hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

AWS Secrets Engine - Root IAM credentials can't be rotated with the region parameter set and AWS credentials can't be generated without the region parameter set #22602

Open GBT55 opened 1 year ago

GBT55 commented 1 year ago

Is your feature request related to a problem? Please describe.

We have found the need to add the sts_region parameter to the AWS secret engine just as it is already available in the AWS auth method. Currently only these parameters exist: https://developer.hashicorp.com/vault/api-docs/secret/aws#parameters

The reason is that for sts_endpoint we use proxies, let's say:

sts_endpoint = "sts.proxy.com"

And since we use these proxies, we cannot specify the AWS region in the sts_endpoint as sts.${aws_region}.amazonaws.com, but we can use the region parameter, say:

region = "eu-west-1"

Now here we run into the problem: if we specify the region parameter, then we will not be able to rotate the root IAM credentials. If we do not specify the region parameter, we will be able to rotate the root IAM credentials, but the generation of credentials and roles (assumed_role, federation_token or iam_user) will fail because no region is found.

We are not sure if this is intentional or a bug, but we believe that having the sts_region parameter may fix our problem.

Describe the solution you'd like

We would like to be able to use the sts_region parameter in the AWS Vault secrets engine.

Additional context

The error message for when we try to rotate credentials with the region set or generate AWS credentials without the region parameter set is the same:

{
  "errors": [
    "1 error occurred:
        * error calling GetUser: SignatureDoesNotMatch: Credential should be scoped to a valid region.
        status code: 403, 
        request id: 97c6347f-xxx-xxxx-xxxx-xxxxx1900d"
  ]
}

We think that our problem is similar to the one described here (https://github.com/hashicorp/vault/issues/7397) on the AWS auth method. Same errors and issues, which were solved by setting the sts_region parameter.
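The "Credential should be scoped to a valid region" error above comes from SigV4 signing, which bakes a region into both the credential scope string and the derived signing key. The following Python is an added illustration (not Vault's or the AWS SDK's code): it signs an STS request and shows why a proxy hostname such as sts.proxy.com cannot supply that region on its own, so it has to come from explicit configuration. The hostname regex is a deliberate simplification of real endpoint resolution, and the access key pair used in the comments is AWS's documented example pair.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Regional STS hostnames carry their region; a proxy hostname does not.
STS_HOST_RE = re.compile(r"^sts\.([a-z0-9-]+)\.amazonaws\.com$")


def resolve_signing_region(sts_endpoint, region=None):
    """Region for the SigV4 credential scope, or None if unresolvable.
    Illustrative resolver (not Vault's or the AWS SDK's logic): take the
    region from a sts.<region>.amazonaws.com host, else fall back to the
    explicit region setting."""
    host = urlparse(sts_endpoint).hostname or sts_endpoint
    match = STS_HOST_RE.match(host)
    return match.group(1) if match else region


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_sts_request(access_key, secret_key, sts_endpoint, region, amz_date, body):
    """Return (credential_scope, Authorization header) for a SigV4-signed POST
    to STS. The region is part of the scope string and of the signing-key
    derivation, so a request signed for the wrong region is rejected with
    SignatureDoesNotMatch rather than a routing error."""
    host = urlparse(sts_endpoint).hostname or sts_endpoint
    signing_region = resolve_signing_region(sts_endpoint, region)
    if signing_region is None:
        raise ValueError("cannot scope credential: no region for %s" % host)
    datestamp = amz_date[:8]
    scope = "%s/%s/sts/aws4_request" % (datestamp, signing_region)
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        "POST", "/", "",  # method, URI, empty query string
        "host:%s\nx-amz-date:%s\n" % (host, amz_date), signed_headers,
        hashlib.sha256(body.encode()).hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Key derivation chain: date -> region -> service -> aws4_request
    k_date = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k_region = _hmac(k_date, signing_region)
    k_signing = _hmac(_hmac(k_region, "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        access_key, scope, signed_headers, signature)
    return scope, authorization
```

Calling sign_sts_request with the same key pair and body but a different region changes the Credential scope and the Signature value, which is exactly what STS checks when it reports the credential as not scoped to a valid region.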

GBT55 commented 1 year ago

Opened the following PR aiming to fix this issue: https://github.com/hashicorp/vault/pull/22726