AWS IAM role (EC2 / ECS / EKS instance-attached)
When InsightWorker runs on an AWS-hosted box (EC2 instance, ECS task, EKS pod), the cleanest auth path is an attached IAM role. No keys to rotate, no SSO browser flow, no env-var management — the AWS SDK pulls credentials from the instance metadata service (IMDS) automatically.
This is the recommended path for daemon-mode InsightWorker deployments (a scheduled job running unattended on a server).
Configuration
~/.insightworker/.env on the instance:
LLM_PROVIDER=bedrock
AWS_REGION=us-east-1
BEDROCK_MODEL=us.anthropic.claude-sonnet-4-5-20250929-v1:0
# Leave AWS credential vars unset. The SDK falls through to instance
# metadata (step 3 in the credential chain).
How it works
SDK credential chain:
1. ENV vars (skipped — none set)
2. AWS_PROFILE (skipped — none set)
3. Instance metadata service ◄── this is the role
4. ~/.aws/credentials (skipped — none on the instance)
The SDK calls http://169.254.169.254/latest/meta-data/iam/security-credentials/ (IMDSv2, with a session token), retrieves the temporary credentials issued to the instance role, and refreshes them automatically before they expire.
Setting up the role
EC2
- Create an IAM role with the Bedrock policy from aws-sso.md → Required IAM permissions.
- Attach the role to the EC2 instance (Instance Settings → Security → Modify IAM role).
- The role takes effect immediately; restart InsightWorker if it's already running.
ECS Fargate
In your task definition:
{
"taskRoleArn": "arn:aws:iam::123456789012:role/InsightWorkerBedrockRole",
...
}
The task role is what the InsightWorker container's processes use for Bedrock calls. (Don't confuse it with executionRoleArn, which only governs the ECS agent that pulls images and writes logs.)
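The taskRoleArn / executionRoleArn mix-up is easy to make and only shows up at runtime, so it is worth checking the task definition before deploying. The script below is an added example, not code from the InsightWorker docs or repo: it looks up both fields in a task definition and reports whether the Bedrock role is in the field the container actually uses. The role ARN is the one from this page; the two sample task definitions (including the ecsTaskExecutionRole name) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the InsightWorker docs or repo: catch the
# "works on EC2, fails on ECS" mistake by checking where the Bedrock role
# sits in a task definition. The role ARN matches the page; the task
# definitions below are constructed for illustration.

# json_string_value <key>: print the string value of a top-level key from the
# JSON on stdin. A sed lookup is enough for the flat top level of a task
# definition; prints nothing when the key is absent.
json_string_value() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_task_role <task-definition-json> <role-name>
# 0: taskRoleArn names the role (container processes get it)
# 1: the role is only in executionRoleArn (the ECS agent gets it, the
#    InsightWorker process does not)
# 2: the role appears in neither field
check_task_role() {
  task_arn=$(printf '%s\n' "$1" | json_string_value taskRoleArn)
  exec_arn=$(printf '%s\n' "$1" | json_string_value executionRoleArn)
  case "$task_arn" in */"$2") return 0 ;; esac
  case "$exec_arn" in */"$2") return 1 ;; esac
  return 2
}

# Constructed task definitions: one correct, one with the role in the wrong field.
GOOD_TASKDEF='{
  "family": "insightworker",
  "taskRoleArn": "arn:aws:iam::123456789012:role/InsightWorkerBedrockRole",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"
}'
BAD_TASKDEF='{
  "family": "insightworker",
  "executionRoleArn": "arn:aws:iam::123456789012:role/InsightWorkerBedrockRole"
}'

# On a real deployment feed in the registered definition, e.g.
# "$(aws ecs describe-task-definition --task-definition insightworker)"
for name in GOOD_TASKDEF BAD_TASKDEF; do
  eval "def=\$$name"
  if check_task_role "$def" InsightWorkerBedrockRole; then
    echo "$name: ok, role is in taskRoleArn"
  else
    echo "$name: role not usable by the container (rc=$?)"
  fi
done
```

Return code 1 is the interesting one: the role exists and is attached, so the console looks right, but it is attached to the agent rather than to the task, which is exactly the "works on EC2, fails on ECS" symptom in the gotchas table.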
EKS
Use IAM Roles for Service Accounts (IRSA). Bind the role to the service account your InsightWorker pod runs under:
apiVersion: v1
kind: ServiceAccount
metadata:
name: insightworker
namespace: prod
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/InsightWorkerBedrockRole
Then set serviceAccountName: insightworker in the pod spec. The AWS SDK picks up the role via the OIDC provider — no env vars or keys needed.
Verify
On the instance:
aws sts get-caller-identity
This should print the ARN of the assumed role. If it does, InsightWorker will work.
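"Prints an ARN" is necessary but not sufficient: the ARN could belong to an IAM user picked up from static keys earlier in the credential chain, or to a different role. The script below is an added example, not part of the InsightWorker docs or repo. It parses the get-caller-identity output, confirms the caller is an assumed-role session for the expected role (and account), and lists any env vars that would shadow the instance role in the chain described under "How it works". The account id and role name are the page's own; the session name, the deploy-bot user and the sample CLI outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the InsightWorker docs or repo: check that the
# identity reported by `aws sts get-caller-identity` is a session for the
# expected instance/task role, not an IAM user from static keys or some other
# role. The account id and role name match the page; the session name,
# user name and sample CLI outputs below are constructed for illustration.

# Pull the "Arn" value out of the CLI's JSON output (stdin).
caller_arn() {
  sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# classify_identity <arn>: prints assumed-role, iam-user, root or other.
classify_identity() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
    arn:aws:iam::*:user/*)         echo iam-user ;;
    arn:aws:iam::*:root)           echo root ;;
    *)                             echo other ;;
  esac
}

# check_caller_identity <json> <expected-role-name> [expected-account-id]
# 0: assumed-role session for the expected role (and account, if given)
# 1: a role session, but the wrong role or account
# 2: not a role session at all (IAM user, root, or unparseable output)
check_caller_identity() {
  arn=$(printf '%s\n' "$1" | caller_arn)
  [ "$(classify_identity "$arn")" = assumed-role ] || return 2
  # arn:aws:sts::<account>:assumed-role/<RoleName>/<session-name>
  account=${arn#arn:aws:sts::}; account=${account%%:*}
  role=${arn#*:assumed-role/};  role=${role%%/*}
  [ "$role" = "$2" ] || return 1
  [ -z "${3:-}" ] || [ "$account" = "$3" ] || return 1
  return 0
}

# Env vars that sit ahead of IMDS in the SDK chain and would shadow the role.
# Prints each one that is set; prints nothing when the role will be used.
shadowing_env() {
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then echo "$v"; fi
  done
}

# Constructed sample outputs.
ROLE_OUTPUT='{
    "UserId": "AROAEXAMPLEID:i-0abc123def456",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/InsightWorkerBedrockRole/i-0abc123def456"
}'
USER_OUTPUT='{
    "UserId": "AIDAEXAMPLEID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/deploy-bot"
}'

# On a real instance replace the sample with: "$(aws sts get-caller-identity)"
if check_caller_identity "$ROLE_OUTPUT" InsightWorkerBedrockRole 123456789012; then
  echo "ok: running as InsightWorkerBedrockRole"
fi
if ! check_caller_identity "$USER_OUTPUT" InsightWorkerBedrockRole; then
  echo "not the instance role; credentials shadowing IMDS: $(shadowing_env | tr '\n' ' ')"
fi
```

Run it as the same OS user and environment InsightWorker's scheduled job uses; a leftover AWS_PROFILE or access-key pair in that environment is the usual reason the role is attached but never used.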
Common gotchas
| Symptom | Cause | Fix |
|---|---|---|
| Could not load credentials on EC2 | IMDSv2 token-required mode + outdated SDK | Update to Node 18+; AWS SDK for JS v3 supports IMDSv2 by default. |
| AccessDeniedException even though role is attached | Policy missing Bedrock actions | Re-check the policy from aws-sso.md |
| Works on EC2, fails on ECS | Used executionRoleArn instead of taskRoleArn | Move the role to taskRoleArn |
| Credentials never refresh | Custom HTTP client overriding the SDK's credential refresh | Use the default SDK client (we do; no override) |
See also
- aws-sso.md — interactive auth on a developer machine
- aws-iam-keys.md — static keys (legacy)
Source: docs/authentication/aws-iam-role.md in the public repo. Open a PR with corrections.
