Docker registry on EC2, permissions from instance role doesn't seem to work

I’m trying to set up a registry on EC2 that will use S3 as storage. I can’t seem to get it to work. The docs on the S3 storage backend says that if you’re running on an EC2 instance with an instance role you don’t have to specify any credentials, but this doesn’t seem to work.

In my registry configuration it says:

    layerinfo: inmemory
    region: eu-west-1
    bucket: my-bucket-name
    rootdirectory: docker-registry

When I run aws ls s3://my-bucket-name/docker-registry/ that works fine (I got things set up on my dev box first and tested things out, so that location exists and contains a registry). Obviously my bucket is called something else.

With this configuration it takes a very long time to do curl http://localhost:5000/v2/_catalog, but eventually I get a response with an empty list of repositories (which shouldn’t be empty because I set it up before).

Checking the debug server gives a clue as to what the problem is. curl http://localhost:5001/debug/health returns this:

{"storagedriver_s3":"s3aws: NoCredentialProviders: no valid providers in chain. Deprecated. \n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"}

Which to me sounds like it can’t pick up credentials as the docs say it should.

Is there anything else to making it possible for the container to pick up the credentials automatically?

I’m running on AWS Linux 2016.03.3 with Docker 1.11.1.

I think I can have found the problem. It appears completely unrelated but kind of makes sense. I was browsing the forums and found another thread where someone had had problems when IPv4 forwarding was not on, so I checked whether it was on my machine, and it wasn’t. After running sudo sysctl -w net.ipv4.ip_forward=1 and restarting the Docker daemon my registry could talk to S3 just fine.