Error retrieving credentials from the instance profile metadata service

[devendra-gohil-plenar]

I am using Laravel 6 with PHP 7.2 on CentOS 7 Apache server.

On amazon console, I have created a new IAM User with KMS permssions. Then logged in as IAM user and created a new SYMMETRIC Customer managed key using KMS.

I've installed the package in my Laravel project using

composer require stechstudio/laravel-env-security

Also have set composer.json with

"scripts": {
        "post-install-cmd": [
            "php artisan env:decrypt"
        ]

and have set .env keys

ENV_DRIVER=kms
AWS_KMS_KEY=[KMS-KEY-ID]

I have created ~.aws/credentials file and there I have placed

[default]
aws_access_key_id = [Access key ID]
aws_secret_access_key = [Secret]

Now, in my Laravel project's root directory, if I run

sudo php artisan env:edit local

Then copining my exising .env file's content to this one and save it using :wq, it returns following error:

In InstanceProfileProvider.php line 240:

Error retrieving credentials from the instance profile metadata service. (cURL error 28: Connection timed out after 1001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html))

I have checked laravel storage logs and find following stacktrace.

[2020-03-20 14:42:02] local.ERROR: Error retrieving credentials from the instance profile metadata service. (cURL error 28: Connection timed out after 1001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) {"exception":"[object] (Aws\\Exception\\CredentialsException(code: 0): Error retrieving credentials from the instance profile metadata service. (cURL error 28: Connection timed out after 1001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) at /var/www/html/myproject/httpdocs/vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php:240)
[stacktrace]
#0 /var/www/html/myproject/httpdocs/vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php(132): Aws\\Credentials\\InstanceProfileProvider->handleRetryableException(Object(GuzzleHttp\\Exception\\ConnectException), Array, 'Error retrievin...')
#1 [internal function]: Aws\\Credentials\\InstanceProfileProvider->Aws\\Credentials\\{closure}()
#2 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Coroutine.php(142): Generator->throw(Object(GuzzleHttp\\Exception\\ConnectException))
#3 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(203): GuzzleHttp\\Promise\\Coroutine->_handleFailure(Object(GuzzleHttp\\Exception\\ConnectException))
#4 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(156): GuzzleHttp\\Promise\\Promise::callHandler(2, Object(GuzzleHttp\\Exception\\ConnectException), Array)
#5 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/TaskQueue.php(47): GuzzleHttp\\Promise\\Promise::GuzzleHttp\\Promise\\{closure}()
#6 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php(118): GuzzleHttp\\Promise\\TaskQueue->run()
#7 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/guzzle/src/Handler/CurlMultiHandler.php(145): GuzzleHttp\\Handler\\CurlMultiHandler->tick()
#8 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(246): GuzzleHttp\\Handler\\CurlMultiHandler->execute(true)
#9 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(223): GuzzleHttp\\Promise\\Promise->invokeWaitFn()
#10 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(267): GuzzleHttp\\Promise\\Promise->waitIfPending()
#11 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(225): GuzzleHttp\\Promise\\Promise->invokeWaitList()
#12 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(62): GuzzleHttp\\Promise\\Promise->waitIfPending()
#13 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Coroutine.php(65): GuzzleHttp\\Promise\\Promise->wait()
#14 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(246): GuzzleHttp\\Promise\\Coroutine->GuzzleHttp\\Promise\\{closure}(true)
#15 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(223): GuzzleHttp\\Promise\\Promise->invokeWaitFn()
#16 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(62): GuzzleHttp\\Promise\\Promise->waitIfPending()
#17 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Coroutine.php(85): GuzzleHttp\\Promise\\Promise->wait(false)
#18 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(273): GuzzleHttp\\Promise\\Coroutine->wait(false)
#19 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(225): GuzzleHttp\\Promise\\Promise->invokeWaitList()
#20 /var/www/html/myproject/httpdocs/vendor/guzzlehttp/promises/src/Promise.php(62): GuzzleHttp\\Promise\\Promise->waitIfPending()
#21 /var/www/html/myproject/httpdocs/vendor/aws/aws-sdk-php/src/AwsClientTrait.php(58): GuzzleHttp\\Promise\\Promise->wait()
#22 /var/www/html/myproject/httpdocs/vendor/aws/aws-sdk-php/src/AwsClientTrait.php(86): Aws\\AwsClient->execute(Object(Aws\\Command))
#23 /var/www/html/myproject/httpdocs/vendor/stechstudio/laravel-env-security/src/Drivers/KmsDriver.php(46): Aws\\AwsClient->__call('encrypt', Array)
#24 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Support/Manager.php(166): STS\\EnvSecurity\\Drivers\\KmsDriver->encrypt('ENV_DRIVER=kms\
...')
#25 /var/www/html/myproject/httpdocs/vendor/stechstudio/laravel-env-security/src/Console/Edit.php(113): Illuminate\\Support\\Manager->__call('encrypt', Array)
#26 /var/www/html/myproject/httpdocs/vendor/stechstudio/laravel-env-security/src/Console/Edit.php(61): STS\\EnvSecurity\\Console\\Edit->saveEnvContents('ENV_DRIVER=kms\
...')
#27 [internal function]: STS\\EnvSecurity\\Console\\Edit->handle()
#28 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Container/BoundMethod.php(32): call_user_func_array(Array, Array)
#29 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Container/Util.php(36): Illuminate\\Container\\BoundMethod::Illuminate\\Container\\{closure}()
#30 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Container/BoundMethod.php(90): Illuminate\\Container\\Util::unwrapIfClosure(Object(Closure))
#31 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Container/BoundMethod.php(34): Illuminate\\Container\\BoundMethod::callBoundMethod(Object(Illuminate\\Foundation\\Application), Array, Object(Closure))
#32 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Container/Container.php(590): Illuminate\\Container\\BoundMethod::call(Object(Illuminate\\Foundation\\Application), Array, Array, NULL)
#33 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Console/Command.php(134): Illuminate\\Container\\Container->call(Array)
#34 /var/www/html/myproject/httpdocs/vendor/symfony/console/Command/Command.php(255): Illuminate\\Console\\Command->execute(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Illuminate\\Console\\OutputStyle))
#35 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Console/Command.php(121): Symfony\\Component\\Console\\Command\\Command->run(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Illuminate\\Console\\OutputStyle))
#36 /var/www/html/myproject/httpdocs/vendor/symfony/console/Application.php(1001): Illuminate\\Console\\Command->run(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Symfony\\Component\\Console\\Output\\ConsoleOutput))
#37 /var/www/html/myproject/httpdocs/vendor/symfony/console/Application.php(271): Symfony\\Component\\Console\\Application->doRunCommand(Object(STS\\EnvSecurity\\Console\\Edit), Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Symfony\\Component\\Console\\Output\\ConsoleOutput))
#38 /var/www/html/myproject/httpdocs/vendor/symfony/console/Application.php(147): Symfony\\Component\\Console\\Application->doRun(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Symfony\\Component\\Console\\Output\\ConsoleOutput))
#39 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Console/Application.php(93): Symfony\\Component\\Console\\Application->run(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Symfony\\Component\\Console\\Output\\ConsoleOutput))
#40 /var/www/html/myproject/httpdocs/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php(131): Illuminate\\Console\\Application->run(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Symfony\\Component\\Console\\Output\\ConsoleOutput))
#41 /var/www/html/myproject/httpdocs/artisan(35): Illuminate\\Foundation\\Console\\Kernel->handle(Object(Symfony\\Component\\Console\\Input\\ArgvInput), Object(Symfony\\Component\\Console\\Output\\ConsoleOutput))
#42 {main}
"} 

