DEV Community

Moray Macdonald

Using AWS IAM roles with Node SDKv3

Recently I was upgrading our Node backend and decided to upgrade our S3 helpers from AWS SDKv2 to SDKv3. Apart from splitting the SDK into individual dependencies for each component (very nice), it also makes some pretty major changes around how requests are made.

Once I got my head around creating command objects and sending them to the client instead of just calling the appropriate method, the migration was fairly smooth and worked well with the test credentials on my dev machine. Unfortunately, as soon as I started to roll out the changes onto our staging environment, my logs started filling up with familiar "Could not load credentials from any providers" errors. Normally this is a sign to any AWS veterans that you've forgotten to give your EC2 instance the right IAM role, but in this case all the instances had the right role, and the role still had the correct permissions.

After a bit of digging, I came across this forum post which contained the answer. In SDKv3, the credential provider that comes with the individual service packages has been made much stricter and can only read credentials from certain places. This means that the new S3Client can't read credentials inserted into your EC2 instance from its IAM role via the Instance Metadata Service (IMDS).

If you are getting credentials based on your instance's IAM role (and if not, why not?) you need to specify the credential provider explicitly from the credential-provider-node package. So for example, if you need to access S3 resources, you need to do this:

```javascript
import { S3Client } from '@aws-sdk/client-s3';
import { defaultProvider } from '@aws-sdk/credential-provider-node';

const s3 = new S3Client({
  region: 'eu-west-2',
  credentials: defaultProvider(),
});
```

Other clients for other services also have the credentials option. Now you should be able to access your services as you expect!
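The default provider chain checks environment variables and shared config files before it reaches instance metadata, so static keys left on a host take precedence over the instance role without any error. The following is an added example, not code from the original post or the AWS SDK: the helper names (`describeCredentials`, `assertRoleCredentials`, `roleOnly`) are hypothetical and the sample credentials are constructed. It wraps a provider so the client only accepts temporary role credentials.

```javascript
// Added example; helper names are hypothetical, not part of the AWS SDK.
// Credentials issued for an IAM role are temporary: they carry a session
// token and their access key ID starts with "ASIA". Long-lived IAM user
// keys start with "AKIA" and have no session token.
function describeCredentials(creds) {
  const id = String(creds.accessKeyId || '');
  return {
    temporary: Boolean(creds.sessionToken) && id.startsWith('ASIA'),
    keyPrefix: id.slice(0, 4), // never log the full key ID or the secret
    hasSessionToken: Boolean(creds.sessionToken),
    expiresAt: creds.expiration ? creds.expiration.toISOString() : null,
  };
}

// Throws unless the resolved credentials look like role credentials.
function assertRoleCredentials(creds) {
  const info = describeCredentials(creds);
  if (!info.temporary) {
    throw new Error(
      `not temporary role credentials (key prefix "${info.keyPrefix}", ` +
      `session token present: ${info.hasSessionToken})`
    );
  }
  return info;
}

// Wrap any credential provider so static keys are rejected at request time.
function roleOnly(provider) {
  return async (...args) => {
    const creds = await provider(...args);
    assertRoleCredentials(creds);
    return creds;
  };
}

// Usage with the client from the post:
//   new S3Client({ region: 'eu-west-2', credentials: roleOnly(defaultProvider()) });

// Constructed sample values for illustration only.
const SAMPLE_ROLE_CREDS = {
  accessKeyId: 'ASIAEXAMPLEEXAMPLE00',
  secretAccessKey: 'constructed-secret',
  sessionToken: 'constructed-session-token',
  expiration: new Date('2030-01-01T00:00:00Z'),
};
const SAMPLE_STATIC_CREDS = {
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'constructed-secret',
};
```

Logging the object returned by `assertRoleCredentials` at startup records which kind of credentials the service is running with, without exposing the key or secret.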
