Allow configuring token version for global STS endpoint #10707

Closed
mikn opened this issue Nov 1, 2019 · 8 comments
Labels
new-resource Introduces a new resource. service/iam Issues and PRs that pertain to the iam service.

Comments

@mikn

mikn commented Nov 1, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

With the introduction of ap-east-1 and me-south-1, we now have the first regions that only accept V2 STS tokens. However, for backwards compatibility the global STS endpoint (https://sts.amazonaws.com) issues V1 tokens by default. This means that you cannot use a token from the global STS endpoint to authenticate against the regional endpoints of these two new regions (or any regions that follow).

It would be helpful to be able to use terraform to configure this setting. Here's the API documentation for the call: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetSecurityTokenServicePreferences.html

New or Affected Resource(s)

  • aws_organizations_account (?)

I'm not sure under which resource this configuration flag should be put, as it is an AWS account setting under IAM, but it isn't bound to any specific IAM resource. I'm open to suggestions!

Potential Terraform Configuration

resource "aws_organizations_account" "this" {
  global_sts_token_version = "v2"
}

References

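The account-level setting described above can be audited before anyone changes it. The following is an added example, not code from this issue or from the Terraform AWS provider: it parses the JSON that `aws iam get-account-summary` prints, reads the `GlobalEndpointTokenVersion` entry of `SummaryMap` (1 for v1Token, 2 for v2Token, as AWS documents it), and reports whether an account still on V1 global tokens is also using one of the V2-only regions named in the issue. The sample summary is constructed, the region list is the one given in the issue, and the remediation string is the AWS CLI counterpart of the SetSecurityTokenServicePreferences call linked above.

```python
"""Audit an AWS account's global STS endpoint token version.

Added example for this issue; it is not part of the issue or the provider.
Assumptions: the GetAccountSummary response carries
SummaryMap.GlobalEndpointTokenVersion (1 = v1Token, 2 = v2Token), and the
input is the JSON printed by `aws iam get-account-summary --output json`.
"""
import json

# Constructed sample of `aws iam get-account-summary` output. Only the key
# this check cares about matters; the neighbours are filler.
SAMPLE_SUMMARY_V1 = """
{
  "SummaryMap": {
    "Users": 12,
    "Roles": 40,
    "GlobalEndpointTokenVersion": 1
  }
}
"""

# Regions that, per the issue, only accept V2 STS tokens.
V2_ONLY_REGIONS = ("ap-east-1", "me-south-1")

# CLI form of the SetSecurityTokenServicePreferences API linked in the issue.
REMEDIATION_CLI = (
    "aws iam set-security-token-service-preferences "
    "--global-endpoint-token-version v2Token"
)


def global_token_version(summary_json: str) -> int:
    """Return the account's global STS token version (1 or 2) from the JSON."""
    data = json.loads(summary_json)
    try:
        version = int(data["SummaryMap"]["GlobalEndpointTokenVersion"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("GlobalEndpointTokenVersion missing from SummaryMap") from exc
    if version not in (1, 2):
        raise ValueError(f"unexpected GlobalEndpointTokenVersion: {version}")
    return version


def assess(summary_json: str, regions_in_use) -> dict:
    """Flag accounts whose V1 global tokens will be rejected by V2-only regions.

    regions_in_use: the regions the account's clients actually call with
    credentials obtained from the global STS endpoint.
    """
    version = global_token_version(summary_json)
    affected = sorted(r for r in regions_in_use if r in V2_ONLY_REGIONS)
    at_risk = version == 1 and bool(affected)
    return {
        "global_endpoint_token_version": version,
        "v2_only_regions_in_use": affected,
        "at_risk": at_risk,
        # Either fix the account setting (below) or have every client set
        # AWS_STS_REGIONAL_ENDPOINTS=regional, as discussed in the thread.
        "remediation": REMEDIATION_CLI if at_risk else None,
    }


if __name__ == "__main__":
    # Pipe real output in with:  aws iam get-account-summary | python audit.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY_V1
    print(json.dumps(assess(source, ["eu-west-1", "ap-east-1"]), indent=2))
```

The check is deliberately two-sided: an account on V1 tokens is only a problem if something actually calls a V2-only region with a global-endpoint token, which is why the region list is an input rather than a hard-coded verdict.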
@mikn mikn added the enhancement Requests to existing resources that expand the functionality or scope. label Nov 1, 2019
@ghost ghost added the service/organizations Issues and PRs that pertain to the organizations service. label Nov 1, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 1, 2019
@ewbankkit
Contributor

ewbankkit commented Nov 1, 2019

@mikn Could you try setting AWS_STS_REGIONAL_ENDPOINTS=regional in your environment (if possible)?
Plus use v2.34.0 of the AWS provider.
Thanks.

@ewbankkit
Contributor

@mikn
Author

mikn commented Nov 1, 2019

For me, either changing this setting on the AWS account or setting AWS_STS_REGIONAL_ENDPOINTS=regional works. It is more convenient for us not to require an environment variable for every terraform user, so being able to configure this setting would still be helpful (or if you change the default setting in the AWS provider, that could also work for us).

@ewbankkit
Contributor

@mikn Agreed. We could add a new argument (like sts_regional_endpoints) to the provider configuration.

@mikn
Author

mikn commented Nov 1, 2019

@ewbankkit I'm sorry, I don't think I answered the question you actually were asking. I think this still belongs in a resource, as a provider configuration flag only would cover the Terraform use-case but not other AWS API clients. Most implementations (and even the official AWS libraries) work under the assumption that a token from the global STS endpoint is valid for all regions (an assumption that they now broke unless you flip this flag).

By exposing the configuration of token version on the global STS service through a resource, you can provision accounts through Terraform with this setting on, making this assumption true again, and it would mitigate most "wtf" moments across most clients (unless they assume a fixed token size).

In other words, we would most likely need to change this configuration setting no matter whether Terraform works or not.

@bflad
Contributor

bflad commented Nov 1, 2019

My recommendation here would be to split off the new provider configuration into its own feature request, while treating this feature request as implementing a new resource such as:

resource "aws_iam_security_token_service_preferences" "example" {
  global_endpoint_token_version = "v2Token"
}

That uses the following APIs:

@bflad bflad added new-resource Introduces a new resource. service/iam Issues and PRs that pertain to the iam service. and removed enhancement Requests to existing resources that expand the functionality or scope. needs-triage Waiting for first response or review from a maintainer. service/organizations Issues and PRs that pertain to the organizations service. labels Nov 1, 2019
@ghost

ghost commented Jan 30, 2020

I'm going to close this issue due to inactivity (90 days without response ⏳ ). This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost closed this as completed Jan 30, 2020
@ghost

ghost commented Mar 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 27, 2020