The AssumeRoleProvider created as part of loading credentials from a profile does not appear to respect the endpoint URL overrides, and continues to talk to sts.amazonaws.com
Expected Behavior
It should talk to the configured endpoint URL
Current Behavior
It talks to the default STS endpoint
Reproduction Steps
Create a file at /tmp/aws-config with the following content
[profile default]
aws_access_key_id = test
aws_secret_access_key = test
[profile messaging]
role_arn = arn:aws:iam::000000000000:role/messaging
role_session_name = messaging
source_profile = default
Then create a new Rust project with
Cargo.toml
[package]
name = "temp"
version = "0.1.0"
edition = "2021"
[dependencies]
aws-config = "1.5.6"
aws-credential-types = "1.2"
tokio = { version = "1.0", features = ["full"] }
src/main.rs
use aws_credential_types::provider::ProvideCredentials;
#[tokio::main]
async fn main() {
let aws_config = aws_config::defaults(aws_config::BehaviorVersion::latest()).load().await;
aws_config.credentials_provider().unwrap().provide_credentials().await.unwrap();
}
Run it with
export AWS_ENDPOINT_URL=http://127.0.0.1:4566
export AWS_CONFIG_FILE=/tmp/aws-config
export AWS_PROFILE=messaging
cargo run
Get the following error
called `Result::unwrap()` on an `Err` value: ProviderError(ProviderError { source: ProviderError(ProviderError { source: ServiceError(ServiceError { source: Unhandled(Unhandled { source: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) }, meta: ErrorMetadata { code: Some("InvalidClientTokenId"), message: Some("The security token included in the request is invalid."), extras: Some({"aws_request_id": "64665aaf-2926-429c-999d-6f22f439d5e3"}) } }), raw: Response { status: StatusCode(403), headers: Headers { headers: {"x-amzn-requestid": HeaderValue { _private: H0("64665aaf-2926-429c-999d-6f22f439d5e3") }, "content-type": HeaderValue { _private: H0("text/xml") }, "content-length": HeaderValue { _private: H0("306") }, "date": HeaderValue { _private: H0("Thu, 19 Sep 2024 16:19:07 GMT") }} }, body: SdkBody { inner: Once(Some(b"<ErrorResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">\n <Error>\n <Type>Sender</Type>\n <Code>InvalidClientTokenId</Code>\n <Message>The security token included in the request is invalid.</Message>\n </Error>\n <RequestId>64665aaf-2926-429c-999d-6f22f439d5e3</RequestId>\n</ErrorResponse>\n")), retryable: true }, extensions: Extensions { extensions_02x: Extensions, extensions_1x: Extensions } } }) }) })
Crucially this does not require localstack to be running, as it completely ignores the configured endpoint URL
Describe the bug
The AssumeRoleProvider created as part of loading credentials from a profile does not appear to respect the endpoint URL overrides, and continues to talk to sts.amazonaws.com
Expected Behavior
It should talk to the configured endpoint URL
Current Behavior
It talks to the default STS endpoint
Reproduction Steps
Create a file at
/tmp/aws-config
with the following contentThen create a new Rust project with
Cargo.toml
src/main.rs
Run it with
Get the following error
Crucially this does not require localstack to be running, as it completely ignores the configured endpoint URL
Possible Solution
No response
Additional Information/Context
https://github.com/awslabs/aws-sdk-rust/issues/921 is related, but it would appear https://github.com/smithy-lang/smithy-rs/pull/3014 was only a partial fix
Version
Environment details (OS name and version, etc.)
x86_64 GNU/Linux
Logs
No response