kubernetes-sigs · haouc · Apr 7, 2026 · oliviassss · Apr 7, 2026 · haouc
diff --git a/pkg/aws/aws_config.go b/pkg/aws/aws_config.go
@@ -2,6 +2,9 @@ package aws
 
 import (
 	"context"
+	"net/http"
+	"time"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
 	"github.com/aws/aws-sdk-go-v2/aws/ratelimit"
@@ -16,8 +19,15 @@ import (
 
 const (
 	userAgent = "elbv2.k8s.aws"
+	// defaultAWSSDKClientTimeout is the timeout for individual HTTP requests made by AWS SDK clients.
+	defaultAWSSDKClientTimeout = 10 * time.Second
 )
 
+// newDefaultHTTPClient returns an http.Client with the standard AWS SDK timeout.
+func newDefaultHTTPClient() *http.Client {
+	return &http.Client{Timeout: defaultAWSSDKClientTimeout}
+}
+
 func NewAWSConfigGenerator(cfg CloudConfig, ec2IMDSEndpointMode imds.EndpointModeState, metricsCollector *awsmetrics.Collector) AWSConfigGenerator {
 	return &awsConfigGeneratorImpl{
 		cfg:                 cfg,
@@ -42,6 +52,7 @@ func (gen *awsConfigGeneratorImpl) GenerateAWSConfig(optFns ...func(*config.Load
 
 	defaultOpts := []func(*config.LoadOptions) error{
 		config.WithRegion(gen.cfg.Region),
+		config.WithHTTPClient(newDefaultHTTPClient()),
 		config.WithRetryer(func() aws.Retryer {
 			return retry.NewStandard(func(o *retry.StandardOptions) {
 				o.RateLimiter = ratelimit.None

diff --git a/pkg/aws/aws_config_test.go b/pkg/aws/aws_config_test.go
@@ -0,0 +1,25 @@
+package aws
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_GenerateAWSConfig_SetsHTTPClientTimeout(t *testing.T) {
+	gen := NewAWSConfigGenerator(CloudConfig{
+		Region:     "us-west-2",
+		MaxRetries: 3,
+	}, imds.EndpointModeStateIPv4, nil)
+
+	cfg, err := gen.GenerateAWSConfig()
+	require.NoError(t, err)
+	require.NotNil(t, cfg.HTTPClient)
+
+	httpClient, ok := cfg.HTTPClient.(*http.Client)
+	require.True(t, ok, "HTTPClient should be *http.Client")
+	assert.Equal(t, defaultAWSSDKClientTimeout, httpClient.Timeout)
+}
diff --git a/pkg/aws/cloud.go b/pkg/aws/cloud.go
@@ -53,10 +53,10 @@ func NewCloud(cfg CloudConfig, clusterName string, metricsCollector *aws_metrics
 		ec2IMDSEndpointMode = imds.EndpointModeStateIPv4
 	}
 	endpointsResolver := epresolver.NewResolver(cfg.AWSEndpoints)
-	ec2MetadataCfg, err := config.LoadDefaultConfig(context.TODO(),
-		config.WithRetryMaxAttempts(cfg.MaxRetries),
-		config.WithEC2IMDSEndpointMode(ec2IMDSEndpointMode),
-	)
+	ec2MetadataCfg, err := buildEC2MetadataConfig(cfg.MaxRetries, ec2IMDSEndpointMode)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to build EC2 metadata config")
+	}
 	ec2Metadata := services.NewEC2Metadata(ec2MetadataCfg, endpointsResolver)
 
 	if len(cfg.Region) == 0 {
@@ -314,3 +314,11 @@ func (c *defaultCloud) Region() string {
 func (c *defaultCloud) VpcID() string {
 	return c.cfg.VpcID
 }
+
+func buildEC2MetadataConfig(maxRetries int, ec2IMDSEndpointMode imds.EndpointModeState) (aws.Config, error) {
+	return config.LoadDefaultConfig(context.TODO(),
+		config.WithHTTPClient(newDefaultHTTPClient()),
+		config.WithRetryMaxAttempts(maxRetries),
+		config.WithEC2IMDSEndpointMode(ec2IMDSEndpointMode),
+	)
+}
diff --git a/pkg/aws/cloud_test.go b/pkg/aws/cloud_test.go
@@ -3,13 +3,16 @@ package aws
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
@@ -136,3 +139,15 @@ func Test_getVpcID(t *testing.T) {
 		})
 	}
 }
+
+func Test_buildEC2MetadataConfig_SetsHTTPClientTimeout(t *testing.T) {
-func Test_buildEC2MetadataConfig_SetsHTTPClientTimeout(t *testing.T) {
+func Test_buildEC2MetadataConfig_SetsHTTPClientTimeout(t *testing.T) {
+	t.Setenv("AWS_REGION", "us-west-2")
+	t.Setenv("AWS_DEFAULT_REGION", "us-west-2")
-func Test_buildEC2MetadataConfig_SetsHTTPClientTimeout(t *testing.T) {
+func Test_buildEC2MetadataConfig_SetsHTTPClientTimeout(t *testing.T) {
+	t.Setenv("AWS_REGION", "us-west-2")
+	t.Setenv("AWS_DEFAULT_REGION", "us-west-2")
+	t.Setenv("AWS_REGION", "us-west-2")
+	t.Setenv("AWS_DEFAULT_REGION", "us-west-2")
+	cfg, err := buildEC2MetadataConfig(3, imds.EndpointModeStateIPv4)
+	assert.NoError(t, err)
+	assert.NotNil(t, cfg.HTTPClient)
+
+	httpClient, ok := cfg.HTTPClient.(*http.Client)
+	require.True(t, ok, "HTTPClient should be *http.Client")
+	assert.Equal(t, defaultAWSSDKClientTimeout, httpClient.Timeout)
+}