Packer "NoCredentialProviders" / no valid credential sources in CI
The amazon-ebs builder uses the AWS SDK credential chain. On a fresh runner with no environment credentials, no profile, and no instance role, the chain is empty and the build cannot authenticate.
What this error means
packer build fails early with "NoCredentialProviders: no valid providers in chain" or "no valid credential sources for Amazon EBS found", before any instance launches.
packer
Error: no valid credential sources for Amazon EBS found.
Please see https://www.packer.io/docs/builders/amazon for more information on
providing credentials for the AWS Builder. NoCredentialProviders: no valid
providers in chain.Common causes
No credentials injected into the CI job
No AWS_ACCESS_KEY_ID, no shared profile, and no instance role means the SDK chain has nothing to use.
OIDC role assumption was not configured
The workflow intended to use OIDC but never called the credential action, so no temporary credentials were set.
How to fix it
Assume a role via OIDC
- Grant the workflow
id-token: writepermission. - Use the AWS credentials action to assume a role by OIDC.
- Run packer build in a later step so credentials are present.
.github/workflows/build.yml
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::111122223333:role/packer-build
aws-region: us-east-1
- run: packer build .Or pass keys from secrets
If OIDC is not available, export access keys from CI secrets in the build step env.
.github/workflows/build.yml
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1How to prevent it
- Prefer OIDC role assumption over long-lived keys in CI.
- Set the region explicitly so the builder is not left guessing.
- Keep any static keys in CI secrets, never in the template.
Related guides
Packer amazon-ebs "AuthFailure" in CIFix Packer amazon-ebs "AuthFailure" in CI - AWS received the request but rejected the credentials, often from…
Packer amazon-ebs "UnauthorizedOperation" IAM error in CIFix Packer amazon-ebs "UnauthorizedOperation" in CI - the credentials authenticated but the IAM policy lacks…
Packer amazon-ebs quota / limit exceeded in CIFix Packer amazon-ebs quota errors in CI - the account hit an EC2 vCPU or resource limit, so the builder inst…