I've used InSpec in the past, but it's been some time. I was recently again evaluating it for my current company when I ran into a situation.

I set up an IAM user with the necessary permissions in order to test out InSpec for a proof of concept and added the profile to my ~/.aws/credentials. I knew the credentials were right because I could test what I wanted with the AWS CLI and get a successful response.

Copycopy code to clipboard
1$ aws iam list-mfa-devices --user-name test-user --profile inspec
2{
3    "MFADevices": [
4        {
5            "UserName": "test-user",
6            "SerialNumber": "arn:aws:iam::12345:mfa/test-user",
7            "EnableDate": "2020-01-02T18:41:22Z"
8        }
9    ]
10}

So, why then, would InSpec tell me that it couldn't find my AWS credentials for the inspec profile when running a simple control?

Copycopy code to clipboard
1title 'AWS IAM compliance'
2
3control 'iam-1.0' do
4  impact 1.0
5  title 'Check test-user user has MFA'
6  desc 'The test-user user should have MFA enabled'
7  describe aws_iam_user(user_name: 'test-user') do
8    it { should have_mfa_enabled }
9  end
10end

AWS credentials are available InSpec!

Copycopy code to clipboard
1$ inspec exec aws -t aws://us-east-1/inspec
2[2021-01-03T19:25:55-07:00] ERROR: It appears that you have not set your AWS credentials. See https://www.inspec.io/docs/reference/platforms for details.
3
4Profile: AWS InSpec Profile (aws)
5Version: 0.1.0
6Target:  aws://us-east-1
7
8  ×  iam-1.0: Check test-user user has MFA
9     ×  AWS IAM User
10     No AWS credentials available
11
12
13Profile: Amazon Web Services  Resource Pack (inspec-aws)
14Version: 1.33.0
15Target:  aws://us-east-1
16
17     No tests executed.
18
19Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
20Test Summary: 0 successful, 1 failure, 0 skipped

Was I running the correct command to execute my controls? Was I somehow passing my profile to InSpec incorrectly? What was going on?

After some time frustratingly testing numerous different theories, I had another closer look at my ~/.aws/credentials and noticed that some of my profiles, including my inspec profile, looked slightly different than others.

Copycopy code to clipboard
1[default]
2aws_access_key_id = abcd1234
3aws_secret_access_key = abcd1234
4region = us-east-1
5
6[otherprofile]
7aws_access_key_id = abcd1234
8aws_secret_access_key = abcd1234
9region = us-east-1
10
11[inspec]
12AWS_ACCESS_KEY_ID = abcd1234
13AWS_SECRET_ACCESS_KEY = abcd1234
14region = us-east-1

That can't be it, can it? Is it?

Well it turned out that it was. InSpec was not be able to read my inspec profile credentials because AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY were capitalized in my credentials file, because this is how the Ruby AWS SDK works. I copied and pasted from another profile, which I don't recall why I made the keys capitalized, and InSpec couldn't handle it. After changing the keys to aws_access_key_id and aws_secret_access_key, InSpec found my credentials and I was able to run my controls.

So, if you're having trouble with InSpec telling you No AWS credentials available or that It appears that you have not set your AWS credentials, check your credentials file and make sure your capitalization is correct.