diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index c1c77ce5..cdd06f00 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -515,6 +515,11 @@ func (p *AWS) readURL(url string) ([]byte, error) {
 	var resp *http.Response
 	var err error
 
+	// Initialize IMDS versions when this is called from the cli.
+	if len(p.IMDSVersions) == 0 {
+		p.IMDSVersions = []string{"v2", "v1"}
+	}
+
 	for _, v := range p.IMDSVersions {
 		switch v {
 		case "v1":
diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go
index dadf1f17..aff0aecb 100644
--- a/authority/provisioner/aws_test.go
+++ b/authority/provisioner/aws_test.go
@@ -141,6 +141,12 @@ func TestAWS_GetIdentityToken(t *testing.T) {
 	p7.config.signatureURL = p1.config.signatureURL
 	p7.config.tokenURL = p1.config.tokenURL
 
+	p8, err := generateAWS()
+	assert.FatalError(t, err)
+	p8.IMDSVersions = nil
+	p8.Accounts = p1.Accounts
+	p8.config = p1.config
+
 	caURL := "https://ca.smallstep.com"
 	u, err := url.Parse(caURL)
 	assert.FatalError(t, err)
@@ -156,6 +162,7 @@ func TestAWS_GetIdentityToken(t *testing.T) {
 		wantErr bool
 	}{
 		{"ok", p1, args{"foo.local", caURL}, false},
+		{"ok no imds", p8, args{"foo.local", caURL}, false},
 		{"fail ca url", p1, args{"foo.local", "://ca.smallstep.com"}, true},
 		{"fail identityURL", p2, args{"foo.local", caURL}, true},
 		{"fail signatureURL", p3, args{"foo.local", caURL}, true},