1

We're trying to access AWS Services from a private subnet in a VPC using a VPC endpoint or Private Link. We're trying to avoid adding a NAT gateway on the private subnet.

We created/added VPC endpoints (i.e. the AWS services for EC2 and S3):
com.amazonaws.us-east-2.ec2
com.amazonaws.us-east-2.s3

But we're not able to access something like com.amazonaws.us-east-2.iam; is there an IAM endpoint, is this supported, or is there any workaround for us to use IAM via a VPC endpoint on us-east-2?

Here's the error we're getting when we use the latest version of the Java AWS SDK to get the IAM role attached to the EC2 instance programmatically:

org.apache.http.conn.ConnectTimeoutException: Connect to iam.amazonaws.com:443 [iam.amazonaws.com/

Thanks for any information you can provide.

bherto39

1 Answer

4

As of May 2022, VPC endpoint for IAM is not supported. You'd have to connect to IAM via internet. Or as a workaround, you can do IAM actions in CloudFormation.

jellycsc
  • Thanks for that quick answer, now I can search about that workaround in cloudformation. Cheers =) – bherto39 May 19 '22 at 16:16
  • @bherto39 Absolutely :) – jellycsc May 19 '22 at 16:23
  • Here is the list of currently supported AWS resources: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html It's a shame IAM is not part of it. – cedric Sep 15 '22 at 13:16
  • @jellycsc So , for further clarification, this would mean a VPC endpoint for cloudformation and using a cloudformation template that creates IAM Roles and policies, for example, would work? – Sebastian A Mar 20 '23 at 11:47
  • @SebastianA Yes, that would work. – jellycsc Mar 20 '23 at 15:20