Error when generating TLS certificate using AWS Route53 DNS challange, IAM EC2 instance role and assume role

[tadeuszkleszcz]

Hi,
I am getting the following error:

acme: error presenting token: route53: operation error Route 53: ListResourceRecordSets, get identity: get credentials: operation error STS: AssumeRole, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded

Configuration is done as in https://go-acme.github.io/lego/dns/route53/.

The error happens when I run the following commands:

export AWS_REGION=eu-central-1
export AWS_HOSTED_ZONE_ID="<zone ID removed>"
export AWS_ASSUME_ROLE_ARN="arn:aws:iam::<account removed>:role/<role removed>"

lego --dns.resolvers=1.1.1.1:53,8.8.8.8:53 \
     --domains <domain removed> \
     --email <email removed> \
     --dns route53 \
     --accept-tos=true \
     run

AWS IAM roles as set up according the the go-acme documentation.
Lego command is run on a different account than route 53 zone is present.
Access to the account with route 53 zone is done using AWS_ASSUME_ROLE_ARN.

This issue only happens when using the IAM instance profile and assume role to authenticate.
When I have assumed the role manually using aws sts assume-role and exported variables with creds:

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AWS_SESSION_TOKEN

Then go-acme successfully generated certs.

Please let me know what can be the cause of this issue and how it can be resolved or how I can diagnose it further.

[tadeuszkleszcz]

I have fixed this issue it turned out to be caused by the timeout while obtaining credentials using the IMDS endpoint.
I have found the solution in AWS SDK for Golang thread: aws/aws-sdk-go#2972 (comment).

I have fixed it by increasing http put response hop limit to 2 on the EC2 using command:

aws ec2 modify-instance-metadata-options \
    --instance-id <instance id> \
    --http-put-response-hop-limit 2