IMDS is queried when credential_process is set

[vincer]

Describe the bug

In my ~/.aws/config I have

[profile foo]
credential_process = foo

For some reason this seems to trigger the IMDS credential provider to try to get credentials from the metadata service which, since I'm not running this in EC2, adds several seconds of latency as it retries the connections a few times.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Not calling the IMDS service when credential_process is set.

Current Behavior

It does call the IMDS service.

Reproduction Steps

~/.aws/config:

credential_process = foo

aws --debug --profile foo sts get-caller-identity

Note in the debug output that it is trying to GET http://169.254.169.254/latest/api/token.

Possible Solution

I'm not entirely sure why this behavior gets triggered, but it feels like a bug. It seems like if the user is setting credential_process, then the SDK should simply use that process and not check other credential providers for creds.

If there is a good reason for this behavior, it would be useful to have an option that is settable in ~/.aws/config to disable it, whether by profile, or globally.

Additional Information/Context

A relatively simple workaround is setting export AWS_EC2_METADATA_DISABLED=true, though not a very user friendly one as we'd have to explain to all our users to set this in their environment.

Rerunning with that set skips the IMDS checks.

SDK version used

aws-cli/2.17.64

Environment details (OS name and version, etc.)

macOS 14