SDK client with CrtHttpEngine hangs on EC2 during credential acquisition #209

@szymonsasin-nordic

Describe the bug

When an SqsClient (or any other AWS SDK client) is configured to use the CrtHttpEngine and is running on an EC2 instance, it hangs indefinitely when attempting its first operation (e.g., getQueueUrl). The CRT debug logs indicate that the client is stuck in a loop trying to resolve credentials from the EC2 Instance Metadata Service (IMDS) at 169.254.169.254, but the request never completes.
This suggests that when CrtHttpEngine is set as the client's HTTP engine, the default credential provider chain fails to properly acquire credentials from the instance profile.
The issue is resolved by explicitly setting the credentialsProvider on the SqsClient to a new instance of DefaultChainCredentialsProvider. This works because the credential provider instantiates its own default HTTP client for the IMDS communication, bypassing the CrtHttpEngine for the credential acquisition step.

Expected Behavior

The SqsClient configured with CrtHttpEngine should seamlessly use the default credential provider chain to acquire credentials from the EC2 instance profile without hanging, and then proceed to make the SQS API call.

Current Behavior

The SqsClient call never returns. The application hangs, and CRT logs show repeated, unsuccessful attempts to communicate with the IMDS.

Reproduction Steps

1. Create a Kotlin application using the AWS SDK for Kotlin.
2. Configure an SqsClient to use CrtHttpEngine without explicitly setting a credentialsProvider.

    val crtSqsClient = SqsClient {
        region = "us-east-1"
        httpClient = CrtHttpEngine()
        // No explicit credentialsProvider
    }

3. Deploy and run this application on an EC2 instance that has an IAM role attached.
4. Attempt to make an SQS API call, such as getQueueUrl.
5. Observe that the call hangs and never completes.

Possible Solution

No response

Additional Information/Context

The problem can be worked around by explicitly initializing and setting the DefaultChainCredentialsProvider on the client.

val crtSqsClient = SqsClient {
    region = "us-east-1"
    httpClient = CrtHttpEngine()
    // Explicitly setting the provider works
    credentialsProvider = aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider()
}

aws-crt-kotlin version used

0.38.13

Kotlin version used

2.2.21

Operating System and version

Linux
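
A startup check built on the workaround above, as an added example that is not part of the original report or the SDK project's code: it resolves credentials separately from the first SQS call and bounds both, so a stall is reported as a failure and attributed to the right step. The helper `boundedOrNull`, the 10-second limits, the exit codes and the queue name are assumptions made for illustration.

```kotlin
import aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider
import aws.sdk.kotlin.services.sqs.SqsClient
import aws.smithy.kotlin.runtime.http.engine.crt.CrtHttpEngine
import kotlinx.coroutines.CoroutineScope
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.SupervisorJob
import kotlinx.coroutines.async
import kotlinx.coroutines.cancel
import kotlinx.coroutines.withTimeoutOrNull
import kotlin.system.exitProcess
import kotlin.time.Duration
import kotlin.time.Duration.Companion.seconds

// Hypothetical helper (not an SDK API): run `block` on a detached scope and stop waiting
// after `limit`. Awaiting the Deferred is cancellable even if the work never returns.
suspend fun <T : Any> boundedOrNull(limit: Duration, block: suspend () -> T): T? {
    val scope = CoroutineScope(Dispatchers.IO + SupervisorJob())
    return try {
        val pending = scope.async { block() }
        withTimeoutOrNull(limit) { pending.await() }
    } finally {
        scope.cancel() // best effort; a task that ignores cancellation is abandoned
    }
}

suspend fun main() {
    // Workaround from the report: an explicit provider, resolved on its own first
    // so a stall is attributed to credential acquisition and not to SQS.
    val provider = DefaultChainCredentialsProvider()
    if (boundedOrNull(10.seconds) { provider.resolve() } == null) {
        System.err.println("credential resolution did not finish within 10s")
        exitProcess(2)
    }
    println("credentials resolved") // never log the credential values themselves
    SqsClient {
        region = "us-east-1"
        httpClient = CrtHttpEngine()
        credentialsProvider = provider
    }.use { sqs ->
        val url = boundedOrNull(10.seconds) { // "example-queue" is a placeholder name
            sqs.getQueueUrl { queueName = "example-queue" }.queueUrl ?: "(no URL returned)"
        }
        if (url == null) {
            System.err.println("getQueueUrl did not finish within 10s")
            exitProcess(3)
        }
        println("queue URL: $url")
    }
}
```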

Labels: bug (Something isn't working)