Update IAM settings for your Workspace

Cloud9 normally manages IAM credentials dynamically. This isn’t currently compatible with the aws-iam-authenticator plugin, so we will disable it and rely on the IAM role instead.

  • Return to your workspace and click the sprocket, or launch a new tab to open the Preferences tab
  • Turn off AWS managed temporary credentials
  • Close the Preferences tab

  • To ensure temporary credentials aren’t already in place we will also remove any existing credentials file:

    rm -vf ${HOME}/.aws/credentials

  • Configure the AWS CLI with the current region as the default:

    export AWS_REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .region)
    echo "export AWS_REGION=${AWS_REGION}" >> ~/.bash_profile
    aws configure set default.region ${AWS_REGION}
    aws configure get default.region

Validate the IAM role

Use the GetCallerIdentity CLI command to validate that the Cloud9 IDE is using the correct IAM role.

First, get the IAM role name from the AWS CLI.

    # The profile name is the last path component of the instance profile ARN
    INSTANCE_PROFILE_NAME=$(aws ec2 describe-instances --filters "Name=tag:Name,Values=aws-cloud9-${C9_PROJECT}-${C9_PID}" | jq -r '.Reservations[0].Instances[0].IamInstanceProfile.Arn' | awk -F "/" '{print $NF}')
    aws iam get-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" --query "InstanceProfile.Roles[0].RoleName" --output text

The output is the role name.

Compare that with the result of:

    aws sts get-caller-identity

If the Arn contains the role name from above and an Instance ID, you may proceed.

    "Account": "123456789012", 
    "UserId": "AROA1SAMPLEAWSIAMROLE:i-01234567890abcdef", 
    "Arn": "arn:aws:sts::123456789012:assumed-role/modernizer-workshop-cl9/i-01234567890abcdef"


If the Arn contains TeamRole, MasterRole, or does not match the role name, DO NOT PROCEED. Go back and confirm the steps on this page.

    "Account": "123456789012", 
    "UserId": "AROA1SAMPLEAWSIAMROLE:i-01234567890abcdef", 
    "Arn": "arn:aws:sts::123456789012:assumed-role/TeamRole/MasterRole"
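
The Arn comparison above can be scripted so that the check fails closed instead of relying on reading the output by eye. This is an added example, not part of the workshop's own code: `check_caller_arn`, `validate_workspace_role` and the exit codes are hypothetical names and values chosen for illustration.

```shell
# Added example: scripted version of the manual Arn check on this page.
# check_caller_arn ROLE_NAME ARN
#   0 = assumed-role session for ROLE_NAME named after an EC2 instance ID
#   1 = not an assumed-role ARN      2 = Arn contains TeamRole/MasterRole
#   3 = role name does not match     4 = session name is not an instance ID
# The body is a subshell "( )" so its variables do not leak when sourced.
check_caller_arn() (
  role_name=$1
  arn=$2
  case $arn in
    arn:aws*:sts::*:assumed-role/*/*) ;;
    *) echo "STOP: not an assumed-role session: $arn" >&2; exit 1 ;;
  esac
  # Stop conditions named on the page.
  case $arn in
    *TeamRole*|*MasterRole*)
      echo "STOP: Arn contains TeamRole or MasterRole: $arn" >&2; exit 2 ;;
  esac
  rest=${arn#*:assumed-role/}   # "<role>/<session>"
  arn_role=${rest%%/*}
  session=${rest#*/}
  if [ "$arn_role" != "$role_name" ]; then
    echo "STOP: expected role '$role_name', Arn has '$arn_role'" >&2; exit 3
  fi
  # With an instance role the session name is the instance ID (i- plus hex).
  case $session in
    i-|i-*[!0-9a-f]*) ;;        # malformed: falls through to STOP below
    i-*) echo "OK: $arn_role on $session"; exit 0 ;;
  esac
  echo "STOP: session '$session' is not an instance ID" >&2
  exit 4
)

# Live check in the workspace (requires the AWS CLI); pass the role name
# printed by the get-instance-profile step. Not called automatically.
validate_workspace_role() {
  check_caller_arn "$1" "$(aws sts get-caller-identity --query Arn --output text)"
}
```

In the workspace, run `validate_workspace_role <role name>` and continue only when it prints `OK` and returns 0.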