That can't be right: no way to pass region to AssumeRole STS client #2377
Comments
AssumeRole does not have a region option. You can however set the endpoint on STS. If that region has been disabled (see Activating and Deactivating AWS STS in an AWS Region), you'd get the
Setting the endpoint on STS:
Okay I have no idea how that STS client gets its region (given that there's no
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.
I don't really have a reproducible case for this, but we're working on the AWS CDK using the JS SDK and we get repeated reports of "profiles not working" (no further details sometimes, so I can't really reproduce). While doing a source code review I'm noticing the following:
https://github.com/aws/aws-sdk-js/blob/master/lib/credentials/shared_ini_file_credentials.js#L231
There's no region passed to the STS client used for AssumeRole credentials.
I assume this is done because the assumption is that IAM is global, and so role credentials retrieved in one region will also work in any other region.
However, what about non-classical regions like the China regions and GovCloud? We've had reports of "profiles" not working with GovCloud (aws/aws-cdk#1109, unfortunately no further response but I can only imagine they were using assume-role credentials) and from my experience, since China regions are in a different partition with different credential databases, credentials retrieved in `aws` will not work in `aws-cn`, right?
So in short, my hypothetical bug report is that `AssumeRole` will be broken in China and GovCloud.
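
To make the partition concern in this issue concrete, here is an added example (not code from the thread or from aws-sdk-js): hypothetical helpers that derive the partition from a profile's `region` and `role_arn`, reject a mismatch, and compute the regional STS endpoint that could be passed as the `region` and `endpoint` options when constructing the STS client. The prefix-based partition mapping is an assumption that covers only the `aws`, `aws-cn` and `aws-us-gov` partitions.

```javascript
// Added example: hypothetical helpers, not aws-sdk-js code.
// Partition is inferred from the region prefix (assumption: only the three
// partitions discussed in the thread are covered).
function partitionForRegion(region) {
  if (region.startsWith('cn-')) return 'aws-cn';
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  return 'aws';
}

// ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
function partitionForArn(arn) {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error('not an ARN: ' + arn);
  }
  return parts[1];
}

// Regional STS endpoint; China regions use the amazonaws.com.cn suffix.
function stsEndpointForRegion(region) {
  const suffix = partitionForRegion(region) === 'aws-cn'
    ? 'amazonaws.com.cn' : 'amazonaws.com';
  return `https://sts.${region}.${suffix}`;
}

// Build the options one would hand to the STS client for an assume-role
// profile, refusing a role ARN and region from different partitions.
function stsOptionsForProfile(profile) {
  const regionPartition = partitionForRegion(profile.region);
  const rolePartition = partitionForArn(profile.role_arn);
  if (regionPartition !== rolePartition) {
    throw new Error(
      `role is in partition ${rolePartition} but region ${profile.region} ` +
      `is in ${regionPartition}`);
  }
  return { region: profile.region, endpoint: stsEndpointForRegion(profile.region) };
}

// Constructed sample profiles (account id and role name are placeholders).
const govProfile = { region: 'us-gov-west-1',
  role_arn: 'arn:aws-us-gov:iam::123456789012:role/deploy' };
const cnProfile = { region: 'cn-north-1',
  role_arn: 'arn:aws-cn:iam::123456789012:role/deploy' };

console.log(stsOptionsForProfile(govProfile));
console.log(stsOptionsForProfile(cnProfile));
```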