
My environments are all private. I have created an STS endpoint in ca-central-1. It has 2 subnets, one for ca-central-1a and another in ca-central-1b. For some odd reason, for both my environments that have the same STS endpoint settings, the STS connection only works for ca-central-1a. We have set "private DNS names enabled" to True as our networks are private.

I tested by creating instances for both AZs and only the instance in ca-central-1a works when I test by calling aws sts get-caller-identity. The aws sts command in the 1b AZ just hangs. We have checked NACLs and both subnets use the same rules.

Is this a configuration issue or an AWS bug?

Thanks

chocokoala

1 Answer


I have possible workarounds. It's still weird that all my instances that have the same settings and CLI version don't work until the AZ 2 instances do one or the other, while the AZ 1 instances don't need to do them.

  1. Upgrade the AWS CLI to v2. The new version defaults to using the regional STS endpoint.

  2. Add sts_regional_endpoints = regional to the .aws/config file for the AWS CLI [A]. This will change the STS endpoint to use the regional endpoint on older AWS CLI versions.

chocokoala
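A diagnostic to run on an instance in each subnet, as an added example that is not part of the original answer: it shows which STS hostname resolves to the VPC endpoint's private ENI addresses (the interface endpoint's private DNS only covers the regional name sts.ca-central-1.amazonaws.com, not the global sts.amazonaws.com that CLI v1 uses by default) and which endpoint the CLI's config selects, with a bounded probe instead of a hanging call. It assumes the region from the question, a Linux instance with curl, getent and coreutils timeout, and that the CLI config lives at AWS_CONFIG_FILE or ~/.aws/config.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Run it on an instance in each
# subnet to see which STS hostname resolves to the VPC endpoint's private ENI
# addresses and which endpoint the CLI is configured to use. Region from the
# post (ca-central-1); the two hostnames are AWS's public STS names.
REGION="${REGION:-ca-central-1}"
GLOBAL_HOST="sts.amazonaws.com"
REGIONAL_HOST="sts.${REGION}.amazonaws.com"

# RFC 1918 address => the endpoint ENI (private DNS applied); anything else
# is a public STS IP that a private subnet without NAT/IGW cannot reach.
classify_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    *) echo public ;;
  esac
}

# Which STS endpoint the CLI will pick, from the contents of the config file:
# "regional" only if sts_regional_endpoints = regional is set, else "legacy"
# (CLI v1's default, i.e. the global sts.amazonaws.com endpoint).
sts_endpoint_mode() {
  mode=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*sts_regional_endpoints[[:space:]]*=[[:space:]]*//p' \
    | tail -n 1 | tr -d '[:space:]')
  [ "$mode" = regional ] && echo regional || echo legacy
}

# Resolve a hostname and print every IPv4 address with its classification.
check_host() {
  addrs=$(getent hosts "$1" 2>/dev/null | awk '$1 ~ /^[0-9.]+$/ {print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "$1: no A record (private DNS not applied here?)"; return 1; }
  for a in $addrs; do echo "$1 -> $a ($(classify_ip "$a"))"; done
}

main() {
  tok=$(curl -s --max-time 2 -X PUT http://169.254.169.254/latest/api/token \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  echo "AZ: $(curl -s --max-time 2 -H "X-aws-ec2-metadata-token: $tok" \
        http://169.254.169.254/latest/meta-data/placement/availability-zone)"
  echo "CLI STS mode: $(sts_endpoint_mode "$(cat "${AWS_CONFIG_FILE:-$HOME/.aws/config}" 2>/dev/null)")"
  check_host "$GLOBAL_HOST" || true
  check_host "$REGIONAL_HOST" || true
  # Bounded probe of the regional endpoint instead of a CLI call that hangs forever.
  timeout 10 aws sts get-caller-identity --region "$REGION" \
    --endpoint-url "https://$REGIONAL_HOST" || echo "regional STS probe failed or timed out"
}
case "${1:-}" in run) main ;; esac   # invoke as: sh sts_diag.sh run
```

If the regional name resolves to public addresses in one subnet but private ones in the other, the endpoint's subnet association or the VPC's DNS settings differ between the AZs rather than the CLI.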