Why does ec2 describe-regions require an access key?


I'm looking for a way to enumerate AWS regions without using an access key or the AWS SDK at all. Good old curl from the shell. The code has to be future-proof.

I know AWS has provided publicly accessible API like this: https://aws.amazon.com/blogs/developer/querying-the-public-ip-address-ranges-for-aws/

Why is it that someone has to manually maintain a list, when AWS could just provide a public HTTP endpoint? https://github.com/jsonmaur/aws-regions

asked 2 months ago, 65 views
2 Answers


The "describe-regions" command outputs the regions enabled in your AWS account.
Since this command displays information about your AWS account, you need to use an access key.

In the past, I built a system that periodically ran the following command to obtain a list of AWS regions.
In this case there is no need to set an access key.
However, the following command also retrieves regions that are not enabled in your AWS account, so you have to manage that part yourself.

curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq .prefixes[].region | sort | uniq
answered 2 months ago
reviewed 2 months ago
  • Yeah, that's exactly what I wrote for my project. I didn't want to make assumptions about the endpoint URL.


The ec2 describe-regions command requires an access key because it's part of the AWS API, which is designed to be secure and authenticate users. However, your question highlights a valid point about the need for a public, unauthenticated way to enumerate AWS regions.

While AWS does provide some public APIs, like the one for querying IP address ranges, they haven't created a similar public endpoint for listing regions. This is likely due to a combination of factors, including security considerations and the fact that regions don't change very frequently.

The reason someone has to manually maintain a list is because AWS hasn't provided an official, public HTTP endpoint for this purpose. While it would be convenient to have such an endpoint, AWS may have reasons for not doing so, such as:

  1. Controlling access to region information
  2. Maintaining flexibility in how they release and manage region information
  3. Ensuring that applications are built to handle region changes gracefully

Without an official public endpoint, developers have resorted to maintaining their own lists or using authenticated API calls. This isn't ideal for scenarios where you need to enumerate regions without credentials or SDKs.

For a future-proof solution using only curl from a shell, you might consider:

  1. Using the public IP address ranges API and parsing it for region information
  2. Periodically checking the AWS documentation for updates
  3. Creating your own updatable list that you maintain based on official AWS announcements

While these aren't perfect solutions, they're the best options available without using access keys or SDKs, given the current limitations in publicly available AWS APIs for region enumeration.
DescribeRegions - Amazon Elastic Compute Cloud
Example policies to control access to the Amazon EC2 API - Amazon Elastic Compute Cloud

answered 2 months ago
reviewed 2 months ago
  • Wow. I didn't come all the way up here just to be answered by a machine.
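Worked example for the approach both answers point at (the curl | jq pipeline in the first answer and option 1 in the second): an added script by the editor, not code from either answerer. It needs no access key or SDK, only the public https://ip-ranges.amazonaws.com/ip-ranges.json document. It goes a little beyond the one-liner: it scans both the IPv4 "prefixes" and the IPv6 "ipv6_prefixes" lists (a region with only IPv6 space would be missed by the jq filter above), drops the "GLOBAL" pseudo-region that edge services such as CloudFront report, and can filter by service. The embedded JSON is a constructed subset in the real document's shape so the script runs offline; swap in fetch_ip_ranges() for the live list. Caveat from the first answer still applies: a region listed here is not necessarily enabled (opted in) for your account.

```python
"""Enumerate AWS regions from the public ip-ranges.json document.

Added example, not code from the original post. No access key or SDK is
needed: only the public ip-ranges.json endpoint (fetched with urllib here;
curl works just as well). SAMPLE_DOC is a constructed subset of the real file.
"""
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the real document's shape: "prefixes" (IPv4) and
# "ipv6_prefixes" (IPv6) entries, each carrying a region and a service.
# "GLOBAL" is the pseudo-region AWS uses for edge services, not a real region.
SAMPLE_DOC = json.loads("""
{
  "syncToken": "1700000000",
  "createDate": "2023-11-14-22-13-02",
  "prefixes": [
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON", "network_border_group": "ap-northeast-2"},
    {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "52.95.110.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    {"ipv6_prefix": "2a05:d07a:a000::/40", "region": "eu-south-1", "service": "AMAZON", "network_border_group": "eu-south-1"}
  ]
}
""")


def regions_from_ip_ranges(doc, include_global=False):
    """Return the sorted list of region codes present in an ip-ranges document.

    Both prefix lists are scanned so an IPv6-only region is not missed.
    GLOBAL is dropped unless explicitly requested.
    """
    regions = set()
    for key in ("prefixes", "ipv6_prefixes"):
        for entry in doc.get(key, []):
            regions.add(entry["region"])
    if not include_global:
        regions.discard("GLOBAL")
    return sorted(regions)


def regions_by_service(doc, service):
    """Regions in which a given service (e.g. "EC2") advertises address space."""
    return sorted({entry["region"]
                   for key in ("prefixes", "ipv6_prefixes")
                   for entry in doc.get(key, [])
                   if entry["service"] == service})


def fetch_ip_ranges(url=IP_RANGES_URL, timeout=10):
    """Download and parse the live document (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a periodic job,
    # store syncToken and only re-derive the list when it changes.
    doc = SAMPLE_DOC
    print("syncToken:", doc["syncToken"], "createDate:", doc["createDate"])
    for region in regions_from_ip_ranges(doc):
        print(region)
```

For a scheduled job, persist the document's syncToken and re-derive the region list only when it changes; the createDate field tells you how stale a cached copy is.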
