I'm working on a Java application running on an EC2 instance in AWS. My goal is to access AWS Secrets Manager using an AWS SDK for Java and an IAM role attached to the EC2 instance.
Everything works smoothly when IMDSv2 (Instance Metadata Service version 2) is optional. However, when it's set to required as recommended, I encounter an issue.
Specifically, I'm receiving the error 'software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain'.
How can I resolve this issue and successfully access AWS Secrets Manager with IMDSv2 set to required?
I tried attaching different policies and created some custom ones, but the result is the same.
Java SDK version used:
    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>secretsmanager</artifactId>
        <version>2.25.7</version>
    </dependency>
I did some more research and was able to figure this out. There have been issues with IMDSv2 network requests, and what was suggested is to increase the hop limit to '2' on the EC2 instance, as is also said in the considerations section here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#imds-considerations
To increase the hop limit: "Use the modify-instance-metadata-options CLI command and set the http-put-response-hop-limit parameter to the required number of hops. In the following example, the hop limit is set to 2. Note that when specifying a value for http-put-response-hop-limit, you must also set http-endpoint to enabled"
Using the AWS CLI:
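The hop-limit change described in this answer, as an added example that is not the answerer's own command: the script reads the instance's current metadata options and raises the hop limit only when tokens are required and the limit is below 2. The `INSTANCE_ID` variable, `TARGET_HOPS` and the function names are assumptions of this example; it needs AWS CLI credentials allowed to describe and modify the instance.

```bash
#!/bin/sh
# Added example (not from the original post). TARGET_HOPS is the value the answer uses.
TARGET_HOPS=2

# Decide from the MetadataOptions fields whether the hop limit is the problem.
# Prints one of: raise-hop-limit, ok, endpoint-disabled, unknown.
plan_fix() {
  local tokens="$1" hops="$2" endpoint="$3"
  case "$hops" in ''|*[!0-9]*) echo "unknown"; return ;; esac
  if [ "$endpoint" != "enabled" ]; then echo "endpoint-disabled"; return; fi
  if [ "$tokens" = "required" ] && [ "$hops" -lt "$TARGET_HOPS" ]; then
    echo "raise-hop-limit"; return
  fi
  echo "ok"
}

# Prints "HttpTokens HttpPutResponseHopLimit HttpEndpoint" for one instance.
read_options() {
  aws ec2 describe-instances --instance-ids "$1" --output text \
    --query 'Reservations[0].Instances[0].MetadataOptions.[HttpTokens,HttpPutResponseHopLimit,HttpEndpoint]'
}

# Run on the instance (or inside the container) afterwards:
# succeeds only if an IMDSv2 session token can be fetched from there.
check_token() {
  curl -sf --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60" >/dev/null
}

main() {
  local id="$1" opts
  opts=$(read_options "$id") || return 1
  set -- $opts   # split the tab-separated text output into $1 $2 $3
  case "$(plan_fix "$1" "$2" "$3")" in
    raise-hop-limit)
      aws ec2 modify-instance-metadata-options --instance-id "$id" \
        --http-put-response-hop-limit "$TARGET_HOPS" --http-endpoint enabled ;;
    ok) echo "No change needed (tokens=$1 hops=$2)" ;;
    *)  echo "Not a hop-limit problem: tokens=$1 hops=$2 endpoint=$3" >&2; return 1 ;;
  esac
}

# Only touches AWS when an instance ID is supplied, e.g. INSTANCE_ID=<your-instance-id> sh fix.sh
if [ -n "${INSTANCE_ID:-}" ]; then main "$INSTANCE_ID"; fi
```

A higher hop limit lets the token response travel one more network hop (for example into a container on the instance), so raise it no further than the workload needs.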