Metadata service credential providers retrieve credentials from EC2 instance metadata service (IMDS) and ECS container metadata service, essential for applications running on AWS compute services.
Retrieves credentials from EC2 instance metadata service for applications running on EC2 instances.
/**
* Creates a credential provider function that reads from the EC2 instance metadata service
* @param init - Optional configuration for the metadata service provider
* @returns Instance metadata credential provider function
*/
function fromInstanceMetadata(init?: RemoteProviderInit & CredentialProviderOptions): AwsCredentialIdentityProvider;Retrieves credentials from ECS container metadata service for applications running in ECS containers.
/**
* Create a credential provider function that reads from ECS container metadata service
* @param init - Optional configuration for the metadata service provider
* @returns Container metadata credential provider function
*/
function fromContainerMetadata(init?: RemoteProviderInit): AwsCredentialIdentityProvider;
interface RemoteProviderInit {
/** Connection timeout in milliseconds for remote requests (default: 1000) */
timeout?: number;
/** Maximum number of HTTP connection retries (default: 0) */
maxRetries?: number;
/** Optional logger instance for debugging */
logger?: Logger;
}Usage Examples:
import { S3Client } from "@aws-sdk/client-s3";
import { fromInstanceMetadata, fromContainerMetadata } from "@aws-sdk/credential-providers";
// Basic EC2 instance metadata credentials
const ec2Client = new S3Client({
region: "us-east-1",
credentials: fromInstanceMetadata()
});
// Basic ECS container metadata credentials
const ecsClient = new S3Client({
region: "us-east-1",
credentials: fromContainerMetadata()
});
// With custom timeout and retries
const robustClient = new S3Client({
region: "us-east-1",
credentials: fromInstanceMetadata({
timeout: 5000, // 5 second timeout
maxRetries: 3, // Retry up to 3 times
logger: console
})
});EC2 instances must be launched with an IAM instance profile:
// The credentials provider automatically detects and uses the instance role
import { fromInstanceMetadata } from "@aws-sdk/credential-providers";
const client = new S3Client({
credentials: fromInstanceMetadata({
timeout: 2000,
maxRetries: 1
})
});Instance metadata credentials are automatically refreshed before expiration:
import { fromInstanceMetadata } from "@aws-sdk/credential-providers";
// Credentials automatically refresh ~5 minutes before expiration
const autoRefreshClient = new S3Client({
credentials: fromInstanceMetadata()
});ECS tasks must specify a task role in the task definition:
{
"family": "my-task",
"taskRoleArn": "arn:aws:iam::123456789012:role/MyECSTaskRole",
"containerDefinitions": [
{
"name": "my-container",
"image": "my-app:latest"
}
]
}ECS automatically provides metadata endpoints via environment variables:
import { fromContainerMetadata } from "@aws-sdk/credential-providers";
// ECS sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI automatically
const client = new S3Client({
credentials: fromContainerMetadata({
timeout: 3000,
maxRetries: 2
})
});Both EC2 and Fargate launch types support metadata service credentials:
import { fromContainerMetadata } from "@aws-sdk/credential-providers";
// Works on both EC2 and Fargate ECS tasks
const fargateClient = new S3Client({
region: process.env.AWS_REGION,
credentials: fromContainerMetadata({
timeout: 5000
})
});Handle metadata service unavailability:
import {
fromInstanceMetadata,
fromContainerMetadata,
createCredentialChain,
fromEnv
} from "@aws-sdk/credential-providers";
// Try container metadata, then instance metadata, then environment
const adaptiveCredentials = createCredentialChain(
fromContainerMetadata({ timeout: 1000 }),
fromInstanceMetadata({ timeout: 1000 }),
fromEnv()
);
const client = new S3Client({
credentials: adaptiveCredentials
});Configure timeouts for different environments:
import { fromInstanceMetadata } from "@aws-sdk/credential-providers";
// Conservative settings for high-latency environments
const conservativeClient = new S3Client({
credentials: fromInstanceMetadata({
timeout: 10000, // 10 second timeout
maxRetries: 5 // Retry up to 5 times
})
});
// Aggressive settings for low-latency requirements
const aggressiveClient = new S3Client({
credentials: fromInstanceMetadata({
timeout: 500, // 500ms timeout
maxRetries: 0 // No retries
})
});For enhanced security, use VPC endpoints for metadata service access:
// Metadata service access works through VPC endpoints automatically
import { fromInstanceMetadata } from "@aws-sdk/credential-providers";
const vpcClient = new S3Client({
credentials: fromInstanceMetadata({
timeout: 2000
})
});Ensure security groups allow metadata service access (normally enabled by default).
Enable logging to troubleshoot metadata service problems:
import { fromInstanceMetadata, fromContainerMetadata } from "@aws-sdk/credential-providers";
const debugLogger = {
info: (msg: any) => console.log('[INFO]', msg),
warn: (msg: any) => console.warn('[WARN]', msg),
error: (msg: any) => console.error('[ERROR]', msg),
debug: (msg: any) => console.debug('[DEBUG]', msg)
};
try {
const credentials = await fromInstanceMetadata({
logger: debugLogger,
timeout: 5000,
maxRetries: 2
})();
console.log('Metadata credentials retrieved successfully');
} catch (error) {
console.error('Metadata service failed:', error.message);
if (error.message.includes('timeout')) {
console.error('Consider increasing timeout or checking network connectivity');
} else if (error.message.includes('404')) {
console.error('Instance may not have an associated IAM role');
}
}Metadata service credentials are cached until near expiration (typically 5 minutes before).
The underlying HTTP client pools connections to the metadata service for efficiency.
Multiple concurrent credential requests share the same underlying token refresh logic.
import {
fromInstanceMetadata,
fromContainerMetadata,
createCredentialChain
} from "@aws-sdk/credential-providers";
function createAWSCredentials() {
// Automatically works on:
// - EC2 instances (Linux, Windows)
// - ECS containers (EC2 and Fargate)
// - EKS pods (with IAM roles for service accounts)
return createCredentialChain(
fromContainerMetadata({ timeout: 1000 }),
fromInstanceMetadata({ timeout: 1000 })
);
}import { fromInstanceMetadata } from "@aws-sdk/credential-providers";
try {
const credentials = await fromInstanceMetadata({ timeout: 1000 })();
} catch (error) {
switch (error.name) {
case 'TimeoutError':
console.error('Metadata service request timed out');
break;
case 'CredentialsProviderError':
console.error('Instance has no associated IAM role');
break;
case 'NetworkingError':
console.error('Cannot reach metadata service endpoint');
break;
default:
console.error('Metadata service error:', error.message);
}
}