Getting error when running Cloudhsm configure-cli with clusterId

The error you're encountering when running the configure-cli with the --cluster-id option is likely related to an issue with Instance Metadata Service Version 2 (IMDSv2). This problem specifically impacts users running the configure tool on SDK versions 5.5.0 and later in containerized environments and utilizing EC2 instance metadata to provide credentials.

To resolve this issue, you need to adjust the PUT response hop limit. The recommended workaround is to set the PUT response hop limit to at least two. This can typically be done through your EC2 instance configuration settings.

It's worth noting that using the -a option with the HSM IP address directly, as you mentioned, bypasses this issue because it doesn't rely on the instance metadata service to retrieve cluster information. However, this method is not recommended for long-term use, as it won't associate the configuration with a cluster ID, which can limit certain functionalities.

If you need to use the --cluster-id option (which is generally preferred), you should:

1. Ensure you're using the correct and full cluster ID.
2. Check that your EC2 instance has the necessary permissions to describe CloudHSM clusters.
3. Verify that your security groups are correctly configured to allow communication with the CloudHSM service.
4. Adjust the PUT response hop limit as mentioned earlier.

If the issue persists after trying these steps, you may need to contact AWS support for further assistance, as there could be underlying network or permission issues specific to your setup.
Sources
Known issues for all HSM instances - AWS CloudHSM
AWS CloudHSM Client SDK 5 configuration examples - AWS CloudHSM
Multi-cluster prerequisites for AWS CloudHSM - AWS CloudHSM