AWS SDK for PHP: Error Retrieving Credentials from the Instance Profile Metadata Server

Error retrieving credentials from the instance profile metadata server with credentials defined in .aws folder

You probably need to move the .aws folder to the home folder of the service (apache) and not your home folder. The AWS SDK can't find it and you receive this error. However, it isn't a good idea to use aws configure inside an EC2 instance.

The http://169.254.169.254/latest/meta-data/ is the meta-data URL only available from inside an EC2 instance. For services running in EC2 (or other AWS compute service) you SHOULD NOT use AWS credentials to access services. Instead, you should create an IAM role and assign it to the instance. From the console, you can do that with the Actions button:

Modify IAM Role

Only assign required permissions to the role (S3 read/write).

Your code ($s3 = new Aws\S3\S3Client) will try to load the default credentials. It will first try to call the meta-data service and get temporary credentials that correspond to the IAM role permissions.

AWS v3 + PHP: Error retrieving credentials from the instance profile metadata server

Think you have some whitespace in the 'credentials' key in your array.

'credentials ' => array('key'=>KEY,
'secret'=>SECRET)

should be

'credentials' => array('key'=>KEY,
'secret'=>SECRET)

Edit: Try updating your credentials to use Aws' credential object

$credentials = new Aws\Credentials\Credentials(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY);
$config = array(
    'bucket' => BUCKET,
    'region' => 'eu-west-3',
    'version' => 'latest',
    // key must be exactly 'credentials', with no trailing whitespace
    'credentials' => $credentials
);

Error retrieving credentials from the instance profile metadata server

The error you are getting is a clue:

fopen(http://169.254.169.254/latest/meta-data/iam/security-credentials/):
failed to open stream: Connection timed out

The library is attempting to access the security credentials metadata, but is getting a timeout.

Can you confirm that that URL can be opened from inside the instance? This code should be on a working AWS instance of course, and the metadata URLs should be accessible.

There may be some issue causing that URL to be blocked. Firewall? Security Groups?

Error retrieving credentials from the instance profile metadata server error in AWS SDK

I am not familiar with Cognito, but the error you're seeing is that your code is attempting to access the Instance Metadata available in EC2. The AWS PHP SDK has a specific order in which it attempts to locate credentials. Here is an outline of different credential methods using the PHP SDK.

So, I suspect it works on your local machine because you have an IAM profile configured using the AWS CLI aws configure command.

It most likely works on your staging server because that server has an IAM Role attached to the EC2 instance. The PHP doesn't find a locally configured IAM profile, so it then skips to attempting to access the EC2 metadata, which it does successfully, so it gets authenticated.

Now, when you deploy to Heroku, it is no longer on an EC2 instance, or in your local environment. So, your CredentialProvider fails. My suggestion would be to utilize Config Vars in Heroku, then change your code to use CredentialProvider::env() as outlined here. You would need to create an IAM user with the same role as your EC2 instance that works (or enough permissions to do what you need to do). This would allow your application to securely access Cognito from an environment external to AWS.
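A diagnostic for the credential lookup the answers above describe, added here as an example and not part of any original answer: it reports, for the PHP process that actually serves the application, whether environment variables, the shared credentials file under that process's HOME, or an instance role from the metadata service are visible. The function names are illustrative, and it prints only the role name, never the keys.

```php
<?php
// Added diagnostic (not from the original answers). Serve it through the same
// web server / PHP-FPM pool as the failing app so it sees that user's HOME.

/** Probe the EC2 metadata service; return the attached role name or null. */
function probeImds(float $timeout = 1.0): ?string
{
    $base = 'http://169.254.169.254/latest';
    // IMDSv2 needs a session token; if the PUT fails we still try IMDSv1.
    $tokenCtx = stream_context_create(['http' => [
        'method'  => 'PUT',
        'header'  => "X-aws-ec2-metadata-token-ttl-seconds: 60\r\n",
        'timeout' => $timeout,
    ]]);
    $token  = @file_get_contents("$base/api/token", false, $tokenCtx);
    $header = $token ? "X-aws-ec2-metadata-token: $token\r\n" : '';
    $ctx    = stream_context_create(['http' => ['header' => $header, 'timeout' => $timeout]]);
    $role   = @file_get_contents("$base/meta-data/iam/security-credentials/", false, $ctx);
    // false = timeout, blocked, or no role attached (404); the keys are never fetched.
    return ($role === false || trim($role) === '') ? null : trim($role);
}

/** Report which credential sources this process can see ($probe is injectable). */
function credentialSources(array $env, callable $probe): array
{
    $home = $env['HOME'] ?? '';
    $file = $home . '/.aws/credentials';
    $user = function_exists('posix_geteuid')
        ? (posix_getpwuid(posix_geteuid())['name'] ?? 'unknown')
        : 'unknown';
    return [
        'process_user'  => $user,
        'home'          => $home === '' ? '(HOME not set)' : $home,
        'env_keys'      => !empty($env['AWS_ACCESS_KEY_ID']) && !empty($env['AWS_SECRET_ACCESS_KEY']),
        'shared_file'   => $home !== '' && is_readable($file),
        'instance_role' => $probe(),
    ];
}

header('Content-Type: text/plain');
echo json_encode(credentialSources(getenv(), 'probeImds'), JSON_PRETTY_PRINT), "\n";
```

If env_keys and shared_file are false and instance_role is null, the process has no credential source to load, which is the situation the error on this page reports. Remove the script from the web root once the check is done.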

AWS Error retrieving credentials from the instance profile metadata server

The meta-data of instance-profile credentials is under

http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance

If that is failing it might be an issue with the hypervisor/droplet that your server has been spun up on. This endpoint will give you the last time credentials were refreshed.

'http://169.254.169.254/latest/meta-data/identity-credentials/ec2/info'

If other servers with identical AMIs and availability zones aren't having an issue, I would log a support ticket, terminate and move on.


