Unable to assume web identity inside EC2 when no region is set in the environment. #515
Comments
It appears to me that the This One such method I am attempting is to override the configuration region before calling

I think the answer #492 (comment) might be related with this issue: AWS has multiple partitions, so the global endpoint must always be referred to in the context of a partition.
I'm not sure if this is entirely correct. Because sts does not care about regionality, the provider is getting confused when we are passing it the

All new documentation for STS recommends using a regionalised endpoint, and therefore I think there may be an issue within this implementation. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
Thanks for reporting this issue. This looks to be a bug in the SDK's implementation of the updated STS endpoint resolving and web identity support. The STS client used by the web identity token credential provider will use the configured region, if one is set. Though the STS client endpoint lookup no longer allows no region to be specified. This was a bug that was fixed in v0.18.0, and a region must be specified for all clients. This was missed for STS credential providers though. Those credential providers probably should default to

Are you able to suggest a temporary workaround for this issue? I would be able to provide the region at time of configuration. Is there either some way I can pass this through to the resolver, or to force it to use the global region?
Specifying the region either via environment or shared config is the best workaround for this issue at the moment. When investigating this we're also going to see if it makes sense to allow a "default" fallback region to be passed into the LoadAWSDefaultConfig, if one cannot be determined from the environment or shared config.

You can also specify a region when calling LoadAWSDefaultConfig directly:

    // Sets the region the configuration will be loaded with. Ignoring any environment,
    // or shared config specified region.
    cfg, err := external.LoadAWSDefaultConfig(external.WithRegion("us-west-2"))

If the SDK were to add support for a "default" region to fall back to, that would probably look like the following. (Note this is not implemented currently.)

    // Sets the region to be used if the region cannot be determined via the environment,
    // shared config, or some other means.
    cfg, err := external.LoadAWSDefaultConfig(external.WithDefaultRegion("us-west-2"))
Breaking Change
---
* `aws/endpoints`: Several functions and types have been removed
  * Removes `DecodeModel` and `DecodeModelOptions` from the package ([#509](#509))
  * Remove Region Constants, Partition Constants, and types used for exploring the endpoint data model ([#512](#512))
* `service/s3/s3crypto`: Package and associated encryption/decryption clients have been removed from the SDK ([#511](#511))
* `aws/external`: Removes several exported constants and types ([#508](#508))
  * No longer exports AWS environment constants used by the external environment configuration loader
  * `DefaultSharedConfigProfile` is now defined as an exported constant
* `aws`: `ErrMissingRegion`, `ErrMissingEndpoint`, `ErrStaticCredentialsEmpty` are now concrete error types ([#510](#510))

Services
---
* Synced the V2 SDK with latest AWS service API definitions.

SDK Features
---
* `aws/signer/v4`: New methods `SignHTTP` and `PresignHTTP` have been added ([#519](#519))
  * `SignHTTP` replaces `Sign`, and usage of `Sign` should be migrated before its removal at a later date
  * `PresignHTTP` replaces `Presign`, and usage of `Presign` should be migrated before its removal at a later date
  * `DisableRequestBodyOverwrite` and `UnsignedPayload` are now deprecated options and have no effect on `SignHTTP` or `PresignHTTP`. These options will be removed at a later date.
* `aws/external`: Add support for setting a default fallback region and resolving region from EC2 IMDS ([#523](#523))
  * `WithDefaultRegion` helper has been added which can be passed to `LoadDefaultAWSConfig`
  * This helper can be used to configure a default fallback region in the event a region fails to be resolved from other sources
  * Support has been added to resolve region using EC2 IMDS when available
  * The IMDS region will be used if a region is not found configured in either the shared config or the process environment.
  * Fixes [#244](#244)
  * Fixes [#515](#515)

SDK Enhancements
---
* `service/dynamodb/expression`: Add IsSet helper for ConditionBuilder and KeyConditionBuilder ([#494](#494))
  * Adds an IsSet helper for ConditionBuilder and KeyConditionBuilder to make it easier to determine if the condition builders have any conditions added to them.
  * Implements [#493](#493).
* `internal/ini`: Normalize Section keys to lowercase ([#495](#495))
  * Updates the SDK's ini utility to store all keys as lowercase. This brings the SDK inline with the AWS CLI's behavior.

SDK Bugs
---
* `internal/sdk`: Fix SDK's UUID utility to handle partial read ([#536](#536))
  * Fixes the SDK's UUID utility to correctly handle partial reads from its crypto rand source. This error was sometimes causing the SDK's InvocationID value to fail to be obtained, due to a partial read from crypto.Rand.
  * Fix [#534](#534)
* `aws/defaults`: Fix request metadata headers causing signature errors ([#536](#536))
  * Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request.
  * Fix [#533](#533)
  * Fix [#521](#521)
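To make the behaviour discussed in this thread concrete (the maintainer's `WithRegion` / `WithDefaultRegion` comment above and the release note's "environment, shared config, IMDS, then default fallback" order), here is an added, stand-alone Go example. It is not code from the issue, the SDK, or its `internal/ini` package: `Sources`, `ResolveRegion`, `parseSharedConfigRegion` and `RegionalSTSEndpoint` are names invented for this illustration, the resolution order is taken from the thread, the INI reader is a minimal stand-in that lowercases keys the way the `internal/ini` change describes, and the partition-suffix rule only covers the standard and China partitions. The point it demonstrates is the defensive one: when no source yields a region, loading fails closed with a concrete missing-region error instead of silently signing against a global STS endpoint.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// ErrMissingRegion stands in for the SDK's concrete missing-region error:
// configuration loading must fail closed rather than fall back to a global
// STS endpoint nobody asked for.
var ErrMissingRegion = errors.New("region is missing; set AWS_REGION, a shared-config region, or a default region")

// Sources is a constructed stand-in for the places the loader consults.
type Sources struct {
	Env           map[string]string     // process environment (AWS_REGION)
	SharedConfig  string                // contents of the shared config file, may be empty
	Profile       string                // profile to look up; "" means default
	IMDSRegion    func() (string, bool) // nil when EC2 IMDS is unreachable
	DefaultRegion string                // hypothetical WithDefaultRegion value
}

// parseSharedConfigRegion reads a minimal INI: [default] and [profile name]
// sections holding "key = value" lines. Keys are lowercased before comparison,
// so "Region" and "region" resolve alike, mirroring the lowercase-keys change.
func parseSharedConfigRegion(content, profile string) (string, bool) {
	want := "default"
	if profile != "" && profile != "default" {
		want = "profile " + profile
	}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		if section != want {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		if strings.ToLower(strings.TrimSpace(kv[0])) == "region" {
			if v := strings.TrimSpace(kv[1]); v != "" {
				return v, true
			}
		}
	}
	return "", false
}

// ResolveRegion applies the order described in the thread: environment,
// shared config, EC2 IMDS when reachable, then the explicit fallback.
func ResolveRegion(s Sources) (string, error) {
	if r := strings.TrimSpace(s.Env["AWS_REGION"]); r != "" {
		return r, nil
	}
	if r, ok := parseSharedConfigRegion(s.SharedConfig, s.Profile); ok {
		return r, nil
	}
	if s.IMDSRegion != nil {
		if r, ok := s.IMDSRegion(); ok && r != "" {
			return r, nil
		}
	}
	if s.DefaultRegion != "" {
		return s.DefaultRegion, nil
	}
	return "", ErrMissingRegion
}

// RegionalSTSEndpoint builds the regional STS endpoint for the partition the
// region belongs to, instead of the legacy global sts.amazonaws.com.
func RegionalSTSEndpoint(region string) (string, error) {
	if region == "" {
		return "", ErrMissingRegion
	}
	suffix := "amazonaws.com"
	if strings.HasPrefix(region, "cn-") {
		suffix = "amazonaws.com.cn"
	}
	return fmt.Sprintf("https://sts.%s.%s", region, suffix), nil
}

func main() {
	// Constructed scenario: a pod holding a web identity token, no AWS_REGION,
	// no shared config, and IMDS unreachable. Without a fallback this must fail.
	s := Sources{Env: map[string]string{}}
	if _, err := ResolveRegion(s); err != nil {
		fmt.Println("no fallback:", err)
	}
	s.DefaultRegion = "us-west-2" // the WithDefaultRegion case from the thread
	r, _ := ResolveRegion(s)
	ep, _ := RegionalSTSEndpoint(r)
	fmt.Println("with default region:", r, "->", ep)
}
```

Note that `AWS_REGION` in the environment wins over a shared-config profile, and the explicit default is consulted last, which is why setting the variable inside the process (the reporter's workaround) and the proposed `WithDefaultRegion` both resolve the same failure.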
Describe the bug

All requests fail when executed on an EC2 (EKS) instance trying to use AssumeWebIdentity and AWS_REGION wasn't set.

Version of AWS SDK for Go?

v0.20.0

Version of Go (go version)?

go1.14

To Reproduce (observed behavior)

The following code snippet exhibits the problem:

Expected behavior

The code should work but doesn't when running on an EC2 instance assuming a web identity.

Additional context

I debugged the situation a bit, and it seems the internal AssumeRole call is performed using a default AWS config. Since the default config on EC2 doesn't fetch the EC2 metadata region (yet? #244), the call fails with UnknownEndpointError, even though a region was set on the configuration. From my understanding, the underlying provider in charge of performing the assume-role call doesn't get the manually set region, and uses an empty one instead. I could find no way of setting the region on the provider itself.

If I set AWS_REGION from inside the process and reload the default configuration once more, the code starts working again. However, this seems overcomplicated and I assume it is not intentional.