diff --git a/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java b/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java index 0d9179b662be9..ae74c5d49a749 100644 --- a/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java +++ b/modules/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3Service.java @@ -321,7 +321,7 @@ static class CustomWebIdentityTokenCredentialsProvider implements AWSCredentials private STSAssumeRoleWithWebIdentitySessionCredentialsProvider credentialsProvider; private AWSSecurityTokenService stsClient; - private boolean stsRegionConfigured = false; + private String stsRegion; CustomWebIdentityTokenCredentialsProvider( Environment environment, @@ -363,18 +363,14 @@ static class CustomWebIdentityTokenCredentialsProvider implements AWSCredentials ); AWSSecurityTokenServiceClientBuilder stsClientBuilder = AWSSecurityTokenServiceClient.builder(); - // Support regionalized STS endpoints https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html - if ("regional".equalsIgnoreCase(systemEnvironment.getEnv("AWS_STS_REGIONAL_ENDPOINTS"))) { - // AWS_REGION should be injected by the EKS pod identity webhook https://github.com/aws/amazon-eks-pod-identity-webhook/pull/41 - String region = systemEnvironment.getEnv(SDKGlobalConfiguration.AWS_REGION_ENV_VAR); - if (region != null) { - stsClientBuilder.withRegion(region); - stsRegionConfigured = true; - } else { - LOGGER.warn("Unable to lookup region for the AWS STS endpoint, because the AWS_REGION environment variable is not set"); - } - } - if (stsRegionConfigured == false) { + // AWS_REGION should be injected by the EKS pod identity webhook: + // https://github.com/aws/amazon-eks-pod-identity-webhook/pull/41 + stsRegion = systemEnvironment.getEnv(SDKGlobalConfiguration.AWS_REGION_ENV_VAR); + // Check if we need to use regional STS endpoints + // https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html + if ("regional".equalsIgnoreCase(systemEnvironment.getEnv("AWS_STS_REGIONAL_ENDPOINTS")) && stsRegion != null) { + stsClientBuilder.withRegion(stsRegion); + } else { // Custom system property used for specifying a mocked version of the STS for testing String customStsEndpoint = jvmEnvironment.getProperty("com.amazonaws.sdk.stsMetadataServiceEndpointOverride", STS_HOSTNAME); // Set the region explicitly via the endpoint URL, so the AWS SDK doesn't make any guesses internally. @@ -398,8 +394,8 @@ boolean isActive() { return credentialsProvider != null; } - public boolean isStsRegionConfigured() { - return stsRegionConfigured; + String getStsRegion() { + return stsRegion; } @Override diff --git a/modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/CustomWebIdentityTokenCredentialsProviderTests.java b/modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/CustomWebIdentityTokenCredentialsProviderTests.java index 90e9fabfecb7a..f245b1ad91fe4 100644 --- a/modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/CustomWebIdentityTokenCredentialsProviderTests.java +++ b/modules/repository-s3/src/test/java/org/elasticsearch/repositories/s3/CustomWebIdentityTokenCredentialsProviderTests.java @@ -155,7 +155,7 @@ public void testSupportRegionalizedEndpoints() throws Exception { // endpoint in a unit test. The client depends on hardcoded RegionalEndpointsOptionResolver that in turn depends // on the system environment that we can't change in the test. So we just verify we that we called `withRegion` // on stsClientBuilder which should internally correctly configure the endpoint when the STS client is built. - assertTrue(webIdentityTokenCredentialsProvider.isStsRegionConfigured()); + assertEquals("us-west-2", webIdentityTokenCredentialsProvider.getStsRegion()); webIdentityTokenCredentialsProvider.shutdown(); }