I have created an instance running bare AL2023. This instance has an IAM role associated with it which has a single policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "cognito-idp:ListUserPools"
            ],
            "Resource": "*"
        }
    ]
}
The instance has all outbound traffic open. If I call aws s3api list-buckets --region eu-central-1 it works fine. However, if I call aws cognito-idp list-user-pools --max-results 1 --region eu-central-1 it gets stuck and never returns. Running it with --debug, it gets stuck at:
2023-03-21 15:51:48,435 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): cognito-idp.eu-central-1.amazonaws.com:443
Credentials are loaded correctly:
2023-03-21 15:51:48,335 - MainThread - botocore.credentials - DEBUG - Found credentials from IAM Role: xxx
If I grab the generated headers that the debug output shows and make a curl request from within the same instance, it succeeds:
> curl -X POST -d '{"MaxResults": 1}' \
    -H 'X-Amz-Target: AWSCognitoIdentityProviderService.ListUserPools' \
    -H 'Content-Type: application/x-amz-json-1.1' \
    -H 'User-Agent: aws-cli/2.9.19 Python/3.9.16 Linux/6.1.15-28.43.amzn2023.x86_64 source/x86_64.amzn.2023 prompt/off command/cognito-idp.list-user-pools' \
    -H 'X-Amz-Date: 20230321T160116Z' \
    -H 'X-Amz-Security-Token: XXX' \
    -H 'Authorization: XXX' \
    -H 'Content-Length: 17' \
    https://cognito-idp.eu-central-1.amazonaws.com:443
{"NextToken":"xxx","UserPools":[{"CreationDate":xxx,"Id":"xxx","LastModifiedDate":xxx,"Name":"xxx"}]}
What is happening? Why can't the CLI complete the request when calling Cognito? The instance has access to Cognito (I can curl it fine).