I am developing a web application using PHP. I am storing the user credentials on the AWS Cognito service. I am logging in the user to Cognito using the PHP SDK.
I developed the feature successfully. I tested it locally on my machine, it was working. Then I deployed it onto the staging server, it was working on the staging server as well. But when I deployed it on to the live server, it gave me this error:
(1/1) CredentialsException
Error retrieving credentials from the instance profile metadata server. (cURL error 7: Failed to connect to 169.254.169.254 port 80: Connection refused (see http://curl.haxx.se/libcurl/c/libcurl-errors.html))
This is my code:

    // Requires: use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
    try {
        // No 'credentials' key is set, so the SDK uses its default provider chain.
        $client = new CognitoIdentityProviderClient([
            'version' => 'latest',
            'region' => 'eu-west-2' // env('AWS_REGION', '')
        ]);
        $result = $client->adminInitiateAuth([
            'AuthFlow' => 'ADMIN_NO_SRP_AUTH',
            'ClientId' => COGNITO_APP_CLIENT_ID,
            'UserPoolId' => COGNITO_USER_POOL_ID,
            'AuthParameters' => [
                'USERNAME' => $request->email,
                'PASSWORD' => $request->password,
            ],
        ]);
        $auth_result = $result->get('AuthenticationResult');
        $cognito_access_token = $auth_result['AccessToken'];
        if (!empty($cognito_access_token)) {
            // register the user
            $reg_user = $this->accRepo->register($request);
            if ($reg_user) {
                Auth::login($reg_user);
                $token = $reg_user->createToken($this->tokenTag)->accessToken;
                unset($reg_user->password);
                return response()->json([ 'success' => true, 'access_token' => $token, 'account' => $reg_user ], SUCCESS_RESPONSE_CODE);
            }
        }
    } catch (Exception $e) {
    }

I am using the exact same code, settings and credentials on the live server as on the local machine and the staging server. But it does not work on the live server. It works in the other environments. What might be the error? I am deploying it on Heroku.
I am not familiar with Cognito, but the error you're seeing is that your code is attempting to access the Instance Metadata available in EC2. The AWS PHP SDK has a specific order in which it attempts to locate credentials. Here is an outline of different credential methods using the PHP SDK.
So, I suspect it works on your local machine because you have an IAM profile configured using the AWS CLI aws configure command.
It most likely works on your staging server because that server has an IAM Role attached to the EC2 instance. The PHP doesn't find a locally configured IAM profile, so it then skips to attempting to access the EC2 metadata, which it does successfully, so it gets authenticated.
Now, when you deploy to Heroku, it is no longer on an EC2 instance, or in your local environment. So, your CredentialProvider fails. My suggestion would be to utilize Config Vars in Heroku, then change your code to use CredentialProvider::env() as outlined here. You would need to create an IAM user with the same role as your EC2 instance that works (or enough permissions to do what you need to do). This would allow your application to securely access Cognito from an environment external to AWS.
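One way to wire up the CredentialProvider::env() suggestion above, as an added example that is not part of the original question or answer. It assumes the SDK is installed via Composer and that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set as Heroku Config Vars; makeCognitoClient is a hypothetical helper name.

```php
<?php
// Added example, not code from the original post. Assumes aws/aws-sdk-php is
// installed via Composer and that AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
// are set as Heroku Config Vars for a dedicated IAM user.
require __DIR__ . '/vendor/autoload.php';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\Credentials\CredentialProvider;
use Aws\Exception\CredentialsException;

/**
 * Hypothetical helper: build a Cognito client that reads credentials only
 * from environment variables, so the SDK never falls through to the
 * instance metadata endpoint (169.254.169.254) on a non-EC2 host.
 */
function makeCognitoClient(string $region): CognitoIdentityProviderClient
{
    // env() reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, if present,
    // AWS_SESSION_TOKEN. memoize() caches the resolved credentials.
    $provider = CredentialProvider::memoize(CredentialProvider::env());

    try {
        // Resolve once at startup: a missing Config Var fails here with a
        // clear message instead of on the first login request.
        $provider()->wait();
    } catch (CredentialsException $e) {
        throw new RuntimeException(
            'AWS credentials are not set in the environment; ' .
            'add AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as Config Vars.',
            0,
            $e
        );
    }

    return new CognitoIdentityProviderClient([
        'version'     => 'latest',
        'region'      => $region,
        'credentials' => $provider,
    ]);
}

$client = makeCognitoClient('eu-west-2');
```

The IAM user behind these keys only needs the actions the application calls, which for the code in the question is cognito-idp:AdminInitiateAuth on the one user pool.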