Nike-Inc / gimme-aws-creds

A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials

Support Multi-Region SAML Endpoints

epierce opened this issue · comments

Expected Behavior

gimme-aws-creds should be able to authenticate the user and get temporary AWS creds, regardless of what AWS regions are down - assuming Okta is still functional.

Current Behavior

If us-east-1 is down, the generation of temporary credentials fails.

Possible Solution

Ideally, AWS would provide true multi-region failover for the STS and SAML endpoints (sts.aws.amazon.com and signin.aws.amazon.com). However, both of these "global" URLs just point at the endpoints in us-east-1, so if there's a regional failure there (as there was on 6/13/2023), SAML authentication for the console and gimme-aws-creds will fail.

The STS issue is already handled in gimme-aws-creds 2.7.0 - if you set the AWS_STS_REGION environment variable to force the use of a specific AWS region, you can avoid an outage in us-east-1. However, a failure for signin.aws.amazon.com is more complicated. The instructions for this workaround are available here. This solution requires changes to the Okta configuration for each of your AWS apps, modification of every role in your AWS accounts and a manual configuration change when there is an outage in your "preferred" AWS region. gimme-aws-creds also needs to be updated, because it assumes that https://signin.aws.amazon.com will always be the ACS URL in SAML responses for AWS. Instead, it needs to allow https://{aws_region}.signin.aws.amazon.com as well. We can't assume this will be the same value as AWS_STS_REGION because the user is not in control of what region should be used for sign in - that is controlled by the Okta app configuration.
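One way to drop the hard-coded `https://signin.aws.amazon.com` assumption described above is to read the `Destination` of the `samlp:Response` and allow-list it against both the global and the regional form of the sign-in endpoint, extracting the region from the hostname so the client follows whatever the Okta app was configured with. The code below is an added, hypothetical example written for this issue; it is not gimme-aws-creds code. It assumes the ACS path is `/saml`, that region labels look like `us-west-2` or `us-gov-west-1`, and that the sample SAML response (constructed inline, unsigned) stands in for what Okta would return. It checks the `Destination` attribute only; signature and audience validation still have to happen separately.

```python
"""Allow-list the AWS SAML ACS / Destination URL, accepting the global endpoint
and regional endpoints of the form https://{aws_region}.signin.aws.amazon.com.

Hypothetical helper written for this issue, not part of gimme-aws-creds.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP_RESPONSE_TAG = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

# Strict, fully anchored pattern. The optional region label must look like an
# AWS region (two-letter prefix, one or more words, trailing digit), the host
# must be exactly signin.aws.amazon.com or <region>.signin.aws.amazon.com, the
# scheme must be https and the path must be /saml (path assumed for this example).
# Anchoring rejects lookalikes such as signin.aws.amazon.com.attacker.example.
ACS_URL_RE = re.compile(
    r"^https://(?:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.)?signin\.aws\.amazon\.com/saml$"
)


def classify_acs_url(url: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, region). region is None for the global endpoint."""
    m = ACS_URL_RE.match(url)
    if not m:
        return False, None
    return True, m.group("region")


def acs_url_from_saml_response(saml_response_b64: str) -> str:
    """Extract the Destination attribute from a base64-encoded samlp:Response."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != SAMLP_RESPONSE_TAG:
        raise ValueError("not a samlp:Response element")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("samlp:Response has no Destination attribute")
    return dest


def signin_region_for(saml_response_b64: str) -> Optional[str]:
    """Validate the Destination and return the sign-in region it names.

    None means the global endpoint. Raises ValueError for anything that is not
    an AWS sign-in endpoint, so a tampered or misconfigured ACS URL fails closed
    instead of being posted to.
    """
    url = acs_url_from_saml_response(saml_response_b64)
    allowed, region = classify_acs_url(url)
    if not allowed:
        raise ValueError(f"unexpected ACS URL in SAML response: {url}")
    return region


def make_sample_response(destination: str) -> str:
    """Build a minimal, unsigned samlp:Response (constructed test data only)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="_example" Version="2.0" IssueInstant="2023-06-13T00:00:00Z" '
        f'Destination="{destination}"/>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for dest in (
        "https://signin.aws.amazon.com/saml",
        "https://us-west-2.signin.aws.amazon.com/saml",
        "https://signin.aws.amazon.com.attacker.example/saml",
    ):
        try:
            print(dest, "->", signin_region_for(make_sample_response(dest)))
        except ValueError as exc:
            print(dest, "-> rejected:", exc)
```

The region returned here is the sign-in region chosen by the Okta app configuration; it is deliberately kept separate from the STS region, which a user selects through `AWS_STS_REGION`, because the two need not agree.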