aws / aws-tools-for-powershell

The AWS Tools for PowerShell lets developers and administrators manage their AWS services from the PowerShell scripting environment.
Apache License 2.0

With "-STSEndpointRegion cn-north-1", Set-AWSSAMLRoleProfile still sends request to global STS endpoint. #160

Closed WilliamWeiWei closed 3 years ago

WilliamWeiWei commented 4 years ago

According to the changelog of 3.3.46.0, the Set-AWSSAMLRoleProfile cmdlet has been extended with a new parameter, -STSEndpointRegion.

But even if we set this parameter as said in the change log, the AssumeRoleWithSAMLRequest was still sent to the global sts.amazonaws.com endpoint, not the regional endpoint, thus failing to obtain credentials.

In other words, setting this parameter or not doesn't change anything. Tested with version 3.3.283.0, 3.3.428 and 4.0.5.0.

Changelog of 3.3.46.0: https://github.com/aws/aws-tools-for-powershell/blob/master/CHANGELOG.md#33460-2017-02-07

Expected Behavior

Setting -STSEndpointRegion cn-north-1, Set-AWSSAMLRoleProfile will send AssumeRoleWithSAMLRequest to the regional endpoint "https://sts.cn-north-1.amazonaws.com.cn" and successfully obtain the credentials.

Current Behavior

Setting -STSEndpointRegion cn-north-1, Set-AWSSAMLRoleProfile will send AssumeRoleWithSAMLRequest to the global sts.amazonaws.com endpoint, not the regional endpoint, thus failing to obtain credentials.

Possible Solution

Steps to Reproduce (for bugs)

Clear-AWSCredentials
$endpoint = "https://adfs-link?loginToRp=urn:amazon:webservices:cn-north-1"
$epName = Set-AWSSamlEndpoint -Endpoint $endpoint -StoreAs ADFS -AuthenticationType NTLM
$profs = Set-AWSSamlRoleProfile -StoreAllRoles -EndpointName $epName -STSEndpointRegion cn-north-1
Set-AWSCredentials -ProfileName $profs
Set-DefaultAWSRegion "cn-north-1"
Get-S3Bucket

Enabled response logs and could see it is sending the request to the global STS endpoint.

Amazon Error: 2 : AmazonSecurityTokenServiceException making request AssumeRoleWithSAMLRequest to https://sts.amazonaws.com/. 

Context

This bug makes it impossible to use a SAML profile as credentials in the China region.

Your Environment

Cmdlet: Set-AWSSAMLRoleProfile
Tested with 3.3.283.0, 3.3.428 and 4.0.5.0

ganeshnj commented 3 years ago

@WilliamWeiWei can you try setting the AWS_STS_REGIONAL_ENDPOINTS environment variable to regional?

$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'

You can read more about the environment variable here.
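The following is an added example, not code from the issue or from the AWS Tools for PowerShell project. It combines the reporter's reproduction steps with the AWS_STS_REGIONAL_ENDPOINTS workaround suggested above, and then verifies which partition the resulting credentials actually belong to rather than trusting that -STSEndpointRegion was honoured: credentials issued by the China-region STS carry ARNs in the aws-cn partition, so a caller-identity ARN that does not start with arn:aws-cn: (or a failure to obtain credentials at all) means the request still went to the global endpoint. The function name Test-RegionalStsProfile, its parameters, and the selection of the first stored role profile are assumptions; the ADFS endpoint URL and the cn-north-1 region come from the issue.

```powershell
# Added example (not from the issue or the AWS Tools project).
# Assumptions: Test-RegionalStsProfile and its parameters are hypothetical;
# the ADFS URL and region values are the ones quoted in the issue.
function Test-RegionalStsProfile {
    param(
        [Parameter(Mandatory)] [string] $SamlEndpointUrl,   # e.g. the ADFS loginToRp URL from the issue
        [string] $Region = 'cn-north-1',
        [string] $EndpointStoreName = 'ADFS'
    )

    # Workaround from the thread: ask the SDK to use regional STS endpoints.
    $env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'

    # Log every response so the STS host that was actually contacted appears in the
    # verbose output (the same evidence the reporter used to spot sts.amazonaws.com).
    Set-AWSResponseLogging -Level Always

    Clear-AWSCredentials
    $epName = Set-AWSSamlEndpoint -Endpoint $SamlEndpointUrl -StoreAs $EndpointStoreName -AuthenticationType NTLM
    $profs  = Set-AWSSamlRoleProfile -StoreAllRoles -EndpointName $epName -STSEndpointRegion $Region

    # -StoreAllRoles may return several profile names; use the first one (assumption).
    $profileName = @($profs)[0]
    Set-AWSCredentials -ProfileName $profileName
    Set-DefaultAWSRegion $Region

    $result = [pscustomobject]@{
        Profile                 = $profileName
        Arn                     = $null
        Partition               = $null
        RegionalEndpointHonored = $false
        Error                   = $null
    }

    try {
        # If the SAML exchange went to the global endpoint, this call fails because
        # no credentials were obtained; if it went to the China STS, the ARN is aws-cn.
        $identity = Get-STSCallerIdentity
        $result.Arn       = $identity.Arn
        $result.Partition = ($identity.Arn -split ':')[1]
        $result.RegionalEndpointHonored = ($identity.Arn -like 'arn:aws-cn:*')
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    if (-not $result.RegionalEndpointHonored) {
        Write-Warning "Credentials for profile '$profileName' were not issued by the $Region STS endpoint; check the response log for the host contacted."
    }
    return $result
}

# Usage (endpoint URL taken from the issue):
# Test-RegionalStsProfile -SamlEndpointUrl "https://adfs-link?loginToRp=urn:amazon:webservices:cn-north-1"
```

The check deliberately keys on the partition in the ARN rather than on the absence of an error: a profile that silently obtained global-partition credentials would also be wrong for a China-region deployment, and the partition is the one property that cannot be satisfied by the wrong endpoint.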

github-actions[bot] commented 3 years ago

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.