-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change the default to use regional endpoints for sts #2577
Comments
Hi @mmerickel, thanks for reaching out. You make a good point and using regional endpoints is also recommended here for STS:
However, it would be a breaking change for users who expect and rely on the current behavior. But this is something that can be addressed in the next major version of boto3, similar to how it was introduced in CLI v2 as noted here. In the meantime you can specify the regional endpoint in boto3 as described here in this comment. |
|
Why close this issue? Is there another place where the boto roadmap is tracked? The ticket was labeled a feature request and it sounds like it is acknowledged to be a good request… |
@mmerickel The reason for closing this is because we generally keep feature requests open to track community demand and discuss use cases. In this case I think you have a valid ask, but due to the breaking change issue mentioned earlier it would have to wait until the next major version. And we can’t guarantee timelines for version updates but it may not be for a while. But the team is aware of this request and can plan for consistency with the CLI v2 here in the future. |
…ction (#30580) ### Issue # (if applicable) Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3. Closes #30496 ### Reason for this change ### Description of changes ### Description of how you validated changes Added a new unit test and verified with debugger. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ### Debugger ```json { "version": "0.2.0", "configurations": [ { "type": "node", "request": "launch", "name": "Jest", "program": "${workspaceFolder}/node_modules/jest/bin/jest.js", "cwd": "${workspaceFolder}/packages/aws-cdk-lib", "args": [ "--verbose", "-i", "--no-cache", "test/kubectl-provider.test.ts", ], "console": "integratedTerminal", "internalConsoleOptions": "neverOpen", "skipFiles": [ "<node_internals>/**" ], "outFiles": [ "${workspaceFolder}/**/*.(m|c|)js", "!**/node_modules/**" ], } ] } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ction (aws#30580) ### Issue # (if applicable) Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3. Closes aws#30496 ### Reason for this change ### Description of changes ### Description of how you validated changes Added a new unit test and verified with debugger. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ### Debugger ```json { "version": "0.2.0", "configurations": [ { "type": "node", "request": "launch", "name": "Jest", "program": "${workspaceFolder}/node_modules/jest/bin/jest.js", "cwd": "${workspaceFolder}/packages/aws-cdk-lib", "args": [ "--verbose", "-i", "--no-cache", "test/kubectl-provider.test.ts", ], "console": "integratedTerminal", "internalConsoleOptions": "neverOpen", "skipFiles": [ "<node_internals>/**" ], "outFiles": [ "${workspaceFolder}/**/*.(m|c|)js", "!**/node_modules/**" ], } ] } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ction (aws#30580) ### Issue # (if applicable) Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3. Closes aws#30496 ### Reason for this change ### Description of changes ### Description of how you validated changes Added a new unit test and verified with debugger. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ### Debugger ```json { "version": "0.2.0", "configurations": [ { "type": "node", "request": "launch", "name": "Jest", "program": "${workspaceFolder}/node_modules/jest/bin/jest.js", "cwd": "${workspaceFolder}/packages/aws-cdk-lib", "args": [ "--verbose", "-i", "--no-cache", "test/kubectl-provider.test.ts", ], "console": "integratedTerminal", "internalConsoleOptions": "neverOpen", "skipFiles": [ "<node_internals>/**" ], "outFiles": [ "${workspaceFolder}/**/*.(m|c|)js", "!**/node_modules/**" ], } ] } ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Is your feature request related to a problem? Please describe.
Related to the outages in us-east-1, it was identified that boto3/botocore is using the global sts endpoint (
AWS_STS_REGIONAL_ENDPOINTS=legacy
) by default. This affected code running in other regions, causing them to fail to use IRSA in EKS toAssumeRoleWithWebIdentity
.Describe the solution you'd like
AWS CLI v2 already changed the default to "regional" [1]. boto should follow suit and do the same as it's clearly a better default.
botocore/botocore/configprovider.py
Lines 107 to 110 in e0e8e1c
[1] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-config-sts_regional_endpoints
The text was updated successfully, but these errors were encountered: