Replies: 1 comment
Thanks for reporting this. You are right, PowerShell 5 uses .NET SDK v4. Can you please capture the logs and send them to us? The code below enables logs in PowerShell. Please make sure to redact any sensitive output if necessary. Also, it would be great if you could send us instructions for the environment setup to reproduce this issue.
Are there documents on what has changed between version 4 and 5 of the credential management?
I have read:
https://docs.aws.amazon.com/powershell/v5/userguide/migrating-v5.html
and
https://docs.aws.amazon.com/powershell/v5/userguide/creds-assign.html
But something subtle has changed that I haven't been able to locate.
We have an EC2 instance that is the Docker host for a deployment server. The deployment server is an orchestrator for when and how the containers are launched. The containers launch with network = host.
On version 4, both the EC2 instance and the containers use the EC2 role when executing AWS cmdlets. Note: the container can reach the IMDS.
When we migrated to version 5, the EC2 instance can still run as the role, but the container now says that it can obtain the AWS credentials. Note: it can still access the IMDS.
My question is: although our infra and processes haven't changed, when we move from v4 to v5 the containers have stopped working. Is this intentional and a change to the security structure, or is this a bug? If it's a change, are there any recommended patterns to run the container using the EC2 role?
edit:
Reading further I see:
https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
I believe V5 has swapped to SDK v4, which means IMDSv2 is used, and this line then jumps out:
"A session token can only be used directly from the EC2 instance where that session began."
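A diagnostic for the situation described in the question, added here as an example and not part of the original thread or of the AWS Tools for PowerShell project. "Can reach the IMDS" and "can complete the IMDSv2 handshake" are different things: IMDSv1 is a plain GET, while IMDSv2 first needs a PUT to `/latest/api/token` and then sends that token on every GET. Running the function below once on the EC2 host and once inside the container, with the same module version, shows which of the two paths works in each place. Only the well-known IMDS endpoint and paths are used; the function name and the output fields are this example's own. The GET on `/latest/meta-data/iam/security-credentials/` lists the role name and does not print the secret key, so the output is safe to paste into a report.

```powershell
# Added example (not from the original thread): compare IMDSv1 and IMDSv2
# access to the instance-role credentials from the same process.
# Run on the EC2 host and again inside the container and compare the results.
$Imds = 'http://169.254.169.254'                          # link-local IMDS endpoint
$CredPath = "$Imds/latest/meta-data/iam/security-credentials/"  # returns the role name only

function Test-Imds {
    param([int]$TimeoutSec = 2)   # IMDS answers instantly; a short timeout keeps failures quick

    # Hypothetical result shape for this example; adjust to taste.
    $result = [ordered]@{ V1Role = $null; V2TokenOk = $false; V2Role = $null; Error = @() }

    # IMDSv1: plain GET. Succeeds only while the instance still allows v1
    # (HttpTokens = optional); a 401 here means v1 has been disabled.
    try {
        $result.V1Role = Invoke-RestMethod -Uri $CredPath -Method Get -TimeoutSec $TimeoutSec
    } catch {
        $result.Error += "v1 GET: $($_.Exception.Message)"
    }

    # IMDSv2: PUT for a session token, then GET with the token header.
    # If the PUT fails but the v1 GET above worked, the v2 handshake itself is
    # what the container cannot complete; that is the case to report.
    try {
        $token = Invoke-RestMethod -Uri "$Imds/latest/api/token" -Method Put -TimeoutSec $TimeoutSec `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '21600' }
        $result.V2TokenOk = -not [string]::IsNullOrEmpty($token)
        $result.V2Role = Invoke-RestMethod -Uri $CredPath -Method Get -TimeoutSec $TimeoutSec `
            -Headers @{ 'X-aws-ec2-metadata-token' = $token }
    } catch {
        $result.Error += "v2: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Record the PowerShell version alongside the result; the thread hinges on
# PowerShell 5.x (Windows PowerShell) versus the v5 module built on .NET SDK v4.
[pscustomobject]@{
    PSVersion = $PSVersionTable.PSVersion.ToString()
    Imds      = Test-Imds
} | Format-List
```

If the host shows both `V1Role` and `V2Role` populated while the container shows `V1Role` populated and `V2TokenOk` false, the container can reach the IMDS but cannot obtain an IMDSv2 session token, which is the only path an IMDSv2-only client will try. That output, together with the redacted SDK logs the maintainer asked for, is what pins the difference between v4 and v5 down to the IMDSv2 handshake rather than to a credential-resolution change in the module.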