diff --git a/git-credential-s3-secrets b/git-credential-s3-secrets
index 2056c43..d2e19e4 100755
--- a/git-credential-s3-secrets
+++ b/git-credential-s3-secrets
@@ -52,16 +52,51 @@ parse_url() {
   done
 }
+s3_bucket_region() {
+  local bucket="$1"
+
+  local guess_region="${AWS_DEFAULT_REGION:-}"
+  if [ -z "${guess_region}" ]
+  then
+    # This plug-in may not be executing in an AWS VPC or have access to the IDMS
+    # Fail fast with the --connect-timeout flag
+    local token=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 60" --fail --silent --show-error --location --connect-timeout 5 http://169.254.169.254/latest/api/token)
+    if [ -n "${token}" ]
+    then
+      guess_region=$(curl -H "X-aws-ec2-metadata-token: $token" --fail --silent --show-error --location http://169.254.169.254/latest/meta-data/placement/region)
+    fi
+  fi
+  if [ -z "${guess_region}" ]
+  then
+    guess_region="us-east-1"
+  fi
+
+  # Buckets in us-east-1 have a LocationConstraint of null
+  # https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-location.html
+  local bucket_region="$(aws s3api get-bucket-location --bucket "${bucket}" --region "${guess_region}" --output text --query "LocationConstraint || 'us-east-1'")"
+
+  echo "${bucket_region}"
+}
+
 s3_download() {
   local bucket="$1"
   local key="$2"
-  local aws_s3_args=("--quiet" "--region=$AWS_DEFAULT_REGION")
+
+  local bucket_region="$(s3_bucket_region "${bucket}")"
+  if [ -z "${bucket_region}" ]
+  then
+    echo "Could not determine the bucket region for ${bucket}" >&2
+    exit 2
+  fi
+
+  local aws_s3_args=("--quiet" "--region=${bucket_region}")
   if [[ "${BUILDKITE_USE_KMS:-true}" =~ ^(true|1)$ ]] ; then
     aws_s3_args+=("--sse" "aws:kms")
   fi
-  if ! aws s3 cp "${aws_s3_args[@]}" "s3://$1/$2" - ; then
+  local s3_uri="s3://${bucket}/${key}"
+  if ! aws s3 cp "${aws_s3_args[@]}" "${s3_uri}" - ; then
     echo "Failed to download s3://$bucket/$key" >&2
     exit 1
   fi
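Review bot: The region strings that s3_bucket_region obtains from IMDS and from get-bucket-location are passed straight into `--region`, although they arrive over the network from an unauthenticated link-local endpoint that, on a host that is not an EC2 instance (the case the comment itself anticipates), may be answered by something other than AWS. A cheap shape check before use keeps the helper from acting on an unexpected value, e.g. after the second curl `[[ "${guess_region}" =~ ^[a-z0-9-]+$ ]] || guess_region=""`, and the same check on `bucket_region` before it is echoed. `local token=$(curl …)` and `local bucket_region="$(aws …)"` also fold the command's exit status into that of `local`, so a failed lookup is only detectable as an empty string; splitting declaration from assignment (`local token; token=$(curl …) || token=""`) makes the failure explicit and is what ShellCheck expects. GetBucketLocation can also return the legacy value `EU` for old eu-west-1 buckets, which the `LocationConstraint || 'us-east-1'` query passes through unchanged and which the later `aws s3 cp --region=EU` is unlikely to accept, so mapping it to eu-west-1 is worth a line. Finally, the new function uses `[ … ]` with `then` on its own line while the surrounding s3_download uses `[[ … ]] ; then`; matching the existing style would help readers.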