Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Override service region through environment variables #6537

Open
skeggse opened this issue Apr 30, 2024 · 4 comments
Open

Override service region through environment variables #6537

skeggse opened this issue Apr 30, 2024 · 4 comments
Assignees
Labels
feature-request New feature or enhancement. May require GitHub community feedback. p2 This is a standard priority issue

Comments

@skeggse
Copy link

skeggse commented Apr 30, 2024

Some workloads operate in a very restricted network context, and need to communicate with AWS APIs. Sometimes, that includes cross-region access. Consider the following scenario:

  • workload running in us-east-1, and uses AssumeRoleWithWebIdentity
  • workload needs to write an S3 object to a bucket in eu-central-1, and has network access to a PrivateLink endpoint in eu-central-1 over a VPC peering connection
  • workload does not have access to the global STS endpoint nor the eu-central-1 STS endpoint

We can configure one aspect of this behavior to work as desired, namely with AWS_STS_REGIONAL_ENDPOINTS=regional environment variable. This makes us use the regional STS endpoint. However, the default credential provider chain for SDKs still inherits the region from the configured client, meaning that we try to communicate with STS in eu-central-1 if we configure the S3 client to talk to that region.

The Service-specific endpoints feature looked like it would solve this problem: I could force supported SDKs to use only the local endpoint by configuring it through environment variables! This even works for the AssumeRoleWithWebIdentity call itself: since that request isn't signed, it doesn't matter that the STS client is configured to use a different region than the one we're sending the actual assume role request to. However, for STS requests that are signed, and where we're not explicitly passing in an endpoint URL, the signatures end up not matching:

An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Credential should be scoped to a valid region.

So, a request (not sure if feature or bug): provide a way to explicitly override the region used for a specific service, or at least for STS since that's the backbone of practically all other AWS requests. Alternately, if there's an easy way to do this today, I'd love to hear about it (and maybe get it explicitly documented)!

References:

@aBurmeseDev aBurmeseDev self-assigned this May 6, 2024
@tim-finnigan tim-finnigan added the feature-request New feature or enhancement. May require GitHub community feedback. label Jul 3, 2024
@aBurmeseDev
Copy link
Member

Hi @skeggse - apologies for the wait here.

In your scenario, where you need to use the STS service in a different region than the S3 service, you can achieve this by creating separate clients for each service and configuring the appropriate endpoint or region for each client.

Here's an example:

const { S3Client, PutObjectCommand } = require('@aws-sdk/client-s3');
const { STSClient, AssumeRoleWithWebIdentityCommand } = require('@aws-sdk/client-sts');

// Configure the S3 client with the desired region
const s3Client = new S3Client({ region: 'eu-central-1' });

// Configure the STS client with a custom endpoint URL or region
const stsClient = new STSClient({
  region: 'us-east-1', // Or any other region where you have access to the STS endpoint
  endpoint: 'https://sts.us-east-1.amazonaws.com' // Explicitly set the STS endpoint URL
});

// Use the stsClient to assume the role
const assumeRoleCommand = new AssumeRoleWithWebIdentityCommand({
  // Provide the required parameters for AssumeRoleWithWebIdentity
});

stsClient.send(assumeRoleCommand)
  .then((assumeRoleResponse) => {
    // Use the assumed role credentials with the S3 client
    const s3Credentials = assumeRoleResponse.Credentials;
    const s3Client = new S3Client({
      region: 'eu-central-1',
      credentials: {
        accessKeyId: s3Credentials.AccessKeyId,
        secretAccessKey: s3Credentials.SecretAccessKey,
        sessionToken: s3Credentials.SessionToken,
      },
    });

    // Now you can use the s3Client to perform operations in the eu-central-1 region
    const putObjectCommand = new PutObjectCommand({
      Bucket: 'your-bucket-name',
      Key: 'object-key',
      Body: 'Hello, world!',
    });

    return s3Client.send(putObjectCommand);
  })
  .then((putObjectResponse) => {
    console.log('Object uploaded successfully:', putObjectResponse);
  })
  .catch((error) => {
    console.error('Error:', error);
  });

Hope it helps and let us know if there's any follow-up questions!
Best,
John

@aBurmeseDev aBurmeseDev added response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. and removed feature-request New feature or enhancement. May require GitHub community feedback. labels Sep 30, 2024
@skeggse
Copy link
Author

skeggse commented Sep 30, 2024

Aha, thanks for pointing out the unclear component in my question!

The strategy you've outlined works fine if:

  • you only need to make a single request once
  • you have the engineering capacity to modify all the applications that need to communicate in this way

Neither of these are true for us.

  • We need to use a provider chain rather than one-off assume-role commands, because our applications run for longer than an hour.
  • We need to configure this via config or environment variables, because otherwise it's cost-prohibitive to implement/resolve.

This is a blocker to certain VPC security controls for multi-region applications.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. label Sep 30, 2024
@aBurmeseDev aBurmeseDev transferred this issue from aws/aws-sdk Sep 30, 2024
@aBurmeseDev aBurmeseDev added p2 This is a standard priority issue feature-request New feature or enhancement. May require GitHub community feedback. labels Oct 14, 2024
@skeggse
Copy link
Author

skeggse commented Oct 28, 2024

@aBurmeseDev how come we moved this to aws-sdk-js-v3? This request isn't specific to the JS SDK, and the JS SDK is pretty low on my list of SDKs where I'd want this functionality.

@skeggse
Copy link
Author

skeggse commented Dec 4, 2024

@aBurmeseDev can we move this back to aws/aws-sdk?

edit: well, I guess it's archived now for some reason? Maybe we can move this to boto3 then.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request New feature or enhancement. May require GitHub community feedback. p2 This is a standard priority issue
Projects
None yet
Development

No branches or pull requests

3 participants