Problem: Unable to Load AWS Credentials

Problem

When you try to access AWS resources like S3, SQS or Redshift, the operation fails with the error:

com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [BasicAWSCredentialsProvider: Access key or secret key is null, com.amazonaws.auth.InstanceProfileCredentialsProvider@a590007a: The requested metadata is not found at https://<ip-address>/latest/meta-data/iam/security-credentials/]

Cause

  • Scenario 1: To access AWS resources such as S3, SQS, or Redshift, the access permissions have to be provided either through an IAM role or through AWS credentials. If these credentials are not provided, then the above error can occur.

  • Scenario 2: The IAM role is provided while launching the cluster, but due to some misconfiguration, the role is not attached correctly. To debug this, run the following command from a notebook that is attached to the cluster:

    %sh
    curl https://<ip-address>/latest/meta-data/iam/security-credentials/<role_name>
    

    You should get a result like this:

    "Code" : "AssumeRoleUnauthorizedAccess",
    "Message" : "EC2 cannot assume the role <role_name>. Please see documentation at https://docs.amazonwebservices.com/IAM/latest/UserGuide/RolesTroubleshooting.html.",
    "LastUpdated" : "2019-05-03T15:36:26Z"
    

Solution

Attach the correct IAM role to the cluster. The trust relationship of the IAM role should have the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}