Add support for STS Regional Endpoint (#118) #119
Conversation
```java
EndpointConfiguration endpointConfiguration =
    new EndpointConfiguration(
        String.format("sts.%s.amazonaws.com", stsRegion),
        stsRegion);
```
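Review bot: the hand-built hostname `String.format("sts.%s.amazonaws.com", stsRegion)` is only correct for the standard `aws` partition; the China partition uses the `amazonaws.com.cn` suffix (for example `sts.cn-north-1.amazonaws.com.cn`), so this string yields an unreachable host there. Take the hostname from the SDK's bundled partition metadata instead, e.g. `RegionUtils.getRegion(stsRegion).getServiceEndpoint("sts")`, and fail fast when `getRegion` returns null rather than formatting a guess.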
Thanks for the PR.
When you follow https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html and set

```ini
[default]
sts_regional_endpoints = regional
```

doesn't it pick it up by itself?
I'm running my job on KDA and I can't do such a setup on this service.
```java
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
    .withRegion(stsRegion)
    .withEndpointConfiguration(endpointConfiguration)
```
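Review bot: `.withRegion(stsRegion)` and `.withEndpointConfiguration(endpointConfiguration)` are both set on the same builder; in the v1 `AwsClientBuilder` these are mutually exclusive and `build()` throws `IllegalStateException("Only one of Region or EndpointConfiguration may be set.")`. Drop the `withRegion` call: the signing region already travels in the second argument of `EndpointConfiguration`, so the client is fully configured without it.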
Do we need to set the endpoint configuration? If the stsRegion is set to aws-global, it should be using sts.amazonaws.com anyway.
> regional – The SDK or tool always uses the AWS STS endpoint for the currently configured Region. For example, if the client is configured to use us-west-2, all calls to AWS STS are made to the Regional endpoint sts.us-west-2.amazonaws.com, instead of the global sts.amazonaws.com endpoint. To send a request to the global endpoint while this setting is enabled, you can set the Region to aws-global.

https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
Have you tested this out? In KDA you should be able to define an environment variable and override the REGION config.
My concern with manually setting EndpointConfiguration is that the following endpoint might not be valid for all AWS regions and partitions in the future.

```java
EndpointConfiguration(
    String.format("sts.%s.amazonaws.com", stsRegion),
    stsRegion);
```
I published a new commit to use the region.getServiceEndpoint API instead of a string.
Could you also try setting region as aws-global in KDA?
aws-global is not reachable for customers who are running KDA or MSK Connect in a private subnet. They have to use a regional endpoint for STS.
Issue #, if available:
This PR fixes issue #118.
Users who are using the library in a VPC with no Internet connection are not able to use the AssumeRole feature, as the STS regional endpoint doesn't work.
Description of changes:
This PR adds an STS endpoint configuration to the credential provider to enable the use of the regional STS endpoint.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
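A worked version of what this PR describes, added here as an illustration and not code from the PR or the project: the STS hostname is taken from the SDK v1 partition metadata (RegionUtils.getRegion / Region.getServiceEndpoint) rather than formatted by hand, the aws-global pseudo-region is mapped to the global endpoint, and only EndpointConfiguration (never withRegion alongside it) is set on the STS client before it is handed to STSAssumeRoleSessionCredentialsProvider. The class name RegionalStsAssumeRole, the helper names, and the role ARN and session name in main are assumptions made for the example.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.RegionUtils;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

/**
 * Added example (not the project's code): build an AssumeRole credentials provider
 * that talks to the STS endpoint of a chosen region, which is what a job in a private
 * subnet with an STS VPC interface endpoint can reach, and fall back to the global
 * endpoint when the caller asks for "aws-global".
 */
public final class RegionalStsAssumeRole {

    // The global endpoint is served out of us-east-1 and must be signed for that region.
    private static final String GLOBAL_STS_ENDPOINT = "sts.amazonaws.com";
    private static final String GLOBAL_SIGNING_REGION = "us-east-1";

    /**
     * Resolve the STS endpoint from the SDK's bundled partition metadata instead of
     * formatting "sts.%s.amazonaws.com" by hand. The hand-built pattern only holds in
     * the standard "aws" partition; aws-cn, for example, uses the amazonaws.com.cn suffix.
     */
    static EndpointConfiguration stsEndpointFor(String stsRegion) {
        if (stsRegion == null || stsRegion.isEmpty() || "aws-global".equals(stsRegion)) {
            return new EndpointConfiguration(GLOBAL_STS_ENDPOINT, GLOBAL_SIGNING_REGION);
        }
        Region region = RegionUtils.getRegion(stsRegion);
        if (region == null) {
            // Fail fast rather than guessing a hostname for a region the SDK does not know.
            throw new IllegalArgumentException("Unknown region for STS endpoint: " + stsRegion);
        }
        String host = region.getServiceEndpoint("sts");
        if (host == null) {
            throw new IllegalArgumentException("No STS endpoint in partition metadata for " + stsRegion);
        }
        // Sign for the same region the endpoint belongs to.
        return new EndpointConfiguration(host, stsRegion);
    }

    /**
     * Build the AssumeRole provider on top of an STS client bound to that endpoint.
     * Only withEndpointConfiguration is set: the v1 builder rejects a client that has
     * both a Region and an EndpointConfiguration, and the signing region is already
     * carried inside the EndpointConfiguration.
     */
    static AWSCredentialsProvider assumeRoleProvider(String roleArn, String sessionName, String stsRegion) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withEndpointConfiguration(stsEndpointFor(stsRegion))
                .build(); // base credentials come from the SDK's default provider chain
        return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                .withStsClient(sts)
                .build();
    }

    public static void main(String[] args) {
        // Hypothetical role ARN and session name, purely for illustration.
        AWSCredentialsProvider provider = assumeRoleProvider(
                "arn:aws:iam::123456789012:role/example-role", "kda-session", "us-west-2");
        System.out.println("provider: " + provider.getClass().getSimpleName());
        // Show which host each region resolves to; no network call is made here.
        System.out.println("us-west-2  -> " + stsEndpointFor("us-west-2").getServiceEndpoint());
        System.out.println("cn-north-1 -> " + stsEndpointFor("cn-north-1").getServiceEndpoint());
        System.out.println("aws-global -> " + stsEndpointFor("aws-global").getServiceEndpoint());
    }
}
```

The first `getCredentials()` on the returned provider is what triggers the AssumeRole call, so in a private subnet that call goes to the regional host and therefore to the STS VPC interface endpoint; the global `sts.amazonaws.com` host has no VPC endpoint, which is the failure mode the PR description refers to.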