aliyun / alibaba-cloud-sdk-go

Alibaba Cloud SDK for Go
Apache License 2.0

[STS Service] The endpoints per region are not correct #453

Closed wi1dcard closed 4 years ago

wi1dcard commented 4 years ago

While I was using the Terraform alicloud provider and running terraform plan on servers located in the US, it seems quite easy to reach the timeout of invoking STS APIs.

Error: [SDK.TimeoutError] The request timed out 4 times(4 for retry), perhaps we should have the threshold raised a little? Connect timeout. Please set a valid ConnectTimeout.
caused by:
Post "https://sts.aliyuncs.com/?AccessKeyId=[MASKED]&Action=AssumeRole&DurationSeconds=3600&Format=JSON&RegionId=cn-beijing&RoleArn=...&Version=2015-04-01": dial tcp 106.11.61.111:443: i/o timeout

I understand that might be an issue of the internet specifically in China. Therefore, I tried to change the default region to cn-hongkong which should also change the endpoint of STS to sts.cn-hongkong.aliyuncs.com, but the error message showed that it was still calling sts.aliyuncs.com.

Looking into the terraform provider, the endpoints per region seem defined here in this SDK and several regions are using the same endpoint instead of specific ones: https://github.com/aliyun/alibaba-cloud-sdk-go/blob/e4e1cdd659a3e0f4bec8b027fb601e22a196d55b/services/sts/endpoint.go#L12-L46

So my question is: is this something that is intentional? Or is it just a mistake that should have been fixed?

See STS API Endpoints.

wenzuochao commented 4 years ago

Do you use the latest Terraform? And which api did you use?

wi1dcard commented 4 years ago

> Do you use the latest Terraform? And which api did you use?

Hi @wenzuochao ! Yes, I'm using the latest version of Terraform (Docker image hashicorp/terraform:light with digest hashicorp/terraform@sha256:691e2f368183a1886b50fd7da16b4511f5ac914ff6b7c748a87a37e84b898c50).

I'm trying to use the AssumeRole API, this is my terraform configuration:

provider "alicloud" {
  region     = "cn-hongkong"
  access_key = var.alicloud_access_key
  secret_key = var.alicloud_secret_key
  assume_role {
    role_arn = "..."
  }
}

# Omitted ...

Here is the output when the region is cn-hongkong:

Error: [SDK.TimeoutError] The request timed out 4 times(4 for retry), perhaps we should have the threshold raised a little? Connect timeout. Please set a valid ConnectTimeout.
caused by:
Post "https://sts.aliyuncs.com/?AccessKeyId=[MASKED]&Action=AssumeRole&...&Version=2015-04-01": dial tcp 106.11.172.8:443: i/o timeout

However, I believe that's an issue with the default endpoints definition in the SDK instead of Terraform or the AssumeRole API. After I manually overrode the API address, it now works on servers located in the US:

provider "alicloud" {
  region     = "cn-hongkong"
  access_key = var.alicloud_access_key
  secret_key = var.alicloud_secret_key
  assume_role {
    role_arn = "..."
  }
  endpoints {
    sts = "sts.cn-hongkong.aliyuncs.com"
  }
}

Why didn't we set the endpoints as the STS API official documentation described? Thank you!
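An added example, not part of the original thread or of the SDK: a Go check that parses an SDK error string like the ones quoted above and reports whether the AssumeRole request went to the global STS host instead of the regional one. The `sts.<region>.aliyuncs.com` pattern (generalized from the cn-hongkong override above), the names `CheckSTSError` and `Finding`, and the sample message are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample, modelled on the SDK error quoted in the issue (RoleArn is a placeholder).
const sampleErr = `Post "https://sts.aliyuncs.com/?AccessKeyId=[MASKED]&Action=AssumeRole&RegionId=cn-beijing&RoleArn=PLACEHOLDER&Version=2015-04-01": dial tcp 106.11.61.111:443: i/o timeout`

var postURL = regexp.MustCompile(`Post "([^"]+)"`)

// Finding records which STS host a failed request used versus the regional host.
// It deliberately carries no query parameters, so AccessKeyId never reaches a log.
type Finding struct {
	Region, GotHost, WantHost string
	Mismatch                  bool
}

// regionalSTSHost is an assumption: it generalizes the sts.cn-hongkong.aliyuncs.com
// form from the issue to every region. Confirm against the STS endpoint list.
func regionalSTSHost(region string) string {
	return "sts." + region + ".aliyuncs.com"
}

// CheckSTSError extracts the request URL from an SDK error string and compares
// the host that was dialled with the regional host implied by RegionId.
func CheckSTSError(msg string) (Finding, error) {
	m := postURL.FindStringSubmatch(msg)
	if m == nil {
		return Finding{}, fmt.Errorf("no request URL in message")
	}
	u, err := url.Parse(m[1])
	if err != nil {
		return Finding{}, err
	}
	region := u.Query().Get("RegionId")
	if region == "" {
		return Finding{}, fmt.Errorf("RegionId missing or elided in URL")
	}
	f := Finding{Region: region, GotHost: strings.ToLower(u.Hostname()), WantHost: regionalSTSHost(region)}
	f.Mismatch = f.GotHost != f.WantHost
	return f, nil
}

func main() {
	f, err := CheckSTSError(sampleErr)
	fmt.Printf("%+v %v\n", f, err)
}
```

A message whose query string is elided, as in the second error output above, returns an error rather than a guess about the region.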

wenzuochao commented 4 years ago

I got it. I have solved the problem in the latest sdk and the next version of terraform will fix the problem.

wi1dcard commented 4 years ago

> I got it. I have solved the problem in the latest sdk and the next version of terraform will fix the problem.

Thank you so much for the prompt response! I'll check it out once it gets released.