propgate config.Region in the IAM and STS clients #30312
Conversation
We weren't handling config.Region values in some high-default environments, and not handling gov-cloud iam values correctly. Reflow how default values propagate through the code and attempt to fix the region/endpoint values at the end. Also try to fix the slices if they end up mismatched, and ensure we have explicit value setting escape hatches in case we forgot something.
|
CI Results: |
|
Build Results: |
| t.Fatalf("got %d configs, but expected 1", len(cfgs)) | ||
| } | ||
|
|
||
| if *(cfgs[0].Endpoint) != "" { |
There was a problem hiding this comment.
The reason why we need the endpoint to be held blank is that in official AWS IAM, the endpoint being set seems to fail the client setup, even if the endpoint matches what is specified on the AWS Endpoints list[1]. Apparently it needs to be blank (or some value I haven't been able to find.)
[1] https://docs.aws.amazon.com/general/latest/gr/iam-service.html
| @@ -24,8 +24,6 @@ import ( | |||
| "github.com/hashicorp/vault/sdk/logical" | |||
| ) | |||
|
|
|||
| const fallbackEndpoint = "https://sts.amazonaws.com" // this is not regionally distributed; all requests go to us-east-1 | |||
There was a problem hiding this comment.
This was unused, so I removed it.
| @@ -81,13 +79,19 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT | |||
| credsConfig.HTTPClient = cleanhttp.DefaultClient() | |||
| credsConfig.Logger = logger | |||
|
|
|||
| if config.Region != "" { | |||
There was a problem hiding this comment.
This (probably) was the bug that was causing gov-cloud issues - we weren't pre-setting the region defined in the config, so it was getting lost.
| endpoints = append(endpoints, matchingSTSEndpoint(fallbackRegion)) | ||
| case "iam": | ||
| endpoints = append(endpoints, "https://iam.amazonaws.com") // see https://docs.aws.amazon.com/general/latest/gr/iam-service.html | ||
| if len(endpoints) == 0 { |
There was a problem hiding this comment.
It is possible for no endpoint to be supplied even if a region was - in particular in the IAM case, which expects no endpoint unless a third-party reimplementer of IAM is being used.
This PR should resolve an issue with certain secrets/aws configurations where we weren't properly handling default values, and additionally where we weren't handling GovCloud iam endpoints.
This change will allow the config.Region setting to flow through as the default in all cases for IAM, and when no stsRegion is set for STS. The fallback values (AWS_REGION, etc) will show up in fewer cases.
In the GovCloud case, it's possible that one might be able to work around the existing issue by setting the
AWS_REGIONenvironment variable and explicitly setting theiam_endpointvalue.Areas of Concern:
I tested this to work on all permutations of IAM and STS endpoints, regions, etc, that I could think of, but
TODO only if you're a HashiCorp employee
backport/label that matches the desired release branch. Note that in the CE repo, the latest release branch will look likebackport/x.x.x, but older release branches will bebackport/ent/x.x.x+ent.