tilfin
commented
2 years ago Findings
- The only endpoints that can send 'switch role' requests are us-east-1 and the current region.
- Hosts in geographically closer regions respond faster.
- If you are geographically closer to us-east-1 than to the region you are operating in, you should continue to use signin.aws.amazon.com.
During the outage on 12/7/2021, we (and I imagine most folks) had issues switching roles even though most of our resources are not in us-east-1, apparently because the switch role behavior (by default and with this plugin) uses the global endpoint (aka us-east-1).
By default the Console uses https://signin.aws.amazon.com/switchrole when you manually switch roles. If you put a region in front of that (like https://us-east-2.signin.aws.amazon.com/switchrole), I think it would've worked during the outage.
An optional configuration item somewhere (per profile or global?) allowing you to specify the STS region would be wonderful. Not only to workaround the rare outage like the other day, but provide the option to keep this traffic more geographically efficient.