Use STS regional endpoints for STS calls from resource providers #22022
Comments
willyg302
added
feature-request
github-actions
bot
added
the
@aws-cdk/custom-resources
|
Thanks for the request @willyg302!
I'm also unclear on this myself, maybe someone else on the team would know. @TheRealAmazonKendra this may be interesting to you Though, I don't see why we wouldn't at the least be able to include an option for this that isn't enabled by default |
peterwoodworth
added
p1
effort/small
|
@peterwoodworth I believe the absence of this optional also prevents the custom resource from being used in private subnets that rely on an AWS Interface Endpoint for STS access, since the The EKS cluster resource provider has regional STS endpoints enabled by default via the AWS_STS_REGIONAL_ENDPOINTS environment variable: link. A simple solution to enable STS regional endpoints without touching the existing handler code would be to make the function environment configurable via a new AwsCustomResourceProps option: |
|
I took your fix. Thanks! |
By default, the STS client is using the global STS endpoint, and tokens it returns are not valid in opt-in regions. Fixes #22022.
By default, the STS client is using the global STS endpoint, and tokens it returns are not valid in opt-in regions. Affects EKS, Route53, AwsCustomResource. Fixes #22022. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the feature
Per the STS docs:
Use Case
When attempting to use CrossAccountZoneDelegationRecord, we discovered that the cross-account assume role did not work from an opt-in region, failing with:
In our case, this was due to our use of a global service principal in the delegation role's trust policy, and opt-in accounts are not visible in such a service principal. One possible workaround is to add either regional service principals or opt-in account IDs directly to the trust policy, but this is not desirable as it requires updating the delegation role for each new opt-in region.
Proposed Solution
This can be done by updating the following:
new STS({ stsRegionalEndpoints: 'regional' })new AWS.ChainableTemporaryCredentials({ params, stsConfig: { stsRegionalEndpoints: 'regional' } })Other Information
I would submit a PR myself, but am unclear on whether there are any downsides to defaulting to the regional endpoints (i.e. whether these changes can be hardcoded or should be behind a flag). At least in our team's experience, switching to the regional endpoints has caused no issues.
Acknowledgements
CDK version used
v1
Environment details (OS name and version, etc.)
N/A
The text was updated successfully, but these errors were encountered: