@@ -155,7 +155,7 @@ export class AwsClient extends BaseExternalAccountClient {
155155 // The credential config contains all the URLs by default but clients may be running this
156156 // where the metadata server is not available and returning the credentials through the environment.
157157 // Removing this check may break them.
158- if ( this . shouldUseMetadataServer ( ) && this . imdsV2SessionTokenUrl ) {
158+ if ( ! this . regionFromEnv && this . imdsV2SessionTokenUrl ) {
159159 metadataHeaders [ 'x-aws-ec2-metadata-token' ] =
160160 await this . getImdsV2SessionToken ( ) ;
161161 }
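Review bot: The comment at 155–157 no longer matches the condition below it at line 158. It speaks of credentials returned through the environment, while the new check looks only at `this.regionFromEnv`. I would reword it along the lines of `// Fetch the IMDSv2 session token here only when the region must come from the metadata server; the credential lookup requests its own token.` The enclosing method starts and ends outside the hunk, so any earlier comment describing the old "region or credentials" rule should be checked as well.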
@@ -167,6 +167,10 @@ export class AwsClient extends BaseExternalAccountClient {
167167 if ( this . securityCredentialsFromEnv ) {
168168 return this . securityCredentialsFromEnv ;
169169 }
170+ if ( this . imdsV2SessionTokenUrl ) {
171+ metadataHeaders [ 'x-aws-ec2-metadata-token' ] =
172+ await this . getImdsV2SessionToken ( ) ;
173+ }
170174 // Since the role on a VM can change, we don't need to cache it.
171175 const roleName = await this . getAwsRoleName ( metadataHeaders ) ;
172176 // Temporary credentials typically last for several hours.
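Review bot: The block added at 170–173 has no comment explaining why the session token is requested again when line 158 may already have set the same header on `metadataHeaders`. When neither the region nor the credentials come from the environment, this means two session-token requests. If that is intended (for example because this code runs later than the region lookup, which the hunk does not show), say so with something like `// Request a fresh IMDSv2 session token for the credential lookup; the region path may have skipped it or its token may have expired.` The comment should also note that when `imdsV2SessionTokenUrl` is unset, the role and credential requests go out without `x-aws-ec2-metadata-token`, so IMDSv2 is used only when that URL is configured. The enclosing function continues outside the hunk.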
@@ -316,12 +320,6 @@ export class AwsClient extends BaseExternalAccountClient {
316320 return response . data ;
317321 }
318322
319- private shouldUseMetadataServer ( ) : boolean {
320- // The metadata server must be used when either the AWS region or AWS security
321- // credentials cannot be retrieved through their defined environment variables.
322- return ! this . regionFromEnv || ! this . securityCredentialsFromEnv ;
323- }
324-
325323 private get regionFromEnv ( ) : string | null {
326324 // The AWS region can be provided through AWS_REGION or AWS_DEFAULT_REGION.
327325 // Only one is required.