Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

change the default to use regional endpoints for sts #2577

Closed
mmerickel opened this issue Dec 12, 2021 · 4 comments
Closed

change the default to use regional endpoints for sts #2577

mmerickel opened this issue Dec 12, 2021 · 4 comments
Assignees
Labels
feature-request This issue requests a feature.

Comments

@mmerickel
Copy link

Is your feature request related to a problem? Please describe.

Related to the outages in us-east-1, it was identified that boto3/botocore is using the global sts endpoint (AWS_STS_REGIONAL_ENDPOINTS=legacy) by default. This affected code running in other regions, causing them to fail to use IRSA in EKS to AssumeRoleWithWebIdentity.

Describe the solution you'd like

AWS CLI v2 already changed the default to "regional" [1]. boto should follow suit and do the same as it's clearly a better default.

'sts_regional_endpoints': (
'sts_regional_endpoints', 'AWS_STS_REGIONAL_ENDPOINTS', 'legacy',
None
),

[1] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-config-sts_regional_endpoints

@mmerickel mmerickel added feature-request This issue requests a feature. needs-triage This issue or PR still needs to be triaged. labels Dec 12, 2021
@tim-finnigan tim-finnigan self-assigned this Dec 13, 2021
@tim-finnigan tim-finnigan added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2021
@tim-finnigan
Copy link
Contributor

Hi @mmerickel, thanks for reaching out. You make a good point and using regional endpoints is also recommended here for STS:

AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity.

However, it would be a breaking change for users who expect and rely on the current behavior. But this is something that can be addressed in the next major version of boto3, similar to how it was introduced in CLI v2 as noted here.

In the meantime you can specify the regional endpoint in boto3 as described here in this comment.

@tim-finnigan tim-finnigan removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Dec 13, 2021
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@mmerickel
Copy link
Author

Why close this issue? Is there another place where the boto roadmap is tracked? The ticket was labeled a feature request and it sounds like it is acknowledged to be a good request…

@tim-finnigan
Copy link
Contributor

@mmerickel The reason for closing this is because we generally keep feature requests open to track community demand and discuss use cases. In this case I think you have a valid ask, but due to the breaking change issue mentioned earlier it would have to wait until the next major version. And we can’t guarantee timelines for version updates but it may not be for a while. But the team is aware of this request and can plan for consistency with the CLI v2 here in the future.

mergify bot pushed a commit to aws/aws-cdk that referenced this issue Jun 19, 2024
…ction (#30580)

### Issue # (if applicable)

Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3.

Closes #30496


### Reason for this change



### Description of changes



### Description of how you validated changes

Added a new unit test and verified with debugger.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

### Debugger

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/kubectl-provider.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
sarangarav pushed a commit to sarangarav/aws-cdk that referenced this issue Jun 21, 2024
…ction (aws#30580)

### Issue # (if applicable)

Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3.

Closes aws#30496


### Reason for this change



### Description of changes



### Description of how you validated changes

Added a new unit test and verified with debugger.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

### Debugger

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/kubectl-provider.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mazyu36 pushed a commit to mazyu36/aws-cdk that referenced this issue Jun 22, 2024
…ction (aws#30580)

### Issue # (if applicable)

Per boto/botocore#2577 (comment) setting this to `regional` is still required and recommended for boto3.

Closes aws#30496


### Reason for this change



### Description of changes



### Description of how you validated changes

Added a new unit test and verified with debugger.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

### Debugger

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "type": "node",
      "request": "launch",
      "name": "Jest",
      "program": "${workspaceFolder}/node_modules/jest/bin/jest.js",
      "cwd": "${workspaceFolder}/packages/aws-cdk-lib",
      "args": [
        "--verbose",
        "-i",
        "--no-cache",
        "test/kubectl-provider.test.ts",
      ],
      "console": "integratedTerminal",
      "internalConsoleOptions": "neverOpen",
      "skipFiles": [
        "<node_internals>/**"
      ],
      "outFiles": [
        "${workspaceFolder}/**/*.(m|c|)js",
        "!**/node_modules/**"
      ],
    }
  ]
}
```
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request This issue requests a feature.
Projects
None yet
Development

No branches or pull requests

2 participants