Unable to get IAM security credentials from EC2 Instance Metadata Service.'

I was working with Dot Net Core Microservice, I got this error.

Solution - I removed the AWS credentials path which was mentioned in all the different setting files like appsettings.Debug.json and appsettings.Development.json.

This AWS credentials path should only be mentioned in the appsettings.json file. Remove it from all other files.

Set the AWS default profile on the machine using the command prompt.

aws configure --profile "default"

AWS Access Key ID and AWS Secret Access Key - You have already noted these details after the user is created

Default region name - You have to use the same region name where your DynamoDB table is created.

Default output format - Leave it blank

(This is working in my case)

Otherwise, try to set the IAM role to the EC2 instance. This will resolve your error.

For me what it was solving was adding the profile directly from AWS SDK like:

I had the same problem in .NET core 5 with AWS and I solved it by :

what I had :

I had config and credentials files in C:\Users\.aws.

In StartUp.cs after initialized AWS options I added:

#if Debuge
   options.Profile="default";
   options.ProfileLocations="C:\\Users\\.aws\\credentials";
#endif

If none of the other answers work for you and you're attempting to use SSO, make sure you're using at a minimum the .NET Framework 4.5 assemblies. The 3.5 assemblies have some logic compiled out of them that support SSO.

The error this question is citing is what happens whenever all of the main credential locations in the search order fail to find credentials for whatever reason; EC2 instance metadata is the last place that is searched (and will fail if you're not on an EC2 instance).

I think this Exception is from new AmazonDynamoDBClient() constructor where it couldn't find security credentials.

One way to fix this problem is by leveraging AWSSDK.Extensions.NETCore.Setup and AWSSDK.SecurityToken nuget packages.

When you register DynamoDB, instead of doing

.AddSingleton<IAmazonDynamoDB, AmazonDynamoDBClient>()

with the packages, you can now do

.AddDefaultAWSOptions(webApplicationBuilder.Configuration.GetAWSOptions())
.AddAWSService<IAmazonDynamoDB>()

If you have an authenticated profile in your .aws/credentials file and you have added the profile in appsettings.json like

"AWS": {
  "Profile": "yourProfile"
}

It should fix this error.

"I've created an MVC Core web app using .NET, implementing AWS Cognito user pool authentication and a custom UI. When running the application, I faced an exception. To address this, I downloaded the AWS CLI, modified my AWS credentials via the command line, and successfully resolved the issue."

1. `aws configure`
2.    'AWS Access Key ID [None]: YOUR_ACCESS_KEY'
      'AWS Secret Access Key [None]: YOUR_SECRET_KEY'
      'Default region name [None]: us-east-1'
      'Default output format [None]: json'
3.`aws configure list`

I've been stuck on this while debugging a Lambda function using the Mock Lambda Test Tool (installed with the AWS Toolkit for Visual Studio), and getting the same error from an AmazonS3Client. My ~/.aws/credentials file's [default] profile was definitely correct and working, just being ignored by this particular lambda project despite trying many of the solutions posted here.

And then I noticed this line in the autogenerated aws-lambda-tools-defaults.json file, which sets parameters for the Lambda test tool:

  "profile": "SAMLProfile1",

Changing "SAMLProfile1" to "default" resolved the error, for obvious reasons.

Unfortunately, the code I was using to investigate these credentials was explicitly loading the default profile, which made it look like everything should be fine, but then AWS SDK clients would throw the AmazonServiceException because they were using the non-existent SAMLProfile1 profile instead.

I wanted to add my exchange with AWS Support to this item. It was very thorough, and echoed a lot of the suggestions here.

My request ---------------------------------

AWS Toolkit for .NET debug error

I'm using SSO. I authenticate and grant access. I can write a Lambda and deploy it. My Lambda is trying to write to my SQS queue. When I test in Visual Studio 2022, I get this error: Amazon.Runtime.AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service.

Relevant c# code:

using Amazon.SQS;
using Amazon.SQS.Model;
AmazonSQSClient _sqsClient = new AmazonSQSClient();
string _sqsUrl = "https://sqs.us-east-1.amazonaws.com/102531666286/Email-queue";
SendMessageResponse responseSendMsg = await 

// Here is the line of code that throws the exception:
_sqsClient.SendMessageAsync(_sqsUrl, messageBody);

I see in my .AWS\sso\cache folder a json file with my accessToken.

In my AWS Explorer in Visual Studio, I have selected my account, and the explorer shows me all the Lambdas that exist.

