- Bug
- Resolution: Unresolved
- Major
- None
Jenkins 2.504.3
Amazon EC2 2032.v92a_4b_e703974
With the controller running as a pod on EKS under the best-practice settings of Pod Identity and an IMDS hop limit of 1, selecting "Use EC2 instance profile to obtain credentials?" hits an authorization failure when the plugin tries to fetch the region list from the IMDS endpoint.
The current implementation assumes that if the EC2 cloud's nodes are to use EC2 instance profiles, then the controller must also have access to an instance profile, which it may not.
It would be better to fetch the region list on the controller with implicit Java SDK credential discovery, as Pod Identity should still work for that.
The workaround is to set the EKS cluster nodes' metadata options to allow 2 hops, though this is less secure.
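As an added illustration of the proposed change (not the plugin's own code; it assumes AWS SDK for Java v2), the first provider mirrors the failing path and the second the proposed one. The class name, `listRegions` helper and bootstrap region are placeholders.

```java
import java.util.List;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ec2.Ec2Client;

public final class RegionListing {

    // Failing path: pins credential lookup to IMDS (169.254.169.254). Inside a pod the
    // IMDSv2 token response has to cross the node's network namespace, so with
    // http_put_response_hop_limit = 1 it never arrives and the lookup fails.
    static AwsCredentialsProvider instanceProfileOnly() {
        return InstanceProfileCredentialsProvider.create();
    }

    // Proposed path: the default chain also tries the container credential provider,
    // which is what EKS Pod Identity exposes to the pod (AWS_CONTAINER_CREDENTIALS_FULL_URI),
    // so the controller gets credentials without any IMDS hop.
    static AwsCredentialsProvider defaultChain() {
        return DefaultCredentialsProvider.builder().build();
    }

    // DescribeRegions needs some region to sign the request against; the caller
    // supplies a bootstrap region (assumed here) and gets back the full region list.
    static List<String> listRegions(AwsCredentialsProvider creds, Region bootstrap) {
        try (Ec2Client ec2 = Ec2Client.builder()
                .credentialsProvider(creds)
                .region(bootstrap)
                .build()) {
            return ec2.describeRegions().regions().stream()
                    .map(r -> r.regionName())
                    .toList();
        }
    }

    public static void main(String[] args) {
        // Runs on a controller pod with Pod Identity and hop limit 1; the
        // instanceProfileOnly() variant would throw here instead.
        System.out.println(listRegions(defaultChain(), Region.US_EAST_1));
    }
}
```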
For those using [terraform-aws-modules/aws/eks|https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest], a recent change improved the default for `http_put_response_hop_limit` from 2 to 1. Existing clusters with Jenkins controller pods deployed will break.