
DNS_AWS does not support role credentials from IMDSv2 #4960

Open
pipozzz opened this issue Jan 23, 2024 · 6 comments

Comments


pipozzz commented Jan 23, 2024

DNS_AWS does not support role credentials from IMDSv2

Steps to reproduce

Enable IMDSv2 on EC2.

Debug log

acme.sh  --issue .....   --debug 2
[Tue Jan 23 12:06:43 UTC 2024] You haven't specified the aws route53 api key id and and api key secret yet.

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.


pipozzz commented Jan 23, 2024

No, it's not fixed. I did it on the latest version; a debug log is not needed, I think this missing functionality is obvious. I checked your code where it's missing:

file: dns_aws.sh

_use_instance_role() {
  # IMDSv1 style: a plain GET to the role listing, with no session token
  # (no PUT to /latest/api/token, no X-aws-ec2-metadata-token header).
  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  _debug "_url" "$_url"
  # Probe the endpoint and expect an HTTP 200 status line; with IMDSv2
  # set to "Required" the token-less request is rejected and this fails.
  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
    _debug "Unable to fetch IAM role from instance metadata"
    return 1
  fi
  # Fetch the attached role name, then read its credentials from the
  # same metadata path, again without any IMDSv2 token.
  _aws_role=$(_get "$_url" "" 1)
  _debug "_aws_role" "$_aws_role"
  _use_metadata "$_url$_aws_role"
}
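The IMDSv2 flow that the snippet above lacks, as an added example (not acme.sh's code and not the fix that later shipped): a PUT with a TTL header yields a session token, and every metadata GET then carries that token; `_imds_http`, `_imds_token`, `_json_field` and `_imds_role_credentials` are assumed names.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: fetch EC2 instance-role credentials
# the IMDSv2 way (session token first, then token-authenticated GETs).
# Assumes curl; IMDS_BASE and IMDS_TOKEN_TTL are the standard IMDS values.
IMDS_BASE="${IMDS_BASE:-http://169.254.169.254}"
IMDS_TOKEN_TTL="${IMDS_TOKEN_TTL:-21600}"   # seconds; 6 hours is the IMDS maximum

# _imds_http METHOD PATH HEADER_NAME HEADER_VALUE: one request to IMDS.
# Prints the body; fails (curl -f) on any HTTP error. It is the only function
# that touches the network, so a test can replace it with a stub.
_imds_http() {
  curl -sS -f --connect-timeout 2 -X "$1" "$IMDS_BASE$2" -H "$3: $4"
}

# IMDSv2 step 1: a PUT with the TTL header yields a session token. IMDSv1
# clients skip this, and their GETs are refused once IMDSv2 is "Required".
_imds_token() {
  _imds_http PUT /latest/api/token X-aws-ec2-metadata-token-ttl-seconds "$IMDS_TOKEN_TTL"
}

# _json_field JSON KEY: pull one string value out of the flat credentials JSON.
_json_field() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Prints "AccessKeyId SecretAccessKey SessionToken" for the attached role, or
# prints nothing and returns 1 when there is no token, no role or bad JSON.
_imds_role_credentials() {
  _tok=$(_imds_token) && [ -n "$_tok" ] ||
    { echo "IMDSv2 token request failed" >&2; return 1; }
  # IMDSv2 step 2: every metadata GET carries the token header.
  _role=$(_imds_http GET /latest/meta-data/iam/security-credentials/ \
    X-aws-ec2-metadata-token "$_tok" | head -n 1)
  [ -n "$_role" ] || { echo "no IAM role attached to this instance" >&2; return 1; }
  _json=$(_imds_http GET "/latest/meta-data/iam/security-credentials/$_role" \
    X-aws-ec2-metadata-token "$_tok") || return 1
  _id=$(_json_field "$_json" AccessKeyId)
  _secret=$(_json_field "$_json" SecretAccessKey)
  _session=$(_json_field "$_json" Token)
  [ -n "$_id" ] && [ -n "$_secret" ] && [ -n "$_session" ] || return 1
  printf '%s %s %s\n' "$_id" "$_secret" "$_session"
}

# Run only when invoked as "sh script.sh --fetch" on an EC2 instance.
if [ "${1:-}" = "--fetch" ]; then _imds_role_credentials; fi
```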

@clsmyth-hellolabs

Just to make sure I understand... you do NOT wish to set IMDSv2 to "Optional" in the instance settings, correct?

Otherwise, please see below. Set IMDSv2 to "Optional". I did, and it worked for me. It failed with "You haven't specified the aws route53 api key id and and api key secret yet." when IMDSv2 was set to "Required".



pipozzz commented Jan 24, 2024

I use "Required" because AWS strongly recommends it; btw, it's barking in Security Hub when you have v1 enabled.


pipozzz commented Apr 17, 2024

Hi, I upgraded acme.sh and tried to rerun the --renew command, but no luck. I'm getting this error:

[Wed Apr 10 11:27:27 UTC 2024] Response error:
SenderInvalidClientTokenIdThe security token included in the request is invalid.3e91a42b-8398-4a6b-96e6-f3105b08eb21
When I try to get role credentials manually from the metadata service it works, but using acme.sh


A1bi commented Nov 11, 2024

This seems to be fixed in acme.sh 3.1.0.
