StsWebIdentityCredentialsProvider does not respect AWS_ENDPOINT_URL_STS
nico1207 opened this issue
Describe the bug
The StsWebIdentityCredentialsProvider that is part of the default credentials provider chain does not respect the AWS_ENDPOINT_URL_STS environment variable when fetching the credentials from STS. Instead it will simply call the default AWS URL.
Expected behavior
When setting AWS_ENDPOINT_URL_STS I expect the SDK to use the specified STS URL for fetching credentials.
Current behavior
It uses the default AWS URL https://sts.us-west-2.amazonaws.com
Steps to Reproduce
- Set the AWS_ENDPOINT_URL_STS environment variable to a URL that should be called
- Set AWS_WEB_IDENTITY_TOKEN_FILE to a file containing some JWT
- Set AWS_ROLE_ARN to any valid role ARN
- Use the SDK to call any service via STS Web Identity Token
- See that the URL specified above is not used for authentication
Possible Solution
When creating the STS client, the finalizeConfig function of the StsClient is not called, which would take the endpointUrl from the environment variables.
Alternatively, allow passing my own StsClient to the credentials provider (this is possible in the Java SDK).
Context
Our backend services use a service-mesh to call AWS services and we can only call them via HTTP, not HTTPS. Thus, we have to change the endpointUrl to use HTTP.
AWS Kotlin SDK version used
1.0.51
Platform (JVM/JS/Native)
JVM
Operating System and version
MacOS 14.3 (M1)
Thanks for the report, I can indeed see this would be an issue with any nested client of the default chain.
We'll have to look at what we want to do here.
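To check which endpoint a credentials provider actually contacts, it helps to stand up a throwaway STS look-alike on loopback and point AWS_ENDPOINT_URL_STS at it: if the provider honours the variable, the fake sees an AssumeRoleWithWebIdentity request; if not, the request never arrives. The following is an added example written for this page, not code from the aws-sdk-kotlin project or from the reporter. It assumes the public STS Query API shape (a form-encoded POST with Action=AssumeRoleWithWebIdentity, answered with XML in the 2011-06-15 namespace), models the documented endpoint precedence (service-specific AWS_ENDPOINT_URL_STS, then the generic AWS_ENDPOINT_URL, then the regional default; config-file `services` sections are not modelled), and uses constructed role ARN, token and credential values. The built-in client at the bottom only shows what a correct provider would send; the real check is to run the Kotlin SDK with these environment variables and inspect `FakeSts.seen`.

```python
"""Loopback stand-in for STS, used to observe which endpoint a web-identity
credentials provider calls.  Added example; not aws-sdk-kotlin code."""
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

STS_NS = "https://sts.amazonaws.com/doc/2011-06-15/"
DEFAULT_STS_TEMPLATE = "https://sts.{region}.amazonaws.com"


def expected_sts_endpoint(env, region):
    """Endpoint the SDK should use for STS under the documented precedence:
    AWS_ENDPOINT_URL_STS, then AWS_ENDPOINT_URL, then the regional default.
    (Assumption: config-file `services` overrides are ignored here.)"""
    return (env.get("AWS_ENDPOINT_URL_STS")
            or env.get("AWS_ENDPOINT_URL")
            or DEFAULT_STS_TEMPLATE.format(region=region))


class FakeSts(BaseHTTPRequestHandler):
    """Records every request and answers AssumeRoleWithWebIdentity with
    constructed dummy credentials.  Plain HTTP, as a service mesh would."""
    seen = []  # one dict per request: host header, path, parsed form fields

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode()
        form = {k: v[0] for k, v in parse_qs(raw).items()}
        FakeSts.seen.append({"host": self.headers.get("Host"),
                             "path": self.path, "form": form})
        if form.get("Action") != "AssumeRoleWithWebIdentity":
            self.send_error(400, "unexpected Action")
            return
        assumed = f"{form.get('RoleArn', '')}/{form.get('RoleSessionName', '')}"
        body = f"""<AssumeRoleWithWebIdentityResponse xmlns="{STS_NS}">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>ASIAFAKEFAKEFAKEFAKE</AccessKeyId>
      <SecretAccessKey>fake-secret</SecretAccessKey>
      <SessionToken>fake-session-token</SessionToken>
      <Expiration>2099-01-01T00:00:00Z</Expiration>
    </Credentials>
    <AssumedRoleUser><Arn>{assumed}</Arn></AssumedRoleUser>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>""".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the harness quiet
        pass


def start_fake_sts():
    """Bind an HTTP listener on an ephemeral loopback port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeSts)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def assume_role_with_web_identity(endpoint, role_arn, token, session_name="repro"):
    """What a provider that honours the endpoint override would do: POST the
    Query-API form to `endpoint` and return the AccessKeyId it gets back."""
    data = urlencode({"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
                      "RoleArn": role_arn, "RoleSessionName": session_name,
                      "WebIdentityToken": token}).encode()
    req = Request(endpoint, data=data,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        root = ET.fromstring(resp.read())
    return root.find(".//sts:AccessKeyId", {"sts": STS_NS}).text


if __name__ == "__main__":
    server, url = start_fake_sts()
    # Constructed environment mirroring the reproduction steps above.
    env = {"AWS_ENDPOINT_URL_STS": url,
           "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/example",
           "AWS_WEB_IDENTITY_TOKEN_FILE": "/tmp/token"}
    print("provider should call:", expected_sts_endpoint(env, "us-west-2"))
    print("fake STS returned key:",
          assume_role_with_web_identity(url, env["AWS_ROLE_ARN"], "hdr.payload.sig"))
    print("requests seen by fake STS:", FakeSts.seen)
    server.shutdown()
```

Run the script once to confirm the fake answers correctly, then export the three variables with AWS_ENDPOINT_URL_STS set to the printed loopback URL and run the SDK-based application; an empty `FakeSts.seen` (or a connection attempt to sts.us-west-2.amazonaws.com in a packet capture) reproduces the behaviour the issue describes.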