spring-cloud / spring-cloud-vault

Configuration Integration with HashiCorp Vault
http://cloud.spring.io/spring-cloud-vault/
Apache License 2.0

`ClientAuthenticationFactory` should enable to set the region for AWS IAM Authentication #681

Closed Amuerte closed 1 year ago

Amuerte commented 1 year ago

In some cases, the Vault instance which is making the proxy call to AWS is configured to use the global STS endpoint (on us-east-1), which is the default behavior. But when your application is deployed in another region, the authentication will fail, as spring-vault uses the region from your application and the requests to AWS are signed with that region.

As a consequence, you end up with an application deployed in one region and a Vault instance using the global STS endpoint, with no easy way to use the spring-vault client to login.

I propose to enable the region configuration in the ClientAuthenticationFactory and will be glad to help with a PR.

PS: The problem was initially discussed in this issue from spring-vault.
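The region mismatch described in the issue above, shown with plain AWS Signature Version 4 key derivation. This is an added example, not code from the issue, spring-vault or Vault; the secret key, timestamp and the `endpoint_accepts` check are constructed assumptions that model the receiving endpoint as recomputing the signature under its own region.

```python
import hashlib
import hmac

SERVICE = "sts"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"
# Constructed sample values (assumptions), not real credentials.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
AMZ_DATE = "20240101T000000Z"
GLOBAL_STS_HOST = "sts.amazonaws.com"
GLOBAL_STS_REGION = "us-east-1"  # region the global STS endpoint signs under


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: the region is mixed into the key itself."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return key


def sign(secret: str, region: str, host: str = GLOBAL_STS_HOST) -> str:
    """Return the SigV4 signature of a GetCallerIdentity POST for a region."""
    date = AMZ_DATE[:8]
    canonical = "\n".join([
        "POST", "/", "",                      # method, URI, empty query string
        f"host:{host}", f"x-amz-date:{AMZ_DATE}", "",
        "host;x-amz-date",                    # signed headers
        hashlib.sha256(BODY.encode()).hexdigest(),
    ])
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    to_sign = "\n".join([
        "AWS4-HMAC-SHA256", AMZ_DATE, scope,
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    return _hmac(signing_key(secret, date, region), to_sign).hex()


def endpoint_accepts(signature: str, endpoint_region: str) -> bool:
    """Simplified model: recompute under the endpoint's region and compare."""
    return hmac.compare_digest(signature, sign(SECRET_KEY, endpoint_region))
```

Because the region enters both the credential scope and the derived key, a request signed with the application's region cannot validate at an endpoint that expects `us-east-1`, which is why the client needs a way to set the signing region explicitly.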