awslabs / aws-sdk-kotlin

Multiplatform AWS SDK for Kotlin


StsWebIdentityCredentialsProvider does not respect AWS_ENDPOINT_URL_STS

nico1207 opened this issue · comments

Describe the bug

The StsWebIdentityCredentialsProvider that is part of the default credentials provider chain does not respect the AWS_ENDPOINT_URL_STS environment variable when fetching the credentials from STS.
Instead, it will simply call the default AWS URL.

Expected behavior

When setting AWS_ENDPOINT_URL_STS I expect the SDK to use the specified STS URL for fetching credentials.

Current behavior

It uses the default AWS URL https://sts.us-west-2.amazonaws.com

Steps to Reproduce

  1. Set the AWS_ENDPOINT_URL_STS environment variable to a URL that should be called
  2. Set AWS_WEB_IDENTITY_TOKEN_FILE to a file containing some JWT
  3. Set AWS_ROLE_ARN to any valid role ARN
  4. Use SDK to call any service via STS Web Identity Token
  5. See that the URL specified above is not used for authentication

Possible Solution

When creating the STS client, the finalizeConfig function of the StsClient is not called, which would take the endpointUrl from the environment variables.

Alternatively, allow passing my own StsClient to the credentials provider (this is possible in the Java SDK).

Context

Our backend services use a service-mesh to call AWS services and we can only call them via HTTP, not HTTPS. Thus, we have to change the endpointUrl to use HTTP.

AWS Kotlin SDK version used

1.0.51

Platform (JVM/JS/Native)

JVM

Operating System and version

MacOS 14.3 (M1)
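To see which endpoint the credentials provider actually reaches (step 5 of the reproduction above), here is an added probe that is not part of the issue or of the SDK: a local stand-in for STS that records whether an AssumeRoleWithWebIdentity call arrives at the URL placed in AWS_ENDPOINT_URL_STS. The loopback address, port, role ARN and token value are constructed, and the token is deliberately not stored.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Summaries of requests that reached the probe. If the SDK honours the variable, its call lands here.
RECEIVED = []

def summarize(form):
    """Record only what identifies an AssumeRoleWithWebIdentity call; the token itself is never kept."""
    fields = {k: v[0] for k, v in parse_qs(form).items()}
    return {
        "Action": fields.get("Action"),
        "RoleArn": fields.get("RoleArn"),
        "RoleSessionName": fields.get("RoleSessionName"),
        "token_present": "WebIdentityToken" in fields,
    }

class StsProbeHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        RECEIVED.append(summarize(body))
        # A well-formed STS error is enough; the point is only that the request arrived here.
        self.send_response(400)
        self.send_header("Content-Type", "text/xml")
        self.end_headers()
        self.wfile.write(b"<ErrorResponse><Error><Code>ProbeOnly</Code></Error></ErrorResponse>")

    def log_message(self, *args):
        pass  # keep the console quiet; RECEIVED is the record

def start_probe(port=0):
    """Listen on localhost; returns (server, url) where url is the value for AWS_ENDPOINT_URL_STS."""
    server = ThreadingHTTPServer(("127.0.0.1", port), StsProbeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def send_constructed_request(url):
    """Stand-in for the SDK: posts a constructed AssumeRoleWithWebIdentity form and returns the status."""
    form = ("Action=AssumeRoleWithWebIdentity&Version=2011-06-15"
            "&RoleArn=arn%3Aaws%3Aiam%3A%3A123456789012%3Arole%2Fexample"
            "&RoleSessionName=probe&WebIdentityToken=constructed.jwt.value")
    req = Request(url, data=form.encode(), headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        return urlopen(req, timeout=5).status
    except HTTPError as err:
        return err.code
```

Export the URL returned by start_probe() as AWS_ENDPOINT_URL_STS, run the SDK call under test, and inspect RECEIVED: an empty list means the credentials provider went to a different endpoint.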

Thanks for the report, I can indeed see this would be an issue with any nested client of the default chain.

We'll have to look at what we want to do here.