I have an ECS service which is running on Fargate (latest version). The service runs a Java (Spring) application which makes use of the AWS SDK. However, the following error is occurring when making AWS API calls:
Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[
EnvironmentVariableCredentialsProvider(),
SystemPropertyCredentialsProvider(),
ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])),
InstanceProfileCredentialsProvider()
]) : [
EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).,
SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).,
ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])): Profile file contained no credentials for profile 'default': ProfileFile(sections=[]),
InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.
]
My task is configured to use a Task Role, which looks like this:
{
  // ...
  "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
}
The role also has numerous policies to allow access to various AWS services. I’ve confirmed that, while “SSH’d” into the container, I can execute AWS API calls via the CLI — for example, I can list the contents of a bucket which is described by one of the policies on the role. So things appear to be “correct” in this regard.
When I connect to the service (via ecs execute-command), here’s what I see:
- aws sts get-caller-identity gives a valid response.
- curl 169.254.170.2/v2/metadata returns metadata correctly.
- curl 169.254.170.2${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI} returns an access key id, secret access key, and token.
In the error above, I’d expect the InstanceProfileCredentialsProvider to be the provider which ends up “finding credentials”. But I’m not sure how to resolve the error message: Failed to load credentials from IMDS.
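Added example, not part of the original post: a small Python check that parses the provider chain out of the SDK error text and reports credential-source environment variables that are set in the container but that no provider in the chain reads. SOURCE_ENV, SAMPLE_ENV and the function names are this example's own, and the sample URI value is constructed; the environment variable names are the ones the AWS SDK reads.

```python
import os
import re

# Provider class (AWS SDK for Java v2) -> environment variables it reads.
SOURCE_ENV = {
    "EnvironmentVariableCredentialsProvider": ("AWS_ACCESS_KEY_ID",),
    "WebIdentityTokenFileCredentialsProvider": ("AWS_WEB_IDENTITY_TOKEN_FILE",),
    "ContainerCredentialsProvider": (
        "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI",
        "AWS_CONTAINER_CREDENTIALS_FULL_URI",
    ),
}

# Error text as quoted in the post, with the per-provider details shortened.
SAMPLE_ERROR = """Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[
EnvironmentVariableCredentialsProvider(),
SystemPropertyCredentialsProvider(),
ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(sections=[])),
InstanceProfileCredentialsProvider()
]) : [
InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.
]"""

# Constructed environment resembling a Fargate task; the URI value is made up.
SAMPLE_ENV = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/example-id"}


def providers_in_chain(error_text):
    """Return the provider class names listed in credentialsProviders=[...]."""
    match = re.search(r"credentialsProviders=\[(.*?)\]\)\s*:", error_text, re.S)
    if match is None:
        raise ValueError("no AwsCredentialsProviderChain listing in error text")
    return re.findall(r"(\w+CredentialsProvider)\(", match.group(1))


def unread_sources(error_text, env):
    """List (provider, variable) pairs set in env that no chain member reads."""
    chain = set(providers_in_chain(error_text))
    return [
        (provider, var)
        for provider, variables in SOURCE_ENV.items()
        if provider not in chain
        for var in variables
        if env.get(var)
    ]


if __name__ == "__main__":
    for provider, var in unread_sources(SAMPLE_ERROR, os.environ):
        print(f"{var} is set but {provider} is not in the chain")
```

Run inside the container, it prints only variable and provider names, never credential values.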