`sns:Publish` on an ECS task role

Something something IPTABLES?

This is a good sign that something is misconfigured, i.e. an “escape” to the host role is not desirable

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-container-ec2-metadata/

Yeah the task is configured with “bridge” mode

But is the task escaping to the host role just because it can? Why wouldn’t it assume the task role even if it had access to the instance metadata?

And if this was the issue the s3 permissions mentioned above would also raise an error, since the instance role doesn’t have s3 permissions and only the task role has them. No issue with s3 though :shrug:

Does the code that interacts with S3 instantiate the client in the SDK in a different manner?

It could be evaluating the credential provider chain differently

Does your SNS topic have an access policy?

The access policy has been the same and unchanged for a long time.

It might indeed be how the SDK is obtaining creds

Damn it, it had to be some silly thing. You were right :hugging_face:

We’ve recently updated the S3 client instantiation, but the SNS client is still using Aws::InstanceProfileCredentials.new, so we are forcing it to assume the instance role :face_palm:

Thank you all for the help :man-bowing:

Nice! Glad it’s sorted