That can't be right: no way to pass region to AssumeRole STS client #2377

Closed
rix0rrr opened this issue Nov 26, 2018 · 4 comments
Labels
feature-request A feature should be added or improved.

Comments


rix0rrr commented Nov 26, 2018

I don't really have a reproducible case for this, but we're working on the AWS CDK using the JS SDK and we get repeated reports of "profiles not working" (no further details sometimes, so I can't really reproduce). While doing a source code review I'm noticing the following:

https://github.com/aws/aws-sdk-js/blob/master/lib/credentials/shared_ini_file_credentials.js#L231

There's no region passed to the STS client used for AssumeRole credentials.

I assume this is done because the assumption is that IAM is global, and so role credentials retrieved in one region will also work in any other region.

However, what about non-classical regions like the China regions and GovCloud? We've had reports of "profiles" not working with GovCloud (aws/aws-cdk#1109, unfortunately no further response but I can only imagine they were using assume-role credentials) and from my experience, since China regions are in a different partition with different credential databases, credentials retrieved in aws will not work in aws-cn, right?


So in short, my hypothetical bug report is that AssumeRole will be broken in China and GovCloud.

rix0rrr changed the title from "No way to pass region to STS client" to "That can't be right: no way to pass region to AssumeRole STS client" on Nov 26, 2018
srchase added the "guidance" label (Question that needs advice or information.) on Nov 26, 2018

srchase commented Nov 26, 2018

@rix0rrr

AssumeRole does not have a region option.

You can however set the endpoint on STS. If that region has been disabled (see "Activating and Deactivating AWS STS in an AWS Region"), you'd get the RegionDisabled error.


srchase commented Nov 26, 2018

Setting the endpoint on STS:

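```js
// Load the AWS SDK for JavaScript (v2), which provides AWS.STS.
const AWS = require('aws-sdk');

// Pin the STS client to a regional endpoint.
const sts = new AWS.STS({
  region: 'eu-west-1',
  endpoint: 'sts.eu-west-1.amazonaws.com'
});

// Placeholder values for the role to assume.
const params = {
  ExternalId: '123ABC',
  RoleArn: 'arn:aws:iam::myAccountID:role/myRole',
  RoleSessionName: 'Bob'
};

sts.assumeRole(params, (err, data) => {
  console.log(err, data);
});
```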

srchase added the "feature-request" label (A feature should be added or improved.) and removed the "guidance" label (Question that needs advice or information.) on Nov 26, 2018
rix0rrr closed this as completed on Nov 27, 2018

rix0rrr commented Nov 27, 2018

Okay I have no idea how that STS client gets its region (given that there's no region argument to it), but it seems to work, so I've got nothing. Sorry for bothering you.
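
Added example (not part of the thread and not aws-sdk-js code): a partition-aware way to build the `region`/`endpoint` pair shown above, which rejects a region whose partition differs from the role ARN's. The helper names are hypothetical, and the partition table is an assumption limited to the three partitions discussed here (`aws`, `aws-cn`, `aws-us-gov`).

```javascript
// Added example, not aws-sdk-js code. Covers only the three partitions
// the thread names: aws, aws-cn (China) and aws-us-gov (GovCloud).
const PARTITIONS = [
  { name: 'aws-cn', regionPrefix: 'cn-', dnsSuffix: 'amazonaws.com.cn' },
  { name: 'aws-us-gov', regionPrefix: 'us-gov-', dnsSuffix: 'amazonaws.com' },
  { name: 'aws', regionPrefix: '', dnsSuffix: 'amazonaws.com' } // fallback
];

// The region ends up inside a hostname, so accept only the region-name shape.
function partitionForRegion(region) {
  if (typeof region !== 'string' || !/^[a-z]{2}(-[a-z]+)+-\d+$/.test(region)) {
    throw new Error(`not a region name: ${String(region)}`);
  }
  return PARTITIONS.find((p) => region.startsWith(p.regionPrefix));
}

// Expected shape: arn:<partition>:iam::<account>:role/<name>
function partitionForRoleArn(roleArn) {
  const parts = String(roleArn).split(':');
  if (parts.length < 6 || parts[0] !== 'arn' || parts[2] !== 'iam' ||
      !parts[5].startsWith('role/')) {
    throw new Error(`not an IAM role ARN: ${roleArn}`);
  }
  return parts[1];
}

// Hypothetical helper: options for `new AWS.STS(...)`, refusing a region whose
// partition differs from the role's, since credentials do not cross partitions.
function stsClientOptions(region, roleArn) {
  const partition = partitionForRegion(region);
  const arnPartition = partitionForRoleArn(roleArn);
  if (partition.name !== arnPartition) {
    throw new Error(
      `role is in partition ${arnPartition} but ${region} is in ${partition.name}`);
  }
  return { region, endpoint: `sts.${region}.${partition.dnsSuffix}` };
}

// Constructed sample inputs (account ID placeholder as in the thread).
console.log(stsClientOptions('eu-west-1', 'arn:aws:iam::myAccountID:role/myRole'));
console.log(stsClientOptions('cn-north-1', 'arn:aws-cn:iam::myAccountID:role/myRole'));
```

Failing at configuration time with a partition-mismatch message is easier to diagnose than the credential error STS would return for a role it cannot find in its own partition.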

lock bot commented Sep 29, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

lock bot locked as resolved and limited conversation to collaborators on Sep 29, 2019