Using withAWS{} without credentials param, uses parent EC2 credentials correctly on plugin steps but not on a sh 'aws ...' #315

Open
nightswimmings opened this issue Oct 24, 2023 · 0 comments

Jenkins and plugins versions report

Environment
Jenkins: 2.414.2
OS: Linux - 5.4.196-108.356.amzn2.x86_64
Java: 11.0.20.1 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
JDK_Parameter_Plugin:1.2
Office-365-Connector:4.20.0
adoptopenjdk:1.5
allure-jenkins-plugin:2.30.3
ansicolor:1.0.4
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
authentication-tokens:1.53.v1c90fd9191a_b_
authorize-project:1.7.1
aws-credentials:218.v1b_e9466ec5da_
aws-java-sdk:1.12.529-406.vdeff15e5817d
aws-java-sdk-cloudformation:1.12.529-406.vdeff15e5817d
aws-java-sdk-codebuild:1.12.529-406.vdeff15e5817d
aws-java-sdk-ec2:1.12.529-406.vdeff15e5817d
aws-java-sdk-ecr:1.12.529-406.vdeff15e5817d
aws-java-sdk-ecs:1.12.529-406.vdeff15e5817d
aws-java-sdk-efs:1.12.529-406.vdeff15e5817d
aws-java-sdk-elasticbeanstalk:1.12.529-406.vdeff15e5817d
aws-java-sdk-iam:1.12.529-406.vdeff15e5817d
aws-java-sdk-kinesis:1.12.529-406.vdeff15e5817d
aws-java-sdk-logs:1.12.529-406.vdeff15e5817d
aws-java-sdk-minimal:1.12.529-406.vdeff15e5817d
aws-java-sdk-secretsmanager:1.12.529-406.vdeff15e5817d
aws-java-sdk-sns:1.12.529-406.vdeff15e5817d
aws-java-sdk-sqs:1.12.529-406.vdeff15e5817d
aws-java-sdk-ssm:1.12.529-406.vdeff15e5817d
badge:1.9.1
blueocean:1.27.7
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.7
blueocean-commons:1.27.7
blueocean-config:1.27.7
blueocean-core-js:1.27.7
blueocean-dashboard:1.27.7
blueocean-display-url:2.4.2
blueocean-events:1.27.7
blueocean-git-pipeline:1.27.7
blueocean-github-pipeline:1.27.7
blueocean-i18n:1.27.7
blueocean-jira:1.27.7
blueocean-jwt:1.27.7
blueocean-personalization:1.27.7
blueocean-pipeline-api-impl:1.27.7
blueocean-pipeline-editor:1.27.7
blueocean-pipeline-scm-api:1.27.7
blueocean-rest:1.27.7
blueocean-rest-impl:1.27.7
blueocean-web:1.27.7
bootstrap5-api:5.3.2-1
bouncycastle-api:2.29
branch-api:2.1128.v717130d4f816
build-name-setter:2.3.0
build-timeout:1.31
build-user-vars-plugin:1.9
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloudbees-bitbucket-branch-source:845.v27a_d5823911b_
cloudbees-disk-usage-simple:182.v62ca_0c992a_f3
cloudbees-folder:6.848.ve3b_fd7839a_81
command-launcher:107.v773860566e2e
commons-httpclient3-api:3.1-3
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1
conditional-buildstep:1.4.3
config-file-provider:959.vcff671a_4518b_
configuration-as-code:1700.v6f448841296e
credentials:1271.v54b_1c2c6388a_
credentials-binding:636.v55f1275c7b_27
custom-tools-plugin:0.8
dashboard-view:2.495.v07e81500c3f2
data-tables-api:1.13.6-4
database:191.vd5981b_97a_5fa_
database-postgresql:97.v59f57c5a_b_a_b_6
display-url-api:2.3.9
docker-commons:439.va_3cb_0a_6a_fb_29
docker-workflow:572.v950f58993843
durable-task:523.va_a_22cf15d5e0
ec2:1628.v6d7b_fc58b_a_1d
echarts-api:5.4.0-6
email-ext:2.101
extended-choice-parameter:376.v2e02857547b_a_
extended-read-permission:53.v6499940139e5
extensible-choice-parameter:1.8.1
external-monitor-job:215.v2e88e894db_f8
favorite:2.4.3
file-operations:131.v32b_e7824fe95
font-awesome-api:6.4.2-1
git:5.2.0
git-client:4.5.0
git-parameter:0.9.19
git-server:99.va_0826a_b_cdfa_d
github:1.37.3
github-api:1.314-431.v78d72a_3fe4c3
github-branch-source:1741.va_3028eb_9fd21
gitlab-api:5.3.0-91.v1f9a_fda_d654f
gitlab-branch-source:677.v0b_63b_038322b_
gitlab-plugin:1.7.16
google-oauth-plugin:1.0.11
gradle:2.8.2
h2-api:11.1.4.199-12.v9f4244395f7a_
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.32
http_request:1.18
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.2-350.v0c2f3f8fc595
jacoco:3.3.4
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:243.vb_b_503b_b_45537
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jdk-tool:73.vddf737284550
jenkins-design-language:1.27.7
jersey2-api:2.40-1
jira:3.11
jira-steps:2.0.165.v8846cf59f3db
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.18-1
job-dsl:1.85
jobConfigHistory:1229.v3039470161a_d
jquery:1.12.4-1
jquery3-api:3.7.1-1
jsch:0.2.8-65.v052c39de79b_2
junit:1240.vf9529b_881428
junit-attachments:167.vf1d139e316b_3
kubernetes:4029.v5712230ccb_f8
kubernetes-cli:1.12.1
kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_
kubernetes-credentials:0.11
ldap:701.vf8619de9160a_
lockable-resources:1185.v0c528656ce04
logstash:2.5.0218.v0a_ff8fefc12b_
mailer:463.vedf8358e006b_
mapdb-api:1.0.9-28.vf251ce40855d
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.1
matrix-project:808.v5a_b_5f56d6966
maven-plugin:3.23
mercurial:1260.vdfb_723cdcc81
metrics:4.2.18-442.v02e107157925
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
monitoring:1.95.0
node-iterator-api:49.v58a_8b_35f8363
nodejs:1.6.1
oauth-credentials:0.646.v02b_66dc03d2e
oic-auth:2.6
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pam-auth:1.10
parameterized-scheduler:255.v73827fcdf618
pipeline-aws:1.43
pipeline-build-step:505.v5f0844d8d126
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-maven:1342.vfc697b_789147
pipeline-maven-api:1342.vfc697b_789147
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
pipeline-stage-view:2.33
pipeline-utility-steps:2.16.0
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.3.0
postgresql-api:42.6.0-31.vb_7e76dc13969
prometheus:2.3.3
pubsub-light:1.17
purge-job-history:1.6
pyenv-pipeline:2.1.2
resource-disposer:0.23
role-strategy:689.v731678c3e0eb_
run-condition:1.7
saml:4.429.v9a_781a_61f1da_
scm-api:676.v886669a_199a_a_
script-security:1275.v23895f409fb_d
sidebar-link:2.2.4
skip-certificate-check:1.1
slave-proxy:1.1
snakeyaml-api:2.2-111.vc6598e30cc65
sonar:2.15
sse-gateway:1.26
ssh-agent:333.v878b_53c89511
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
sshd:3.312.v1c601b_c83b_0e
structs:325.vcb_307d2a_2782
subversion:2.17.3
terraform:1.0.10
testng-plugin:835.v51ed3da_fcc35
thinBackup:1.18
throttle-concurrents:2.14
timestamper:1.26
token-macro:384.vf35b_f26814ec
trilead-api:2.84.v72119de229b_7
uno-choice:2.7.2
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1281.vca_5fddb_3fceb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3791.va_c0338ea_b_59c
workflow-durable-task-step:1289.v4d3e7b_01546b_
workflow-job:1346.v180a_63f40267
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45

What Operating System are you using (both controller, and any agents involved in the problem)?

EC2 Linux 4.14.238-182.421.amzn2.x86_64 #1 SMP Mon Jul 12 21:54:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Reproduction steps

1. Define an EC2 instance with the EC2 plugin, and assign some AWS credentials foo_credentials
2. Set up a pipeline script like:

withAWS(region: region){
  try {
    ecrListImages(repositoryName: bar)
  } catch (error) {
    sh "aws ecr create-repository ..."
  }
}

and see how it properly takes AWS credentials defined on the slave image for the ecrListImages step (so it works) but fails because of unauthentication in the manual sh "aws...". If a redundant credentials: my-ec2-assigned-aws-creds is passed as a "credentials:" argument to withAWS, then it works.

Expected Results

Allow sh "aws.." to assume the EC2 credentials, or else document it clearly.

Actual Results

Unauthorized when performing the aws ecr command

Anything else?

No response
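
To see what a sh step inside withAWS actually inherits, a diagnostic like the following can be run in place of the aws command. It is an added example, not code from the issue or the plugin; the function names, the labels and the simplified credential-source ordering are assumptions, and it prints only whether each variable is set, never its value.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper names): classify which AWS credential
# source a shell step can see, without echoing any secret value.

# aws_cred_source: print a label for the first source found, checked in a
# simplified form of the AWS CLI's lookup order (environment, web identity,
# shared credentials file, container endpoint, then instance metadata).
aws_cred_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    # A session token alongside the key pair means temporary credentials.
    if [ -n "${AWS_SESSION_TOKEN:-}" ]; then echo "env-session"; else echo "env-static"; fi
  elif [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    # Only half of the key pair is exported: the CLI rejects this.
    echo "env-incomplete"
  elif [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ] && [ -n "${AWS_ROLE_ARN:-}" ]; then
    echo "web-identity"
  elif [ -r "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ]; then
    echo "shared-file"
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]; then
    echo "container"
  elif [ "${AWS_EC2_METADATA_DISABLED:-false}" = "true" ]; then
    # Nothing in the environment and the metadata fallback is switched off.
    echo "none"
  else
    # Nothing exported: the CLI would fall back to the EC2 instance profile.
    echo "instance-metadata"
  fi
}

# aws_cred_report: list the relevant variables as set/unset (length only),
# then the resolved source label. Safe to leave in a build log.
aws_cred_report() {
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
           AWS_PROFILE AWS_REGION AWS_DEFAULT_REGION; do
    eval "val=\${$v:-}"   # variable names are fixed above, not user input
    if [ -n "$val" ]; then
      echo "$v=set(${#val} chars)"
    else
      echo "$v=unset"
    fi
  done
  echo "source=$(aws_cred_source)"
}

aws_cred_report
```

Comparing the report from a run with the credentials: argument against a run without it shows whether the two sh steps see different sources; `aws sts get-caller-identity` in the same step confirms which identity the CLI resolves.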
