So with credentials from the UI it works just fine. It didn't work with the access key and secret that I got for the IAM role.
However, I seem to have worked around this via the following workflow inside the EC2 instance that has the IAM role assigned:
aws iam create-user --user-name juju-bootstrap
aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --user-name juju-bootstrap
ACCESS_KEY=$(aws iam create-access-key --user-name juju-bootstrap)
AWS_ACCESS_KEY_ID=$(echo $ACCESS_KEY | jq -r '.AccessKey.AccessKeyId')
AWS_SECRET_ACCESS_KEY=$(echo $ACCESS_KEY | jq -r '.AccessKey.SecretAccessKey')
REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
CONTROLLER_NAME=aws-$REGION
cat > /home/ubuntu/.aws/credentials <<EOL
[default]
aws_access_key_id = $AWS_ACCESS_KEY_ID
aws_secret_access_key = $AWS_SECRET_ACCESS_KEY
EOL
juju default-region aws $REGION
juju bootstrap aws