`aws ec2-instance-connect ssh` didn't work with updated instance connect endpoint

[perotinus]

Describe the bug

It looks like the ec2-instance-connect ssh and open-tunnel commands might not work correctly with EC2 Instance Connect Endpoints that have been updated.

I adjusted the security group on one of my EC2 Instance Connect Endpoints (using aws ec2-instance-connect modify-instance-connect-endpoint, and verified that the update worked, but when I tried to connect to an EC2 instance over SSH via the endpoint, the command failed:

$ aws ec2-instance-connect ssh --debug --instance-id i-XXXX
...
There are no available instance connect endpoints.

I looked at the debug output and noticed this line:

2025-09-10 18:18:54,428 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=DescribeInstanceConnectEndpoints) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8', 'User-Agent': 'aws-cli/2.29.1 md/awscrt#0.27.6 ua/2.1 os/macos#24.6.0 md/arch#x86_64 lang/python#3.13.7 md/pyimpl#CPython m/Z,C,b,E cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#ec2-instance-connect.ssh'}, 'body': {'Action': 'DescribeInstanceConnectEndpoints', 'Version': '2016-11-15', 'Filter.1.Name': 'state', 'Filter.1.Value.1': 'create-complete', 'Filter.2.Name': 'vpc-id', 'Filter.2.Value.1': 'vpc-XXXXXX'}, 'url': 'https://ec2.us-east-1.amazonaws.com/', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x1131e8050>, 'has_streaming_input': False, 'auth_type': None, 'unsigned_payload': None, 'auth_options': ['aws.auth#sigv4']}}

Specifically I noticed 'Filter.1.Name': 'state', 'Filter.1.Value.1': 'create-complete' in the body. I looked at the instance connect endpoints using the describe command, and noticed that the state of the one that I updated was update-complete, which seemed like it would explain why it wasn't found. I recreated the endpoint exactly as it was after the update (except for the state and other automated values), and then SSH started working.

(It's possible there was a confounding factor here; I haven't tried to repro from scratch).

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

The ec2-instance connect ssh and open-tunnel commands work for updated EC2 instance connect instances.

Current Behavior

The ec2-instance connect ssh and open-tunnel commands don't find updated EC2 instance connect instances.

Reproduction Steps

I believe the following would repro the issue:

1. Create an EC2 instance connect endpoint
2. Update the EC2 instance connect endpoint (using the modify-instance-connect-endpoint CLI command)
3. Try to SSH using the EC2 instance connect endpoint

Possible Solution

Adjust the filter in the SSH command to look for instances with the update-complete state.

Additional Information/Context

No response

CLI version used

aws-cli/2.29.1 Python/3.13.7 Darwin/24.6.0 exe/x86_64

Environment details (OS name and version, etc.)

macOS 15.6.1

[adev-code]

Hello @perotinus, thanks for reaching out. I have reproduced the issue and I have reached out to the ec2-instance-connect service team in regards to the issue. An update will be given if theres any update from the team.

Internal Ref: P303183561

[CharlesReinhardt]

Raised the above pull request to fix the issue. We've reviewed the change internally with other members of the ec2-instance-connect service team.

[adev-code]

Hello @perotinus, fix has been merged and should be available at version 2.30.6.