diff --git a/builtin/logical/aws/client.go b/builtin/logical/aws/client.go
index dd6a581966..802abb3d1d 100644
--- a/builtin/logical/aws/client.go
+++ b/builtin/logical/aws/client.go
@@ -48,6 +48,9 @@ func (b *backend) getRootConfig(ctx context.Context, s logical.Storage, clientTy
 endpoint = *aws.String(config.IAMEndpoint)
 case clientType == "sts" && config.STSEndpoint != "":
 endpoint = *aws.String(config.STSEndpoint)
+ if config.STSRegion != "" {
+ credsConfig.Region = config.STSRegion
+ }
 }
 
 if config.IdentityTokenAudience != "" {
diff --git a/builtin/logical/aws/path_config_root.go b/builtin/logical/aws/path_config_root.go
index 93fccc370e..741c8502d0 100644
--- a/builtin/logical/aws/path_config_root.go
+++ b/builtin/logical/aws/path_config_root.go
@@ -48,6 +48,10 @@ func pathConfigRoot(b *backend) *framework.Path {
 Type: framework.TypeString,
 Description: "Endpoint to custom STS server URL",
 },
+ "sts_region": {
+ Type: framework.TypeString,
+ Description: "Specific region for STS API calls.",
+ },
 "max_retries": {
 Type: framework.TypeInt,
 Default: aws.UseServiceDefaultRetries,
@@ -110,6 +114,7 @@ func (b *backend) pathConfigRootRead(ctx context.Context, req *logical.Request,
 "region": config.Region,
 "iam_endpoint": config.IAMEndpoint,
 "sts_endpoint": config.STSEndpoint,
+ "sts_region": config.STSRegion,
 "max_retries": config.MaxRetries,
 "username_template": config.UsernameTemplate,
 "role_arn": config.RoleARN,
@@ -125,6 +130,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
 region := data.Get("region").(string)
 iamendpoint := data.Get("iam_endpoint").(string)
 stsendpoint := data.Get("sts_endpoint").(string)
+ stsregion := data.Get("sts_region").(string)
 maxretries := data.Get("max_retries").(int)
 roleARN := data.Get("role_arn").(string)
 usernameTemplate := data.Get("username_template").(string)
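Review bot: The new `credsConfig.Region = config.STSRegion` assignment sits inside the `case clientType == "sts" && config.STSEndpoint != ""` branch, so an operator who sets `sts_region` without `sts_endpoint` gets the value stored and echoed back by `pathConfigRootRead` but never applied, and the field description added in the `pathConfigRoot` hunk ("Specific region for STS API calls.") does not say so. Because a region/endpoint mismatch only surfaces later as a SigV4 signature failure on the first STS call, I would make the coupling explicit at write time in the `pathConfigRootWrite` hunk, after `stsregion := data.Get("sts_region").(string)`: `if stsregion != "" && stsendpoint == "" { return logical.ErrorResponse("sts_region requires sts_endpoint to be set"), nil }`, and reword the description to `Description: "Region to use for STS API calls; only applied when sts_endpoint is also set."`. It is also worth confirming that `credsConfig` is not shared with the IAM client path later in `getRootConfig`, since the override changes the signing region for whatever is built from it afterwards; the function body continues outside this hunk.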
@@ -140,6 +146,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
 SecretKey: data.Get("secret_key").(string),
 IAMEndpoint: iamendpoint,
 STSEndpoint: stsendpoint,
+ STSRegion: stsregion,
 Region: region,
 MaxRetries: maxretries,
 UsernameTemplate: usernameTemplate,
@@ -193,6 +200,7 @@ type rootConfig struct {
 SecretKey string `json:"secret_key"`
 IAMEndpoint string `json:"iam_endpoint"`
 STSEndpoint string `json:"sts_endpoint"`
+ STSRegion string `json:"sts_region"`
 Region string `json:"region"`
 MaxRetries int `json:"max_retries"`
 UsernameTemplate string `json:"username_template"`
diff --git a/builtin/logical/aws/path_config_root_test.go b/builtin/logical/aws/path_config_root_test.go
index 783745ac0e..9c1ed0476f 100644
--- a/builtin/logical/aws/path_config_root_test.go
+++ b/builtin/logical/aws/path_config_root_test.go
@@ -30,6 +30,7 @@ func TestBackend_PathConfigRoot(t *testing.T) {
 "region": "us-west-2",
 "iam_endpoint": "https://iam.amazonaws.com",
 "sts_endpoint": "https://sts.us-west-2.amazonaws.com",
+ "sts_region": "",
 "max_retries": 10,
 "username_template": defaultUserNameTemplate,
 "role_arn": "",
diff --git a/changelog/22726.txt b/changelog/22726.txt
new file mode 100644
index 0000000000..7da05f7948
--- /dev/null
+++ b/changelog/22726.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: Add sts_region parameter to root config for STS API calls.
+```
\ No newline at end of file
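Review bot: The only test change in `TestBackend_PathConfigRoot` adds `"sts_region": ""`, which exercises the read-back of the zero value but not the feature itself; a non-empty value is never written and never asserted to round-trip through `rootConfig` and `pathConfigRootRead`. I would change that line to a real value, e.g. `"sts_region": "us-west-2",`, so the test pins the new `STSRegion` field in both the write hunk and the struct hunk above, and add a second case with `sts_region` set but `sts_endpoint` empty to document whatever behaviour is intended for that combination. The struct hunk leaves `STSRegion` undocumented like its neighbours, which matches the file's style, so no comment is needed there.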