
Why does ec2 describe-regions require an access key?

0

I'm looking for a way to enumerate AWS regions without using an access key or the AWS SDK at all. Good old curl from the shell. The code has to be future-proof.

I know AWS has provided publicly accessible API like this: https://aws.amazon.com/blogs/developer/querying-the-public-ip-address-ranges-for-aws/

Why is it that someone has to manually maintain a list, when AWS could just provide a public HTTP endpoint? https://github.com/jsonmaur/aws-regions

asked 24 days ago, 44 views
2 Answers
1

Hello.

The "describe-regions" command outputs the regions enabled in your AWS account.
Since this command displays information in your AWS account, you will need to use an access key.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-regions.html

In the past, I built a system that periodically executed the following command to obtain a list of AWS regions.
In this case, there is no need to set an access key.
However, the following command also retrieves a list of regions that are not enabled in your AWS account, so you have to manage that part yourself.
https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html
https://ip-ranges.amazonaws.com/ip-ranges.json

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[].region' | sort -u
answered 24 days ago (EXPERT)
reviewed 24 days ago (EXPERT)
  • Yeah, that's exactly what I wrote for my project. I didn't want to make assumptions about the endpoint URL.

0

The ec2 describe-regions command requires an access key because it's part of the AWS API, which is designed to be secure and authenticate users. However, your question highlights a valid point about the need for a public, unauthenticated way to enumerate AWS regions.

While AWS does provide some public APIs, like the one for querying IP address ranges, they haven't created a similar public endpoint for listing regions. This is likely due to a combination of factors, including security considerations and the fact that regions don't change very frequently.

The reason someone has to manually maintain a list is that AWS hasn't provided an official, public HTTP endpoint for this purpose. While it would be convenient to have such an endpoint, AWS may have reasons for not doing so, such as:

  1. Controlling access to region information
  2. Maintaining flexibility in how they release and manage region information
  3. Ensuring that applications are built to handle region changes gracefully

Without an official public endpoint, developers have resorted to maintaining their own lists or using authenticated API calls. This isn't ideal for scenarios where you need to enumerate regions without credentials or SDKs.

For a future-proof solution using only curl from a shell, you might consider:

  1. Using the public IP address ranges API and parsing it for region information
  2. Periodically checking the AWS documentation for updates
  3. Creating your own updatable list that you maintain based on official AWS announcements

While these aren't perfect solutions, they're the best options available without using access keys or SDKs, given the current limitations in publicly available AWS APIs for region enumeration.
Sources
DescribeRegions - Amazon Elastic Compute Cloud
Example policies to control access to the Amazon EC2 API - Amazon Elastic Compute Cloud

answered 24 days ago
reviewed 24 days ago (EXPERT)
  • Wow. I didn't come all the way up here just to be answered by a machine.
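The procedure both answers describe (fetch ip-ranges.json, pull out the region field, then keep track of which of those regions your account actually uses) as an added example in Python rather than a jq one-liner. This is not code from either answer or from AWS. It assumes the feed's top-level fields syncToken, createDate, prefixes and ipv6_prefixes, and that edge-service prefixes carry the pseudo-region "GLOBAL"; the embedded sample feed is constructed so the script runs offline, and fetch_feed() points at the live URL from the first answer.

```python
"""Enumerate AWS regions from the public ip-ranges.json feed, no credentials needed.

Added example, not code from either answer above. It does what the jq pipeline
in the first answer does and adds the bookkeeping that answer says you must do
yourself: the feed lists every region AWS publishes prefixes for, including
regions your account has not enabled, plus the pseudo-region "GLOBAL" used for
edge services such as CloudFront.
"""
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample with the same top-level shape as the real feed
# (syncToken, createDate, prefixes, ipv6_prefixes). Prefixes are documentation
# ranges and "xx-example-1" is a made-up region standing in for one that AWS
# launched after you last reviewed your list.
SAMPLE_FEED_JSON = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.128/25", "region": "xx-example-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "af-south-1", "service": "AMAZON"},
    ],
})


def load_sample_feed():
    """Parse the constructed sample so the example runs offline."""
    return json.loads(SAMPLE_FEED_JSON)


def fetch_feed(url=IP_RANGES_URL, timeout=10):
    """Download the live feed. urllib verifies the TLS certificate by default,
    which is the only integrity check this unauthenticated source offers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def regions_from_feed(feed):
    """Sorted region codes from both the IPv4 and IPv6 prefix lists.

    The jq one-liner reads only .prefixes; a region that so far has only IPv6
    entries would be missed, so both lists are scanned. "GLOBAL" is dropped
    because it is not a region you can address with a regional API endpoint.
    """
    regions = set()
    for key in ("prefixes", "ipv6_prefixes"):
        for entry in feed.get(key, []):
            regions.add(entry["region"])
    regions.discard("GLOBAL")
    return sorted(regions)


def classify_regions(feed_regions, approved_regions):
    """Split feed regions into the ones on your approved list and the rest.

    Anything in 'unexpected' is a region the feed knows about but you have not
    reviewed: either one you never enabled or a newly launched one. Treat it as
    a change to act on (enable, deny via policy, or document), not as a region
    to start deploying into automatically.
    """
    approved = set(approved_regions)
    known = sorted(r for r in feed_regions if r in approved)
    unexpected = sorted(r for r in feed_regions if r not in approved)
    return known, unexpected


def feed_changed(feed, last_seen_sync_token):
    """True when the feed's syncToken differs from the one stored last run,
    so a periodic job can skip re-processing an unchanged feed."""
    return str(feed.get("syncToken")) != str(last_seen_sync_token)


if __name__ == "__main__":
    feed = load_sample_feed()  # swap for fetch_feed() to read the live feed
    regions = regions_from_feed(feed)
    known, unexpected = classify_regions(regions, ["us-east-1", "eu-west-1"])
    print("feed syncToken:", feed["syncToken"])
    print("regions in feed:", regions)
    print("approved:", known)
    print("needs review:", unexpected)
```

The approved list is the part the first answer says you have to manage yourself: the feed cannot tell you which regions are enabled in your account, so the script only reports which feed regions are outside the list you maintain, and the syncToken check lets a scheduled job notice when the feed has actually changed.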
