Rand Stats




Get AWS IAM role credentials in EC2



# In some application running on EC2

use Kivuli;
use WebService::AWS::S3;

my $k = Kivuli.new(role-name => 'my-iam-role');
my $s3 = WebService::AWS::S3.new(secret-access-key => $k.secret-access-key, access-key-id => $k.access-key-id, security-token => $k.token, region => 'eu-west-2');

# Do something with the S3


This module enables access to AWS IAM role credentials from within an EC2 instance as described here.

The credentials supplied ( AWS_ACCES_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) can be used to authenticate with another AWS service that the role has been granted access to.

Because the credentials are supplied in a way that is private to the EC2 instance this is a more secure method of obtaining the credentials than, for example, putting them in a configuration file.

The token must be supplied in the headers (or as a query parameter,) for requests to the service, however some services differ as to whether it should or shouldn't be part of the signed headers in the request - please see the documentation for the service you are implementing for details.


Assuming you have a working rakudo installation then you should be able to install this with zef:

 zef install Kivuli

Bear in mind that this will pass its tests and install outside an EC2 instance, which may be useful for example to build a Docker image to upload to AWS, but it will only work correctly on EC2.


This has some fairly specific environmental dependencies, so before raising an issue please check:

Any suggestions/issues/etc can be posted to github and I'll see what I can do.

Licence and Copyright

This is free software please see the LICENCE in the distribution files.

© Jonathan Stowe 2021