Open sivakova opened 2 days ago
@sivakova Good morning. Below is some high-level analysis:
Unable to retrieve AWS region from IMDS:
from code hereec2MetadataV1Disabled
.ec2MetadataV1Disabled
. Hence, fallback to IMDSv1 should occur automatically by AWS SDK for JavaScript v3 (CDK has no control over it).
/latest/dynamic/instance-identity/document
to load identity document that provides region
(along with other data, refer Instance identity documents for Amazon EC2 instances).
http://169.254.169.254/latest/dynamic/instance-identity/document for retrieving identity document for both IMDSv1 and IMDSv2.
Could you please check on your side if IMDSv1 is not disabled on your EC2 instance? Refer Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure, you may select either of values V1 and V2 (token optional) and V2 only (token required) for Metadata version for an EC2 instance.
Also could you try using the latest version of AWS CDK lib (in addition to AWS CDK CLI)?
Thanks, Ashish
@sivakova Are you able to try this with the latest version v2.171.1?
We had some major changes to auth since that got released after 2.163.0.
@mrgrain yes I am trying with the latest version and the issue is still there
@ashishdhingra Hello! I have an idea what the problem might be. It's this line here in regionFromMetadataService(): fetchMetadataToken() throws an error in case of unsupported IMDSv2, and the next function call, metadataService.request(), which also includes a token fetch inside and a fallback to IMDSv1, is out of reach.
I am not able to check right now whether IMDSv1 is disabled on EC2 or not, but I was able to make a request to http://169.254.169.254/ from the instance and it works as expected.
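The control flow described in the comment above, as an added sketch that is not code from aws-cdk or the AWS SDK: the IMDSv2 token failure is caught so the tokenless request for the identity document stays reachable, and the caller learns which mode answered. `lookupRegion`, `transport`, `allowV1` and the mock transports are hypothetical names, and the sample identity document is constructed.

```javascript
// Added example, not CDK or AWS SDK code. `transport` is a hypothetical
// injectable function (method, path, headers) -> Promise<string>.
const IMDS = 'http://169.254.169.254';
const DOC_PATH = '/latest/dynamic/instance-identity/document';

// Real transport: global fetch (Node 18+) with a 1000 ms timeout, as in the log.
async function fetchTransport(method, path, headers) {
  const res = await fetch(IMDS + path, { method, headers, signal: AbortSignal.timeout(1000) });
  if (!res.ok) throw new Error(`HTTP ${res.status} for ${path}`);
  return res.text();
}

async function lookupRegion(transport = fetchTransport, allowV1 = true) {
  let headers = {};
  let mode = 'IMDSv2';
  try {
    // IMDSv2: obtain a session token with PUT, then present it on the GET.
    const token = await transport('PUT', '/latest/api/token',
      { 'X-aws-ec2-metadata-token-ttl-seconds': '60' });
    headers = { 'X-aws-ec2-metadata-token': token };
  } catch (err) {
    // The token failure is handled here, so the tokenless path is still reached.
    if (!allowV1) throw new Error(`IMDSv2 token fetch failed: ${err.message}`);
    mode = 'IMDSv1';
  }
  // Same document path for both versions; only the token header differs.
  const doc = JSON.parse(await transport('GET', DOC_PATH, headers));
  if (!doc.region) throw new Error('identity document has no region');
  return { region: doc.region, mode };
}

// Constructed transports for an offline run; the document is sample data.
const SAMPLE_DOC = JSON.stringify({ region: 'cn-north-1', instanceId: 'i-EXAMPLE' });
const tokenTimesOut = async (method) => {
  if (method === 'PUT') throw new Error('Connection timed out after 1000 ms');
  return SAMPLE_DOC;
};
const tokenWorks = async (method, path, headers) => {
  if (method === 'PUT') return 'constructed-token';
  if (headers['X-aws-ec2-metadata-token'] !== 'constructed-token') throw new Error('HTTP 401');
  return SAMPLE_DOC;
};

lookupRegion(tokenTimesOut).then((r) => console.log(r.mode, r.region));
```

On an instance set to V2 only (token required) the tokenless GET is rejected, so the fallback can only succeed where V1 is still allowed; passing `allowV1 = false` makes the lookup fail at the token step instead.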
@mrgrain yes I am trying with the latest version and the issue is still there
Thanks for the confirmation. Does the error change at all or is it all the same?
@mrgrain Good day! First it was another error about cross-account deployment, but it was fixed. (error message: Need to perform AWS calls for account , but the current credentials are for )
Then for some further versions I stopped getting the creds error. The exact error (Need to perform AWS calls for account **, but no credentials have been configured) has been noticed since version 2.167.1.
Describe the bug
I am trying to deploy resources from an EC2 instance in the cn-north-1 region. Metadata token fetch for IMDSv2 fails and it seems like fallback to IMDSv1 doesn't happen. Default region us-east-1 is set in the end and deployment fails.
The issue with credentials in China region started since 2.163.0 aws-cdk version.
build 26-Nov-2024 11:11:13 [11:11:13] [trace] SdkProvider#withAwsCliCompatibleDefaults()
build 26-Nov-2024 11:11:13 [11:11:13] Looking up AWS region in the EC2 Instance Metadata Service (IMDS).
build 26-Nov-2024 11:11:14 [11:11:14] Unable to retrieve AWS region from IMDS: Error: Error fetching metadata token: TimeoutError: Connection timed out after 1000 ms
build 26-Nov-2024 11:11:14 [11:11:14] Unable to determine AWS region from environment or AWS configuration (profile: "default"), defaulting to 'us-east-1'
build 26-Nov-2024 11:11:14 [11:11:14] Toolkit stack: CDKToolkit
build 26-Nov-2024 11:11:14 [11:11:14] Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Error message:
build 26-Nov-2024 11:11:17 [11:11:17] red: debug: Need to perform AWS calls for account **, but no credentials have been configured
build 26-Nov-2024 11:11:17 [11:11:17] red: debug: Need to perform AWS calls for account **, but no credentials have been configured
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
The region is set to cn-north-1, credentials are successfully configured, deployment is successful
Current Behavior
The region is set to us-east-1 and credentials are not configured correctly
Reproduction Steps
Deploy any resource from an EC2 instance in the cn-north-1 region without configured environment variables specifying the region, and without a configuration file with a default profile
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.171.1
Framework Version
No response
Node.js Version
23.3.0
OS
MacOS
Language
TypeScript
Language Version
5.6.3
Other information
No response