From dbff485a1f755dfd32de23d3fe8919eb76bf1288 Mon Sep 17 00:00:00 2001
From: Joel Thompson
Date: Wed, 20 Feb 2019 22:57:39 -0500
Subject: [PATCH] Coax AWS SDK to use right region for STS

---
 builtin/credential/aws/cli.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go
index 3cf764858..1d7779280 100644
--- a/builtin/credential/aws/cli.go
+++ b/builtin/credential/aws/cli.go
@@ -9,6 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/hashicorp/errwrap"
@@ -18,6 +19,19 @@ import (
 
 type CLIHandler struct{}
 
+// STS is a really weird service that used to only have global endpoints but now has regional endpoints as well.
+// For backwards compatibility, even if you request a region other than us-east-1, it'll still sign for us-east-1.
+// See, e.g., https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code
+// So we have to shim in this EndpointResolver to force it to sign for the right region
+func stsSigningResolver(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) {
+	defaultEndpoint, err := endpoints.DefaultResolver().EndpointFor(service, region, optFns...)
+	if err != nil {
+		return defaultEndpoint, err
+	}
+	defaultEndpoint.SigningRegion = region
+	return defaultEndpoint, nil
+}
+
 // Generates the necessary data to send to the Vault server for generating a token
 // This is useful for other API clients to use
 func GenerateLoginData(creds *credentials.Credentials, headerValue, region string) (map[string]interface{}, error) {
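Review bot: `stsSigningResolver` ignores its `service` argument and rewrites `SigningRegion` for every endpoint resolved through the config it is installed on in the last hunk (`cfg.EndpointResolver = endpoints.ResolverFunc(stsSigningResolver)`); the session built here appears to reach only STS, but any later reuse of that `aws.Config` for another service would produce mis-signed requests that surface only as an opaque signature error. Scoping the override to STS keeps the intent explicit and the blast radius small: `if service == endpoints.StsServiceID {` / `	defaultEndpoint.SigningRegion = region` / `}`. Note also that only the signing region is changed, not the endpoint the default resolver returned, so the request is still addressed to whatever host the SDK picks for STS in that partition (presumably the global one) while being signed for the requested region; the Vault server presumably has to verify it against the STS endpoint of that same region, which is worth stating in the comment so operators understand why a region mismatch fails. Finally, the doc comment should start with the function name per Go convention, e.g. `// stsSigningResolver wraps the SDK's default resolver and forces STS requests to be signed for the requested region rather than us-east-1.`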
@@ -27,6 +41,7 @@ func GenerateLoginData(creds *credentials.Credentials, headerValue, region strin
 	cfg := aws.Config{Credentials: creds}
 	if region != "" {
 		cfg.Region = ®ion
+		cfg.EndpointResolver = endpoints.ResolverFunc(stsSigningResolver)
 	}
 	stsSession, err := session.NewSessionWithOptions(session.Options{
 		Config: cfg,