Describe the bug
In my ~/.aws/config I have
For some reason this seems to trigger the IMDS credential provider to try to get credentials from the metadata service which, since I'm not running this in EC2, adds several seconds of latency as it retries the connections a few times.
Regression Issue
Select this option if this issue appears to be a regression.
Expected Behavior
Not calling the IMDS service when credential_process is set.
Current Behavior
It does call the IMDS service.
Reproduction Steps
~/.aws/config:
credential_process = foo
aws --debug --profile foo sts get-caller-identity
Note in the debug output that it is trying to GET http://169.254.169.254/latest/api/token.
Possible Solution
I'm not entirely sure why this behavior gets triggered, but it feels like a bug. It seems like if the user is setting credential_process, then the SDK should simply use that process and not check other credential providers for creds.
If there is a good reason for this behavior, it would be useful to have an option that is settable in ~/.aws/config to disable it, whether by profile, or globally.
Additional Information/Context
A relatively simple workaround is setting export AWS_EC2_METADATA_DISABLED=true, though not a very user friendly one as we'd have to explain to all our users to set this in their environment.
Rerunning with that set skips the IMDS checks.
SDK version used
aws-cli/2.17.64
Environment details (OS name and version, etc.)
macOS 14
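An added example, not part of the original issue or of the AWS CLI: a small Python wrapper that applies the AWS_EC2_METADATA_DISABLED workaround only when the selected profile sets credential_process, so individual users do not have to export the variable themselves. The `[profile foo]` section header in the constructed sample config and the function names are assumptions.

```python
import configparser
import os
import subprocess
import sys

IMDS_DISABLE_VAR = "AWS_EC2_METADATA_DISABLED"  # workaround variable from the issue

# Constructed sample; the "[profile foo]" header is an assumption.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile foo]
credential_process = foo

[profile bar]
region = eu-west-1
"""

def credential_process_profiles(config_text):
    """Return {profile name: credential_process command} for an AWS config file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    found = {}
    for section in parser.sections():
        words = section.split(None, 1)
        if section == "default":
            name = section
        elif len(words) == 2 and words[0] == "profile":
            name = words[1]
        else:
            continue  # not a profile section (for example sso-session)
        command = parser.get(section, "credential_process", fallback="").strip()
        if command:
            found[name] = command
    return found

def env_for_profile(config_text, profile, base_env=None):
    """Copy the environment, disabling IMDS lookups if the profile uses credential_process."""
    env = dict(os.environ if base_env is None else base_env)
    if profile in credential_process_profiles(config_text):
        env.setdefault(IMDS_DISABLE_VAR, "true")  # an explicit user setting wins
    return env

if __name__ == "__main__":
    # Usage: python aws_wrap.py PROFILE sts get-caller-identity
    profile, aws_args = sys.argv[1], sys.argv[2:]
    path = os.environ.get("AWS_CONFIG_FILE", os.path.expanduser("~/.aws/config"))
    with open(path) as fh:
        env = env_for_profile(fh.read(), profile)
    sys.exit(subprocess.call(["aws", "--profile", profile, *aws_args], env=env))
```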