aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Assume Role With Web Identity doesn't respect region #8697

Closed liorpsweetsecurity closed 3 months ago

liorpsweetsecurity commented 4 months ago

Describe the bug

Running aws sts assume-role-with-web-identity --role-arn ${ROLE_ARN} --web-identity-token ${ACCESS_TOKEN} --role-session-name ${SESSION_NAME} --region us-east-2 seems to send to us-east-1.

Expected Behavior

I expect to see corresponding events in the cloudtrail associated with us-east-2.

Current Behavior

I see AssumeRoleWithWebIdentity events under us-east-1 cloud trail.

Reproduction Steps

Run aws sts assume-role-with-web-identity --role-arn ${ROLE_ARN} --web-identity-token ${ACCESS_TOKEN} --role-session-name ${SESSION_NAME} --region us-east-2. Check cloudtrail logs. It seems to be in us-east-1, regardless of the region parameter.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/1.18.69 Python/3.8.10 Linux/5.15.0-1064-azure botocore/1.16.19

Environment details (OS name and version, etc.)

NAME="Ubuntu" VERSION="20.04.6 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.6 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal

arianvp commented 4 months ago

I think this is expected behaviour. IAM will always reach out to the global sts.amazonaws.com (which is in us-east-1). The region parameter is for API operations after IAM auth has completed.

Instead you have to specify the endpoint URL I think? There's a similar issue with some more context / solutions here: https://github.com/aws/aws-cli/issues/4370

arianvp commented 4 months ago

Apparently

export AWS_STS_REGIONAL_ENDPOINTS=regional

is what you need according to that issue.

tim-finnigan commented 3 months ago

Thanks for reaching out. What @arianvp mentioned above is correct, and here is the documentation for that environment variable: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Noted in the documentation is the following:

All new SDK major versions releasing after July 2022 will default to regional. New SDK major versions might remove this setting and use regional behavior. To reduce future impact regarding this change, we recommend you start using regional in your application when possible.

I'll also note that 1.18.69 is an extremely old version. The latest v1 version is 1.33.1. Also we highly recommend migrating to v2 if possible.

Converting this to a Q&A discussion as it is the expected behavior and not a bug.
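The behaviour described in this thread (the global STS endpoint swallowing --region under the default "legacy" setting, and AWS_STS_REGIONAL_ENDPOINTS=regional restoring it) decides which region's CloudTrail records the AssumeRoleWithWebIdentity event, which matters to anyone writing detections against those trails. The following is an added model of that endpoint selection, not code from aws-cli or botocore: the list of regions that botocore collapses onto the global endpoint in legacy mode is my reading of botocore and should be treated as an assumption and verified against your installed version (for example with --debug, which prints the endpoint actually used); it covers the standard aws partition only.

```python
"""Model of how the AWS CLI / botocore choose an STS endpoint, and therefore
which region's CloudTrail records the AssumeRoleWithWebIdentity call.

Added illustration, not aws-cli or botocore code. LEGACY_GLOBAL_STS_REGIONS
is an assumption based on my reading of botocore; check it against the
endpoint shown by `aws sts ... --debug` on your own installation.
"""
import os
from urllib.parse import urlparse

# Assumption: regions that botocore routes to the global endpoint when
# sts_regional_endpoints is "legacy" (the default in CLI v1 / older SDKs).
# Regions launched later (e.g. ap-east-1) get a regional endpoint even in
# legacy mode.
LEGACY_GLOBAL_STS_REGIONS = frozenset({
    "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
    "aws-global", "ca-central-1", "eu-central-1", "eu-north-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1",
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
})

GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"


def resolve_sts_endpoint(region, sts_regional_endpoints="legacy", endpoint_url=None):
    """Return the STS endpoint URL the CLI would send the request to.

    Precedence, as discussed in the thread: an explicit --endpoint-url wins;
    otherwise AWS_STS_REGIONAL_ENDPOINTS decides whether --region is honoured
    ("regional") or collapsed onto the global endpoint ("legacy").
    """
    if endpoint_url:
        return endpoint_url
    mode = sts_regional_endpoints.lower()
    if mode not in ("legacy", "regional"):
        raise ValueError(f"unsupported sts_regional_endpoints value: {sts_regional_endpoints!r}")
    if mode == "legacy" and region in LEGACY_GLOBAL_STS_REGIONS:
        return GLOBAL_STS_ENDPOINT
    return f"https://sts.{region}.amazonaws.com"


def cloudtrail_region_for(endpoint):
    """Region whose CloudTrail will record a call sent to `endpoint`.

    The global endpoint is served out of us-east-1, which is why the reporter
    saw the events there despite passing --region us-east-2.
    """
    host = urlparse(endpoint).hostname or ""
    if host == "sts.amazonaws.com":
        return "us-east-1"
    parts = host.split(".")
    if len(parts) >= 4 and parts[0] == "sts":
        return parts[1]
    raise ValueError(f"not an STS endpoint hostname: {host!r}")


def explain(region, env=None):
    """Resolve endpoint and CloudTrail region from a --region value and an
    environment mapping (defaults to os.environ), as the CLI would."""
    env = os.environ if env is None else env
    endpoint = resolve_sts_endpoint(
        region,
        sts_regional_endpoints=env.get("AWS_STS_REGIONAL_ENDPOINTS", "legacy"),
    )
    return {"endpoint": endpoint, "cloudtrail_region": cloudtrail_region_for(endpoint)}


if __name__ == "__main__":
    # Reproduces the thread: same --region, different setting, different trail.
    for env in ({}, {"AWS_STS_REGIONAL_ENDPOINTS": "regional"}):
        info = explain("us-east-2", env)
        label = env.get("AWS_STS_REGIONAL_ENDPOINTS", "legacy (default)")
        print(f"{label:>18}: {info['endpoint']} -> CloudTrail in {info['cloudtrail_region']}")
```

The practical consequence for detection engineering is that a trail or query scoped to us-east-2 will not see AssumeRoleWithWebIdentity events issued by a legacy-mode client, whatever --region it passed; either set the regional mode everywhere (as the linked documentation recommends) or make sure the us-east-1 trail is covered by the same monitoring.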