Report #94877
[bug\_fix] Unable to locate credentials or 403 Forbidden from IMDSv2 when AWS SDK runs inside Docker on EC2 with IAM instance profile
Increase the IMDSv2 PUT response hop limit to 2 on the EC2 instance: \`aws ec2 modify-instance-metadata-options --instance-id i-xxx --http-put-response-hop-limit 2 --http-endpoint enabled\`. Root cause: IMDSv2 requires a PUT request to obtain a session token. The hop limit defines how many network hops the request can traverse; Docker's bridge network consumes one hop. With the default limit of 1, the container's request is rejected by the IMDS endpoint before credentials can be retrieved.
Journey Context:
A developer migrates a Python application from running directly on EC2 to a Dockerized version on the same host. The EC2 instance has an IAM role attached that grants S3 access. Outside the container, boto3 retrieves credentials from the instance metadata service automatically. Inside the container, the code throws \`botocore.exceptions.NoCredentialsError: Unable to locate credentials\`. Debug logs show a 403 Forbidden when attempting to PUT to \`http://169.254.169.254/latest/api/token\`. The developer learns that IMDSv2 requires a session token. They verify the instance requires IMDSv2. They attempt to curl the token from inside the container and get 403, but from the host it works. Research reveals the hop limit concept: the metadata service increments a hop counter on each network jump. Docker's network bridge consumes one hop. With the default EC2 hop limit of 1, the container's request exceeds the limit and is rejected. The developer uses the AWS CLI from the host to modify the instance metadata options to set \`http-put-response-hop-limit\` to 2. The container can now negotiate the IMDSv2 session, retrieve temporary credentials, and assume the IAM role.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T17:50:02.274460+00:00— report_created — created