Support for AWS_ENDPOINT_URL_STS #257

Open
2 tasks
pawalt opened this issue Dec 30, 2024 · 4 comments
Labels
closing-soon This issue will automatically close in 4 days unless further comments are made. feature-request A feature should be added or improved. p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 7 days.

Comments

pawalt commented Dec 30, 2024

Describe the feature

We'd like to provide AWS_ENDPOINT_URL_STS in order to point aws-c-auth at a local STS provider. Currently, this library only supports sts.amazonaws.com.

Use Case

We'd like to use mountpoint-s3 to mount buckets using OIDC authentication. This works fine against production AWS, but we want to use a MinIO server in development so we can write automated tests. For this, we need a custom STS URL so mountpoint-s3 can dial into MinIO instead of AWS.

Proposed Solution

Allow the default STS URL to be set:

impl->endpoint = aws_string_new_from_c_str(allocator, "sts.amazonaws.com");

Other Information

Crosslinking awslabs/mountpoint-s3#1203

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@pawalt pawalt added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 30, 2024
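
Added example, not part of the issue and not aws-c-auth code: one way an override such as the requested AWS_ENDPOINT_URL_STS could be validated before a web identity token is sent to it, accepting plaintext http only for loopback hosts (a local development server) and failing closed on anything else. The function name `resolve_sts_endpoint` and the validation policy are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_STS_HOST "sts.amazonaws.com" /* default named in the issue */
/* Loopback match is exact and case-sensitive on purpose: unknown spellings are rejected. */
static int is_loopback(const char *host, size_t len) {
    static const char *const names[] = {"localhost", "127.0.0.1", "[::1]"};
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strlen(names[i]) == len && memcmp(host, names[i], len) == 0) return 1;
    return 0;
}

/* Hypothetical resolver. override = value of AWS_ENDPOINT_URL_STS (NULL if unset).
 * Writes "host[:port]" to out; returns 0 on success, -1 if the override is rejected. */
int resolve_sts_endpoint(const char *override, char *out, size_t out_len) {
    int tls = 0;
    if (override == NULL || override[0] == '\0') override = "https://" DEFAULT_STS_HOST;
    if (strncmp(override, "https://", 8) == 0) { tls = 1; override += 8; }
    else if (strncmp(override, "http://", 7) == 0) override += 7;
    else return -1;                                   /* unknown scheme */
    size_t auth_len = strcspn(override, "/?#");       /* authority ends at path/query/fragment */
    if (auth_len == 0 || auth_len >= out_len) return -1;
    if (memchr(override, '@', auth_len)) return -1;   /* userinfo can disguise the real host */
    size_t host_len;
    if (override[0] == '[') {                         /* bracketed IPv6 literal */
        const char *rb = memchr(override, ']', auth_len);
        if (rb == NULL) return -1;
        host_len = (size_t)(rb - override) + 1;
    } else {
        const char *colon = memchr(override, ':', auth_len);
        host_len = colon ? (size_t)(colon - override) : auth_len;
    }
    if (host_len == 0) return -1;
    for (size_t i = host_len; i < auth_len; i++)      /* remainder must be ":digits" */
        if (i == host_len ? override[i] != ':' : (override[i] < '0' || override[i] > '9')) return -1;
    /* Plaintext would expose the web identity token, so allow it only for loopback. */
    if (!tls && !is_loopback(override, host_len)) return -1;
    memcpy(out, override, auth_len);
    out[auth_len] = '\0';
    return 0;
}

int main(void) {
    char host[256];
    int rc = resolve_sts_endpoint(getenv("AWS_ENDPOINT_URL_STS"), host, sizeof host);
    if (rc == 0) printf("STS endpoint: %s\n", host);
    else fprintf(stderr, "AWS_ENDPOINT_URL_STS rejected, not falling back\n");
    return rc == 0 ? 0 : 1;
}
```

A set-but-invalid override is an error rather than a silent fallback to the default, so a misconfigured test environment cannot send tokens to production STS unnoticed.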
Contributor

waahm7 commented Jan 8, 2025

Hi, thank you for creating the issue. We are discussing the feasibility of this request. Could you please provide a bit more detail about why this is needed and not use something like static/process credentials provider?

Unfortunately I am trying to test whether the Assume role provider works with mount-s3, so using the process credentials provider will defeat my purpose.

Default credentials provider is an implementation detail, and this sounds like trying to test the internal functionality of a dependency. What's the need for testing assumeRole? We have many unit tests that assert the implementation of assumeRole is working correctly.

Author

pawalt commented Jan 8, 2025

@waahm7 We're specifically trying to test our code that automatically sets up mount-s3 and configures OIDC on it. We want to test the integration of our OIDC provider with mount-s3. To do this in our dev environment, we use MinIO. This means we can't have mount-s3 hit sts.amazonaws.com, and we need to point it at local MinIO. So we don't mean to test the internal functionality; we just want to test that our system round-trips properly.

Contributor

waahm7 commented Jan 9, 2025

@pawalt Sorry, I still don’t understand why something like credential_process = aws sts assume-role-with-web-identity .... won’t work. It will just use the CLI STSWebIdentity provider instead of the aws-c-auth one and mountpoint won't hit sts.amazonaws.com

@waahm7 waahm7 added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 7 days. label Jan 10, 2025

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jan 11, 2025
@jmklix jmklix added p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jan 13, 2025
3 participants