Creating an AWS Config WithCredentials fails #3282

Closed
lucianthorr opened this issue Apr 24, 2020 · 3 comments
Labels
bug This issue is a bug. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@lucianthorr

Describe the bug
Generating a new AWS Config fails when using credentials from an ec2RoleProvider.
Returns a 403-Unauthorized from the /latest/api/token endpoint (ec2metadata/GetToken).

The code used to do this worked on previous versions of the aws-sdk-go.
Worked on v1.23.5 and v1.12.72.

Version of AWS SDK for Go?
v1.30.8

Version of Go (go version)?
1.13.5

To Reproduce (observed behavior)
Code is as follows:

package awsutil // package name assumed; the issue shows only the function

import (
	"net/http"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
	"github.com/aws/aws-sdk-go/aws/ec2metadata"
	"github.com/aws/aws-sdk-go/aws/session"
)

// CreateK8sConfig builds an aws.Config whose credential chain tries the shared
// credentials file first and then the EC2 instance role (via the metadata service).
func CreateK8sConfig(sess *session.Session) *aws.Config {
	ec2RoleProvider := &ec2rolecreds.EC2RoleProvider{
		Client: ec2metadata.New(sess, &aws.Config{
			// Set an HTTP timeout for metadata service calls
			HTTPClient: &http.Client{Timeout: 5 * time.Second},
			// Re-attempt a number of times
			MaxRetries: aws.Int(20),
		}),
		ExpiryWindow: 0,
	}
	creds := credentials.NewChainCredentials([]credentials.Provider{
		&credentials.SharedCredentialsProvider{},
		ec2RoleProvider,
	})
	return aws.NewConfig().WithCredentials(creds)
}

Expected behavior
Should successfully return a config but instead fails after logging 403 Response at the debug log level.

Additional context
This code is used to more reliably generate an aws Config in a kubernetes cluster that uses kube2iam to provide credentials to pods.

@lucianthorr lucianthorr added the needs-triage This issue or PR still needs to be triaged. label Apr 24, 2020
@diehlaws diehlaws self-assigned this Apr 27, 2020
@diehlaws diehlaws added bug This issue is a bug. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 27, 2020
@diehlaws
Contributor

Hi @lucianthorr, thanks for reaching out to us. This sounds like it's related to the changes brought into the instance metadata service with IMDSv2. Version 1.25.38 introduced support for the secure token required for IMDSv2, which explains why you're not seeing this behavior on 1.23.5 or 1.12.72. We're working with the EKS team internally to mitigate this behavior; in the meantime you should be able to configure your instance's metadata options with an appropriate hop limit based on your use case to reach the underlying instance's metadata service as expected.

@jasdel
Contributor

jasdel commented Aug 7, 2020

Hi @lucianthorr, are you still running into this issue? If so, any additional details you have would be helpful. As @diehlaws mentioned, it sounds like the hop limit may be causing the issue you're seeing, especially if your application running within the pod or container is attempting to reach out to EC2's IMDS. Your instance's hop limit can be adjusted via the instance metadata configuration.

@jasdel jasdel added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 7, 2020
@github-actions

This issue has not received a response in 1 week. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 15, 2020
@diehlaws diehlaws removed their assignment Aug 26, 2020