-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWS IAM Authentication should provide a way to sign request for the global STS endpoint (eu-east-1) #758
Comments
I'm not too familiar with the AWS API nor the SDK, we would be happy if you would submit a pull request so we can discuss the actual change and make it work in the context of Spring Vault. |
Changes done in PR #763 |
Hi @mp911de 👋 Any chances to see this shipped with release |
Looking at the PR, we already provide a way to set the AWS region. Having a method named |
You are totally right on that point. By digging further, it appears we are blocked because of the use of spring-cloud-vault that does not provide a way to set the region. I will create an issue and a PR there. Thanks for you time. |
Since
v3.0.x
, theAwsIamAuthentication
is using the AWS region computed bysoftware.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain
, especially to sign the headers for the AWS v4 API, which is a good point.But in some cases, the Vault instance which is making the proxy call to AWS, is configured to use the global STS endpoint (on
us-east-1
), which is the default behavior. And for security reasons, Vault is not using theiam_request_url
parameter.As a consequence, you end up with an application deployed in a region A and a Vault instance using the global STS endpoint, without no easy way to use the
spring-vault
client to login.Therefore, I think we should provide a way to sign request for the global STS endpoint (eu-east-1) by offering a dedicated option and
I will be glad to help on that.
The text was updated successfully, but these errors were encountered: