kubernetes · jyotimahapatra · Nov 4, 2021 · Nov 4, 2021 · nckturner · Nov 5, 2021
diff --git a/pkg/providers/v1/aws.go b/pkg/providers/v1/aws.go
@@ -23,6 +23,7 @@ import (
  "io"
  "net"
  "net/http"
+ "os"
  "path"
  "regexp"
  "sort"
@@ -287,6 +288,10 @@ const (
 
  // privateDNSNamePrefix is the prefix added to ENI Private DNS Name.
  privateDNSNamePrefix = "ip-"
+
+ // Environment Variable to create sts session with regional endpoint
+ // If unset or false, uses global sts endpoint
+ useRegionalSts = "USE_REGIONAL_STS"
 )
 
 const (
@@ -1208,8 +1213,12 @@ func init() {
  return nil, fmt.Errorf("unable to validate custom endpoint overrides: %v", err)
  }
 
+ awsSessionConfig, err := getSessionConfig(&awsSDKProvider{cfg: cfg})
+ if err != nil {
+ return nil, fmt.Errorf("unable to create aws session: %v", err)
+ }
  sess, err := session.NewSessionWithOptions(session.Options{
- Config: aws.Config{},
+ Config: *awsSessionConfig,
  SharedConfigState: session.SharedConfigEnable,
  })
  if err != nil {
@@ -5319,3 +5328,26 @@ func (c *Cloud) describeNetworkInterfaces(nodeName string) (*ec2.NetworkInterfac
  }
  return eni.NetworkInterfaces[0], nil
 }
+
+func getSessionConfig(awsServices Services) (*aws.Config, error) {
+ metadata, err := awsServices.Metadata()
+ if err != nil {
+ return nil, fmt.Errorf("error creating AWS metadata client: %q", err)
+ }
+ az, err := getAvailabilityZone(metadata)
+ if err != nil {
+ return nil, fmt.Errorf("error creating retrieving AZ from metadata: %q", err)
+ }
+ region, err := azToRegion(az)
+ if err != nil {
+ return nil, fmt.Errorf("error getting region from AZ: %q", err)
+ }
+
+ useRegionalSts, _ := strconv.ParseBool(os.Getenv(useRegionalSts))
+ awsSessionConfig := &aws.Config{}
+ if useRegionalSts {
+ klog.Infof("Using Regional STS")
+ awsSessionConfig = aws.NewConfig().WithRegion(region).WithSTSRegionalEndpoint(endpoints.RegionalSTSEndpoint)
+ }
+ return awsSessionConfig, nil
+}
diff --git a/pkg/providers/v1/aws_test.go b/pkg/providers/v1/aws_test.go
@@ -22,13 +22,15 @@ import (
  "fmt"
  "io"
  "math/rand"
+ "os"
  "reflect"
  "sort"
  "strings"
  "testing"
 
  "github.com/aws/aws-sdk-go/aws"
  "github.com/aws/aws-sdk-go/aws/awserr"
+ "github.com/aws/aws-sdk-go/aws/endpoints"
  "github.com/aws/aws-sdk-go/service/ec2"
  "github.com/aws/aws-sdk-go/service/ec2/ec2iface"
  "github.com/aws/aws-sdk-go/service/elb"
@@ -3844,3 +3846,39 @@ func TestDescribeInstances(t *testing.T) {
  })
  }
 }
+
+func TestRegionalSession(t *testing.T) {
+ tests := []struct {
+ name string
+ useRegionalSts string
+ expectRegion string
+ expectEndpoint endpoints.STSRegionalEndpoint
+ }{
+ {
+ name: "sts regional endpoint is set",
+ useRegionalSts: "true",
+ expectRegion: "us-east-1",
+ expectEndpoint: endpoints.RegionalSTSEndpoint,
+ },
+ {
+ name: "sts regional endpoint is unset",
+ useRegionalSts: "",
+ expectRegion: "",
+ expectEndpoint: endpoints.UnsetSTSEndpoint,
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ os.Setenv(useRegionalSts, test.useRegionalSts)
+ defer os.Setenv(useRegionalSts, "")
+ session, err := getSessionConfig(newMockedFakeAWSServices(TestClusterID))
+ assert.NoError(t, err)
+ gotRegion := ""
+ if session.Region != nil {
+ gotRegion = *session.Region
+ }
+ assert.Equal(t, test.expectRegion, gotRegion)
+ assert.Equal(t, test.expectEndpoint, session.STSRegionalEndpoint)
+ })
+ }
+}