What is the MOST likely cause of the exception?
IAM policies might take a few minutes to propagate to resources.
Disabled environment variable credentials are still being used by the application.
The AWS SDK does not support credentials obtained using an instance role.
The instance’s security group does not allow access to http://169.254.169.254.
Explanations:
IAM policies typically propagate almost instantly, so this is unlikely to be the cause of the issue. Permissions should be effective immediately after assigning the IAM role to the instance.
The application originally used IAM user access keys stored in environment variables. If it has not been updated to use the instance role for authentication, it may still attempt to access AWS services with the now-deleted IAM user’s credentials, resulting in access denied errors.
The AWS SDK does support credentials obtained from an instance role. If the instance role is correctly configured, the SDK should seamlessly use those credentials.
The instance’s security group controls inbound and outbound traffic to and from the instance, but it does not affect access to the instance metadata service at http://169.254.169.254. If the application can communicate with the CLI, this option is not the cause of the issue.