Can you please let me know what am I missing?

[bubba-h57]

Breaking down your stack trace:

[2020-03-20 14:42:02] local.ERROR: 

Error retrieving credentials from the instance profile metadata service. (cURL error 28: Connection timed out after 1001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) 

"exception": "[object] (Aws\\Exception\\CredentialsException(code: 0): 

Error retrieving credentials from the instance profile metadata service. 

(cURL error 28: Connection timed out after 1001 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) 

We can see that it is a curl timeout error.

CURLE_OPERATION_TIMEDOUT (28)
Operation timeout. The specified time-out period was reached according to the conditions.

1001 milliseconds is ~ 1 second. So, you are making a request, not getting a response within one second and then curl stops.

The primary cause for this is using the wrong or a non-existent URL. [Verify all your settings.]

The secondary cause for this is a slow/clogged network. [Increase the timeout period.]

Finally, it is possible that you have a firewall or some other network configuration preventing you from reaching the AWS endpoint.

That's my best attempt at troubleshooting from here. :-)

[devendra-gohil-plenar]

It seems that php artisan command is not able to read the AWS credentials (~/.aws/credentials). We have already stored the credentials at my own user home directory /home/[myusername]/.aws/credentials. I am successfully able to run "aws kms encrypt" and "aws kms decrypt" CLI commands to encrypt/decrypt a sample file. Hence, I have proper credentials installed. But when I run the php artisan command then it seems that it cannot access the aws credentials.

Any feedback would be highly appriciated.

[rcadmin]

You are running the artisan command manually, logged in as yourself? Or you are running it via supervisor or cron? If you are running it as yourself, do you have other credentials in your .env file? Those would get used prior to looking in the credentials file.

…

On Wed, Mar 25, 2020 at 10:56 AM devendra-gohil-plenar < ***@***.***> wrote: It seems that php artisan command is not able to read the AWS credentials (~/.aws/credentials). We have already stored the credentials at my own user home directory /home/[myusername]/.aws/credentials. I am successfully able to run "aws kms encrypt" and "aws kms decrypt" CLI commands to encrypt/decrypt a sample file. Hence, I have proper credentials installed. But when I run the php artisan command then it seems that it cannot access the aws credentials. Any feedback would be highly appriciated. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#14 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA2K235LM5OOY2YBID4FETDRJILSJANCNFSM4LQHZONA> .

-- Bubba Hines | Stechstudio http://www.stechstduio.com <http://www.stechstudio.com> V.P. of Solving Big Problems tel: 630.938.7601 | cell: 704.879.1133

[plenartech]

Hello - I am working with Devendra on this issue. To answer your question - we are running the command 'sudo php artisan env:edit local' as myself directly through the terminal and the AWS credentials are stored in my home directory ~/.aws/credentials. The .env file has the parameters 'ENV_DRIVER' and 'AWS_KMS_KEY' defined as per your guide.

We are still getting the same error of Connection Timeout. I think that php artisan command is not able to retrieve the AWS credentials from my home directory? The credentials are working, as we test AWS CLI commands encrypt/decrypt successfully.

Appreciate your help!

[jszobody]

Not sure what to tell you. Sure sounds like some kind of permission issue here, outside the scope of this specific package. If the AWS php sdk isn't picking up your credentials, that has to be resolved for this package to do its job.

Googling "Error retrieving credentials from the instance profile metadata service" turns up a whole lot of results.