Full exception:

Amazon.Runtime.AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service. at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.FetchCredentials() at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentials() at Amazon.Runtime.DefaultInstanceProfileAWSCredentials.GetCredentialsAsync() at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T](IExecutionContext executionContext) Function ARN: arn:aws:lambda:us-east-1:102531666286:function:EmailManager

Their response ---------------------------------

Thank you for contacting Amazon Web Services. My name is Abhilash and I will be assisting you on this case.

I understand that you get a credentials error when testing your C# lambda locally in Visual Studio 2022.

1. 'Amazon.Runtime.AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service'

• This error indicates that the code in question was not able to get AWS credentials needed to make AWS calls.

2. The code is being tested on your local device presumably. As such, why do we see the attempt to read EC2 Instance Metadata and its associated credentials?

• By default, AWS SDKs look for credentials in certain specific locations in a certain order. For our .NET SDK, this order is specified here[1]. As we can see, credentials are searched for in app configuration, AWS_PROFILE environment variable, [default] credentials profile, other environment variables like AWS_ACCESS_KEY_ID etc, IAM roles for ECS and finally, EC2 Instance Metadata.
• Error related to EC2 Metadata means that the AWS SDK app was unable to find valid AWS credentials in default locations specified above.

3. The credentials are set correctly as per your tests. And also, lambda deploys work. If so, why does this code test itself fail?

• Normally, for your AWS Toolkit operations, you may have configured specific SSO profiles to use and as such, AWS Explorer and lambda deploys work. However, for the code snippet in question, AmazonSQSClient() was used in SQS clients. As per our documentation[2], as the constructor has no credentials argument, it will try to pick the same from default locations stated in 2.
• As such, the code will look for 'default' profile credentials. Assuming your SSO setup does not use the same, it won't be able to identify the credentials location.
• When the same code runs in lambda though, it uses default credentials provided by lambda based on execution role and as such, no specific credentials configuration is needed. But for local tests, we would need one in case of non default SSO profiles.

4. How can we add the credentials config for your code?

• Generally speaking, AWS profile details can be mentioned in App.config or Web.config of your .NET project[3]. However, for loading SSO credentials programmatically, please refer to these links[4][5] which provide a sample code reference on how to load SSO credentials. Here, CredentialProfileStoreChain[6] & TryGetAWSCredentials() is used to load SSO profile credentials in code and the loadSSOProfile function returns credentials object which can be used in AWS clients. Do refer to sample code in [5] for details and try out any of the options to specify credentials profile in your code.
• I would highly recommend testing any changes mentioned here in a dev/test environment before applying the same to your production environment.
• A very important point to note is that should you change your code to use specific SSO profiles, this changed code would only be applicable for local runs. For lambda deployments, keep using the current version which reads credentials from default locations as lambda would need the same.
• If you need to ensure that your code without any explicit credentials fetch works locally too (same as lambda), you would need to configure your SSO in your default profile locally. Or else, you can set up your SSO profile in AWS_PROFILE environment variable[7] in your local system. Please note that both of these changes will impact all AWS calls running on your local system.

Next Steps:

a. You noted lambda deploys work. If so, does your current code work on lambda itself even though it fails locally? If yes, it would confirm our assumption on SSO credentials location. b. Do use any of the steps noted above to ensure your app can find SSO profile credentials. Do test the same in a non production environment.

Considering the environment specific nature of the issue, we could go on a call/screenshare session in order to expedite the issue resolution here. My shift timings are 2:30-10:30 AM UTC, Tue-Sat. Should you choose to schedule a call, please get back with your contact number(with country code) and preferred time slots (in UTC).

Alternatively, you could always initiate a call/chat from the case 24x7 without scheduling in order to get immediate live support or if our time zones differ.

Looking forward to hearing from you soon.

Reference

[1] https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html [2] https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/SQS/TSQSClient.html [3] https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-ref.html#net-dg-config-ref-elements-ref [4] https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/sso.html#sso-generate-use-token-overview [5] https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/sso-tutorial-app-only.html#sso-tutorial-app-only-code [6] https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfileStoreChain.html [7] AWS_PROFILE environment variable

If you're on a Mac, this is how I fixed it.

1. Download and install AWS CLI
2. Install aws config
3. Fill in your credentials in the terminal.

You can get your credentials by logging into AWS and clicking on your account in the top right hand corner, then click Security credentials and click Create Access Key.

I know this question has a lot of answers, but I don't see this one exactly...

I had a credentials AND a config file in my /.aws/ folder. The config file was setup correctly, however I was still receiving this error. My solution was to remove the credentials file completely from my /.aws/ folder. Hopefully this helps someone!

setting the profile name "default" (all lowercase) works for me