iam vpc endpoint


Hello, AWS people. I want to test the IAM VPC endpoint (com.amazonaws.iam). I want to use the IAM VPC endpoint in the ap-northeast-2 region.

  1. I made VPC peering between us-east-1 and Seoul.
  2. Created an IAM VPC endpoint in the us-east-1 region (DNS disabled).
  3. I created a private Route 53 hosted zone named iam.us-east-1.amazonaws.com.
     • When I created an iam.amazonaws.com hosted zone, it was reserved by AWS.
  4. I connected to a private EC2 instance with Session Manager and entered the aws iam list-roles command.

But I couldn't get any response. It shows that you can't connect to https://iam.amazonaws.com/.

What did I do wrong?

2 Answers

Thank you for providing the details of your setup. There are a few issues with your current configuration that are preventing the IAM VPC endpoint from working as expected:

  1. Region mismatch: You're trying to use the IAM VPC endpoint in the ap-northeast-2 (Seoul) region, but you've created the endpoint in us-east-1. The IAM control plane is located in us-east-1, so you're correct in creating the endpoint there. However, you need to ensure your AWS CLI is configured to use the us-east-1 region when making IAM calls.

  2. DNS configuration: You've disabled DNS for the VPC endpoint, which means you need to handle DNS resolution yourself. The private hosted zone you've created (iam.us-east-1.amazonaws.com) is not correct. You should create a private hosted zone for "iam.amazonaws.com" instead.

  3. DNS resolution: Even with the correct private hosted zone, your EC2 instance in ap-northeast-2 won't be able to resolve the DNS name to the private IP of the endpoint in us-east-1 without additional configuration.

To fix these issues:

  1. Ensure your AWS CLI is configured to use the us-east-1 region for IAM calls.

  2. Enable DNS for the VPC endpoint in us-east-1. This will automatically create the necessary DNS entries.

  3. If you prefer to keep DNS disabled, create a private hosted zone for "iam.amazonaws.com" (not iam.us-east-1.amazonaws.com) in Route 53, and add a CNAME record pointing to the VPC endpoint's DNS name.

  4. To allow DNS resolution across regions, you'll need to use AWS Transit Gateway instead of VPC peering. Transit Gateway allows you to share Route 53 Resolver rules across connected VPCs in different regions.

  5. Make sure your VPC's DHCP options set is configured to use AmazonProvidedDNS.

After making these changes, try your IAM command again from your EC2 instance. If you've configured everything correctly, the IAM calls should now go through the VPC endpoint in us-east-1.
Sources
Create a VPC endpoint for IAM - AWS Identity and Access Management
IAM service endpoint | AWS re:Post
Interface VPC endpoints - AWS Identity and Access Management

  • But, when I created a private hosted zone with iam.amazonaws.com, the error occurred: Domain Name contains invalid characters or is in an invalid format. (InvalidDomainName 400: iam.amazonaws.com is reserved by AWS!)


Hi mzhyo,

My understanding is that you don't have DNS resolution enabled on the N. Virginia (us-east-1) region VPC, is that correct?

About the private hosted zone: you are really not allowed to create iam.amazonaws.com, as this domain is reserved. IAM is a global service, so it doesn't have regional endpoints [1]; that's why you can't resolve using iam.us-east-1.amazonaws.com.

If you have this disabled, you can't use private DNS to point your VPC to the IAM URL (iam.amazonaws.com) [2].

For your use case, you should get the private IP that your VPC endpoint is resolving to from the AWS Console, and point the URL iam.amazonaws.com to it in your EC2 /etc/hosts file:

X.X.X.X iam.amazonaws.com

Once you add this line to the hosts file, and with the proper role, you will be able to call aws iam list-roles successfully. Don't forget to check the routes and security group rules.

[1] https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

[2] https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#prerequisites-interface-endpoints

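Added example (not part of either answer) that works through the /etc/hosts approach above: it picks the private IPs of the ENIs behind the available com.amazonaws.iam interface endpoint, writes an idempotent iam.amazonaws.com mapping into a hosts file, and checks that the chosen IP lies in a CIDR the Seoul VPC actually has a peering route to. The API responses are constructed inline in the shape boto3's describe_vpc_endpoints / describe_network_interfaces return; in real use you would fetch them with boto3 instead.

```python
"""Build the /etc/hosts override for an IAM interface endpoint whose private DNS is disabled."""
import ipaddress

IAM_HOST = "iam.amazonaws.com"
IAM_SERVICE = "com.amazonaws.iam"

# Constructed sample data mimicking ec2.describe_vpc_endpoints()["VpcEndpoints"].
SAMPLE_ENDPOINTS = [
    {"ServiceName": IAM_SERVICE, "State": "available", "VpcId": "vpc-0useast1example",
     "PrivateDnsEnabled": False, "NetworkInterfaceIds": ["eni-0aaa", "eni-0bbb"]},
    {"ServiceName": "com.amazonaws.us-east-1.s3", "State": "available", "VpcId": "vpc-0useast1example",
     "PrivateDnsEnabled": False, "NetworkInterfaceIds": []},   # gateway endpoint, no ENIs
]
# Constructed sample data mimicking ec2.describe_network_interfaces()["NetworkInterfaces"].
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "PrivateIpAddress": "10.0.1.25", "VpcId": "vpc-0useast1example"},
    {"NetworkInterfaceId": "eni-0bbb", "PrivateIpAddress": "10.0.2.31", "VpcId": "vpc-0useast1example"},
]
# CIDR of the us-east-1 VPC that the Seoul VPC's route table sends to the peering connection.
PEER_CIDRS = ["10.0.0.0/16"]


def endpoint_private_ips(vpc_endpoints, network_interfaces, service_name=IAM_SERVICE):
    """Private IPs of the ENIs behind the *available* endpoint for service_name (one per AZ)."""
    eni_by_id = {eni["NetworkInterfaceId"]: eni for eni in network_interfaces}
    ips = []
    for ep in vpc_endpoints:
        if ep["ServiceName"] != service_name or ep["State"] != "available":
            continue
        ips.extend(eni_by_id[eni_id]["PrivateIpAddress"] for eni_id in ep["NetworkInterfaceIds"])
    return ips


def reachable_via_peering(ip, peer_cidrs):
    """True when ip sits inside a CIDR the Seoul VPC has a route to over the peering connection."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in peer_cidrs)


def hosts_with_mapping(hosts_text, ip, host=IAM_HOST):
    """Return hosts_text with exactly one '<ip> <host>' line, dropping any stale mapping for host."""
    kept = [line for line in hosts_text.splitlines() if host not in line.split("#")[0].split()]
    kept.append(f"{ip} {host}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    ips = [ip for ip in endpoint_private_ips(SAMPLE_ENDPOINTS, SAMPLE_ENIS) if reachable_via_peering(ip, PEER_CIDRS)]
    print(hosts_with_mapping("127.0.0.1 localhost\n", ips[0]), end="")
```

Pick the ENI IP in the AZ closest to your workload, and remember that a hosts override does nothing for clients that pin the endpoint by its regional DNS name.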