AWS credentials missing or invalid

The job could not authenticate with AWS.

aws-credentials high confidence auth aws

Matched signals

  • NoCredentialProviders
  • no EC2 instance role found
  • InvalidClientTokenId
  • AuthFailure
  • AccessDenied
  • Unable to locate credentials
  • An error occurred (AuthFailure)
  • could not load credentials

What this failure means

The job could not authenticate with AWS. Either no credentials are present in the environment, the credentials are expired, or the IAM principal does not have permission to perform the requested action.

Symptoms

Faultline looks for one or more of these log fragments:

NoCredentialProviders
no EC2 instance role found
InvalidClientTokenId
AuthFailure
AccessDenied
Unable to locate credentials
An error occurred (AuthFailure)
could not load credentials

Fix steps

  1. In the same CI job environment or container, verify credentials are visible to the AWS SDK: aws configure list — shows which source (env, profile, instance profile) is active.
  2. Confirm the resolved identity with the same runtime context: aws sts get-caller-identity — if this fails, the credential chain has no valid entry.
  3. For ExpiredTokenException: rotate the IAM access key in the console and update the AWS_SECRET_ACCESS_KEY CI secret; for assumed-role sessions, regenerate via aws sts assume-role.
  4. For AccessDenied: decode the error to get the full policy evaluation context: aws sts decode-authorization-message --encoded-message <encoded> — this reveals which statement denied the action.
  5. For OIDC (aws-actions/configure-aws-credentials): verify the IAM role trust policy Condition block — the sub claim format is repo:<org>/<repo>:ref:refs/heads/<branch>.
  6. For SCPs (Service Control Policies) in AWS Organizations: even with IAM allow, an SCP deny at the org level blocks the action — check with your AWS administrator.
  7. Prefer OIDC-based role assumption over long-lived access keys to eliminate credential rotation overhead.
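The sub check from step 5, as an added example that is not part of the Faultline playbook: it evaluates the Condition block of a role trust policy against the sub claim a given branch would present, and flags conditions that leave the role open to other repositories. It assumes the GitHub OIDC provider (token.actions.githubusercontent.com); the policy, account ID, org and repo names are constructed placeholders, and check_sub, sub_values and iam_like are hypothetical helper names.

```python
import json
import re

# Assumption: GitHub's OIDC provider, which aws-actions/configure-aws-credentials uses.
SUB_KEY = "token.actions.githubusercontent.com:sub"

# Constructed trust policy; account ID, org and repo names are placeholders.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated":
      "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub":
        "repo:example-org/example-repo:ref:refs/heads/release/*"}}
  }]
}""")

def iam_like(pattern, value):
    """IAM StringLike semantics: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def sub_values(stmt, op):
    """Return the sub patterns listed under one condition operator, as a list."""
    vals = stmt.get("Condition", {}).get(op, {}).get(SUB_KEY, [])
    return [vals] if isinstance(vals, str) else list(vals)

def check_sub(policy, org, repo, branch):
    """Return (allowed, findings) for a job running on org/repo at branch."""
    sub = f"repo:{org}/{repo}:ref:refs/heads/{branch}"
    allowed, findings = False, []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        exact, like = sub_values(stmt, "StringEquals"), sub_values(stmt, "StringLike")
        if not exact and not like:
            findings.append("no sub condition: any repository can assume this role")
        for pat in like:
            if "*" in ":".join(pat.split(":")[:2]):
                findings.append(f"wildcard in org/repo part: {pat}")
        # Operators are ANDed; the values listed under one operator are ORed.
        ok_exact = not exact or sub in exact
        ok_like = not like or any(iam_like(p, sub) for p in like)
        allowed = allowed or (ok_exact and ok_like)
    return allowed, findings

if __name__ == "__main__":
    print(check_sub(TRUST_POLICY, "example-org", "example-repo", "main"))
```

A job on main is rejected by this sample policy because only release/* branches match, which is the kind of mismatch that surfaces as AccessDenied on the role assumption.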

Validation

  • aws configure list
  • aws sts get-caller-identity

Why it matters

AWS SDK clients look for credentials in this order: environment variables, shared credentials file, IAM instance profile, and ECS task role. In CI, the most common failure is missing or expired AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment secrets.

Prevention

  • Use short-lived OIDC tokens from your CI provider instead of static IAM keys.
  • Set key rotation reminders and update CI secrets proactively.
  • Scope IAM policies to the minimum required actions and resources.

Try it locally

aws sts get-caller-identity

How Faultline detects it

Use faultline explain aws-credentials to see the full playbook.

faultline analyze build.log
faultline explain aws-credentials

Generated from playbooks/bundled/log/auth/aws-credentials.yaml. Do not edit directly.
