AWS IAM Diagnostics, figuring out what role your script is using

I just spent the last hour of my day trying to figure out why my script was saying I didn't have access to a particular resource from within my Docker image. I granted access to the IAM Role for my Docker instance (or so I thought) but it still said it had no access to write to a particular bucket. The request seemed like it was saying there were credentials set, but it wasn't indicating what role the request was made by.

At one point, the AWS-SDK for Node.js would print out a very useful message like "User arn:..... is not allowed to perform action s3:putObject on resource arn:...."

Now, however, it simply told me:

{ [AccessDenied: Access Denied]
  message: 'Access Denied',
  code: 'AccessDenied',
  region: null,
  time: Wed Sep 21 2016 13:51:55 GMT+0000 (UTC),
  requestId: 'REQUEST ID',
  extendedRequestId: 'LONG_REQUEST_ID',
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 13.531139446422458 }

That's great, I know the error is Access Denied, and I know it's not a retryable error, but what did it try to do, and who tried to do it?

After stumbling around for a while, I finally found this:

curl http://169.254.169.254/latest/meta-data/iam/info/

This told me the IAM role that scripts were assuming in my current EC2/Docker environment:

{
  "Code" : "Success",
  "LastUpdated" : "2016-09-21T13:53:02Z",
  "InstanceProfileArn" : "arn:aws:iam::ACCOUNT-ID:instance-profile/acindex",
  "InstanceProfileId" : "INSTANCE_PROFILE_ID"
}

Not the role I thought it was running as...

Add the permissions to that ARN, and we're set.