
Going through AWS documentation (not sure how to test it) I'm not 100% clear how the interaction between EC2 and STS works in relation to security credentials being stored in the Instance Metadata. The specific question is whether the regional STS endpoint is used once it is enabled (details about default and manual enablement would also be great) or, on the other hand, it uses the global sts.amazonaws.com STS endpoint. How about other AWS services using STS for temporary credentials? Do they also use regional STS endpoints automatically once they are enabled?

Thanks a lot!

Unable to get into internal AWS specifics (IMDSv2-STS) and not finding the proper documentation.

  • When using EC2 Instance Metadata, there is no need for your code to call STS -- the credentials are provided automatically. Thus, it is not clear why you are asking about STS endpoints. – John Rotenstein Jul 13 '23 at 22:38
  • As far as I understand, there is a call to the STS service to get the temporary token when an IAM Role is assigned to an EC2 instance. This token is stored in the metadata service and later used by the EC2 instance. Isn't it? – Samuel Osorio Jul 14 '23 at 07:33

1 Answer


Any software that uses an AWS SDK (including the AWS CLI) will automatically retrieve credentials from the Instance Metadata service. Those credentials will be temporary credentials associated with the IAM Role.

Therefore, your code can simply use the SDK or CLI without having to provide credentials. There is no need to call STS to obtain credentials.

For example, you could simply use the AWS CLI:

aws s3 ls

Similarly, you could use an AWS SDK like this:

import boto3

s3_client = boto3.client('s3')

response = s3_client.list_buckets()

In both cases, credentials will be automatically retrieved from the Instance Metadata service.

John Rotenstein
  • Any SDK can configure the STS endpoint to query, be it global or regional. The point of the question was whether internal AWS mechanisms (IMDSv2-STS) will make use of regional STS endpoints or not. – Samuel Osorio Jul 14 '23 at 09:36
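As an added illustration (not code from the question or the answer above), the following script walks the same IMDSv2 path an SDK credential provider takes on an instance: PUT a session token, read the attached role name, then read that role's credential document. It contacts only the link-local metadata endpoint, never an STS endpoint, and reports how long the temporary credentials remain valid; the role name, key values and the fake IMDS transport are constructed placeholders so it also runs off an instance.

```python
"""Inspect the temporary role credentials IMDSv2 serves to an EC2 instance."""
import json
import urllib.request
from datetime import datetime, timezone

IMDS_BASE = "http://169.254.169.254/latest"  # link-local metadata endpoint
CRED_PATH = "/meta-data/iam/security-credentials/"


def urllib_transport(method, url, headers):
    """Default transport: perform the HTTP call and return the body as text."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_role_credentials(transport=urllib_transport, token_ttl=60):
    """Return (role_name, credential_document) exactly as IMDSv2 serves them.

    Mirrors the SDK provider: token handshake, role lookup, credential read.
    No STS endpoint, regional or global, is contacted by this code.
    """
    token = transport("PUT", IMDS_BASE + "/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    auth = {"X-aws-ec2-metadata-token": token}
    role = transport("GET", IMDS_BASE + CRED_PATH, auth).strip().splitlines()[0]
    doc = json.loads(transport("GET", IMDS_BASE + CRED_PATH + role, auth))
    if doc.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {doc.get('Code')!r} for role {role}")
    return role, doc


def seconds_until_expiry(doc, now_iso=None):
    """Remaining lifetime of the credentials, using the document's Expiration."""
    parse = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = parse(now_iso) if now_iso else datetime.now(timezone.utc)
    return int((parse(doc["Expiration"]) - now).total_seconds())


# Constructed sample document in the field layout IMDS uses (placeholder values).
SAMPLE_DOC = {"Code": "Success", "LastUpdated": "2023-07-14T09:00:00Z", "Type": "AWS-HMAC",
              "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER", "SecretAccessKey": "placeholder-secret",
              "Token": "placeholder-session-token", "Expiration": "2023-07-14T15:00:00Z"}


def fake_imds(method, url, headers):
    """Constructed stand-in IMDSv2 that enforces the token handshake like the real one."""
    if method == "PUT" and url.endswith("/api/token"):
        return "constructed-imds-token"
    if headers.get("X-aws-ec2-metadata-token") != "constructed-imds-token":
        raise PermissionError("401: IMDSv2 requires a session token")  # no IMDSv1 fallback
    if url.endswith(CRED_PATH):
        return "ExampleInstanceRole\n"
    return json.dumps(SAMPLE_DOC)
```

On a real instance call `fetch_role_credentials()` with the default transport; the fake transport lets the same flow run anywhere.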