`ec2 create-vpc-endpoint` fails to create an AWS service interface endpoint when both the full service-name and service-region are specified

[marcus-jameson]

Describe the bug

When attempting to create a VPC endpoint of type Interface for an AWS service the operation fails when both service-name and service-region are specified, even if they are in alignment.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

When creating a VPC interface endpoint for an AWS service, if both service-name and service-region are included in the request and both reference the same region the request should not be blocked by the presence of service-region. Alternatively, if the intended behavior is to discourage the use of these options in combination then either the call should fail with a message that is more helpful than "An internal error has occurred" and ideally the documentation should be updated to mention the conflict between these two options.

Current Behavior

Example command with redacted resource IDs:

aws ec2 create-vpc-endpoint --profile=example \
  --vpc-endpoint-type Interface \
  --vpc-id vpc-0000000000000000 \
  --service-name com.amazonaws.eu-west-1.sts \
  --subnet-ids subnet-0000000000000000 \
  --security-group-id sg-0000000000000000 \
  --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=example}]" \
  --service-region=eu-west-1

Result:

An error occurred (InternalError) when calling the CreateVpcEndpoint operation (reached max retries: 2): An internal error has occurred

The full output from this command (with resource IDs & security tokens redacted) run in debug mode is included in the attached file, debug-logs.txt.

Reproduction Steps

The only prerequisites are access to an AWS account with a default VPC and IAM access to create the VPC endpoint. The error can be created with a minimal setup referencing the default VPC. Using eu-west-1 as an example region:

aws ec2 create-vpc-endpoint --profile=example \
  --vpc-endpoint-type Interface \
  --vpc-id vpc-0000000000000000 \
  --service-name com.amazonaws.eu-west-1.sts \
  --service-region=eu-west-1

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.23.0 Python/3.12.8 Darwin/24.2.0 source/arm64

Environment details (OS name and version, etc.)

macOS 15.2

[RyanFitzSimmonsAK]

Hi @marcus-jameson, thanks for reaching out . I wasn't able to reproduce this behavior. In my testing, I was able to successfully create a VPC endpoint with both service-name and service-region specified. Could you verify if you're using a shared subnet?

[marcus-jameson]

Hi @RyanFitzSimmonsAK, thanks for following up. I just re-tested using the same conditions and am also not able to reproduce the issue anymore. I can verify that I was not using a shared subnet. I originally encountered the issue writing a terraform module which created both the VPC and subnets alongside the desired service endpoints before then reproducing it with the CLI directly. All that said, I'm no longer able to recreate the error with either the CLI or terraform, so I see no reason to keep it open.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.