AWS
CredentialsNotSupported - Credentials Not Supported
Getting a **CredentialsNotSupported** error means the AWS service doesn't accept the credential type you're using: some operations require specific authentication methods like IAM roles, while others accept access keys. This client-side error (4xx) happens when AWS validates credential types. It is most common when access keys are used for operations that require IAM roles, but it also appears when credential formats are incorrect, services have specific authentication requirements, authentication methods don't match service expectations, or temporary credentials aren't supported for the operation.
# Common Causes
- Identity: Credential type not supported by operation. IAM role required but access keys used. Service Control Policy (SCP) restricts credential types.
- Network: VPC endpoint credential restrictions. API Gateway authentication method mismatch.
- Limits: Wrong authentication method used. Service doesn't accept these credentials. Credential format incorrect for service. Temporary credentials not supported.
# Solutions
- Step 1: Diagnose - Check which credentials are being used: `aws configure list`. Verify credential source (access keys, IAM role, etc.). Check if operation requires specific credential type.
- Step 2: Diagnose - Review service authentication requirements: Check AWS service documentation. Verify if IAM role is required. Check if access keys are supported.
- Step 3: Diagnose - Check if running on EC2/Lambda: If on EC2, use instance profile: `aws sts get-caller-identity`. If on Lambda, use execution role. Verify IAM role is attached.
- Step 4: Fix - Use IAM role for EC2/Lambda: Attach IAM role to EC2 instance. Or use Lambda execution role. Verify role has required permissions: `aws iam get-role --role-name ROLE_NAME`.
- Step 5: Fix - Switch credential type: For EC2 operations, use instance profile. For Lambda, use execution role. For CLI, use access keys: `aws configure set aws_access_key_id KEY_ID`.
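The diagnosis steps above come down to knowing which credential type is actually in use. The following is an added example, not part of the original page: it classifies the type from the caller ARN and the access key ID prefix. `classify_credentials` is a hypothetical helper, and the sample ARNs and key IDs are constructed.

```shell
#!/bin/bash
# Added example: classify the credential type from the caller ARN and the
# access key ID. classify_credentials is a hypothetical helper; all sample
# ARNs and key IDs below are constructed.

# Prints "<principal> <key-lifetime>". The body runs in a subshell so its
# variables do not leak into the caller.
classify_credentials() (
  arn="$1"; key_id="$2"

  # Principal type: resource part of the ARN from `aws sts get-caller-identity`
  case "$arn" in
    arn:*:sts::*:assumed-role/*)   principal="assumed-role" ;;
    arn:*:sts::*:federated-user/*) principal="federated-user" ;;
    arn:*:iam::*:user/*)           principal="iam-user" ;;
    arn:*:iam::*:root)             principal="root" ;;
    *)                             principal="unknown" ;;
  esac

  # Key lifetime: AKIA = long-term access key, ASIA = temporary (STS) key
  case "$key_id" in
    AKIA*) lifetime="long-term" ;;
    ASIA*) lifetime="temporary" ;;
    *)     lifetime="unknown" ;;
  esac

  # Role and federation sessions are always issued temporary keys, so a
  # long-term key ID here means the ARN and the key ID were read from
  # different credential sources.
  case "$principal/$lifetime" in
    assumed-role/long-term|federated-user/long-term) lifetime="mismatch" ;;
  esac

  echo "$principal $lifetime"
)

# Constructed samples; the third is an IAM user session from
# `aws sts get-session-token`: user ARN, but temporary credentials.
while read -r arn key_id; do
  printf '%-58s %s\n' "$arn" "$(classify_credentials "$arn" "$key_id")"
done <<'EOF'
arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc1234 ASIAEXAMPLEEXAMPLE01
arn:aws:iam::123456789012:user/alice AKIAEXAMPLEEXAMPLE02
arn:aws:iam::123456789012:user/alice ASIAEXAMPLEEXAMPLE03
arn:aws:sts::123456789012:assumed-role/AppRole/session AKIAEXAMPLEEXAMPLE04
EOF
```

On a live system, pass the output of `aws sts get-caller-identity --query Arn --output text` together with the key ID from the same credential source.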
</>Code Examples
Check Current Credentials and Source
```bash
#!/bin/bash
# Check which credentials are being used
echo "=== Current Credentials Configuration ==="
aws configure list

# Check credential source (printf is used because plain echo does not expand \n in bash)
printf '\n=== Credential Source ===\n'
echo "Checking if using IAM role (EC2 instance profile)..."
aws sts get-caller-identity --query '[Account,Arn,UserId]' --output table

# Extract role name from ARN
ROLE_ARN=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null)
if [[ ${ROLE_ARN} == *":assumed-role/"* ]]; then
  ROLE_NAME=$(echo "${ROLE_ARN}" | cut -d'/' -f2)
  echo "Using IAM role: ${ROLE_NAME}"
elif [[ ${ROLE_ARN} == *":user/"* ]]; then
  # Match ":user/" exactly so federated-user ARNs are not reported as IAM users
  echo "Using IAM user credentials"
else
  echo "Using other credentials (root, federated user) or the identity lookup failed"
fi

# Check environment variables
printf '\n=== Environment Variables ===\n'
echo "AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-(not set)}"
echo "AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN:+(set)}"
```

Verify IAM Role for EC2 Instance
```bash
#!/bin/bash
# Check if running on EC2 and using instance profile
echo "=== Checking EC2 Instance Profile ==="

IMDS="http://169.254.169.254/latest"

# Request an IMDSv2 session token (needed when the instance requires IMDSv2).
# -f treats HTTP errors as failures; --max-time avoids hanging off EC2.
TOKEN=$(curl -sf --max-time 2 -X PUT "${IMDS}/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 60" 2>/dev/null)

# Get instance metadata
INSTANCE_ID=$(curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: ${TOKEN}" \
  "${IMDS}/meta-data/instance-id" 2>/dev/null)
if [ -n "${INSTANCE_ID}" ]; then
  echo "Running on EC2 instance: ${INSTANCE_ID}"

  # Get IAM role name (the request fails with 404 when no role is attached)
  ROLE_NAME=$(curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: ${TOKEN}" \
    "${IMDS}/meta-data/iam/security-credentials/" 2>/dev/null | head -1)
  if [ -n "${ROLE_NAME}" ]; then
    echo "Instance profile role: ${ROLE_NAME}"

    # Get role details
    printf '\n=== IAM Role Details ===\n'
    aws iam get-role --role-name "${ROLE_NAME}" \
      --query 'Role.[RoleName,Arn,CreateDate]' \
      --output table 2>&1
  else
    echo "✗ No IAM role attached to instance"
    echo "Attach IAM role via EC2 Console or:"
    echo "aws ec2 associate-iam-instance-profile --instance-id ${INSTANCE_ID} --iam-instance-profile Name=PROFILE_NAME"
  fi
else
  echo "Not running on EC2 - using configured credentials"
fi
```

Switch to Appropriate Credential Type
```bash
#!/bin/bash
# For EC2 operations, ensure using instance profile
echo "=== For EC2 Operations ==="
echo "If on EC2, use instance profile (automatic):"
echo "aws ec2 describe-instances"

# For Lambda, use execution role (printf is used because plain echo does not expand \n in bash)
printf '\n=== For Lambda Functions ===\n'
echo "Lambda automatically uses execution role"
echo "Verify role is attached: aws lambda get-function --function-name FUNCTION_NAME --query 'Configuration.Role'"

# For CLI operations, can use access keys
printf '\n=== For CLI Operations ===\n'
echo "Can use access keys:"
echo "aws configure set aws_access_key_id KEY_ID"
echo "aws configure set aws_secret_access_key SECRET_KEY"

# Test credentials
printf '\n=== Testing Credentials ===\n'
aws sts get-caller-identity --output table

# If CredentialsNotSupported, try different method
printf '\n=== If CredentialsNotSupported Error ===\n'
echo "1. For EC2: Ensure instance has IAM role attached"
echo "2. For Lambda: Verify execution role is configured"
echo "3. For CLI: Use access keys or assume role"
echo "4. Check service documentation for required credential type"
```
Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.