secrets/aws: add sts_region parameter to root config (#22726)

* Set region parameter to be used for STS only on AWS secrets engine

* Add changelog

* Fix formatting

* region fix when not setting iam_endpoint or sts_endpoint

* Add 'sts_region' parameter for AWS secrets engine.

* Update TestBackend_PathConfigRoot for aws secrets

* Update changelog entry

---------

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

builtin/logical/aws/client.go

@@ -48,6 +48,9 @@ func (b *backend) getRootConfig(ctx context.Context, s logical.Storage, clientTy
 			endpoint = *aws.String(config.IAMEndpoint)
 		case clientType == "sts" && config.STSEndpoint != "":
 			endpoint = *aws.String(config.STSEndpoint)
+			if config.STSRegion != "" {
+				credsConfig.Region = config.STSRegion
+			}
 		}
 
 		if config.IdentityTokenAudience != "" {

builtin/logical/aws/path_config_root.go

@@ -48,6 +48,10 @@ func pathConfigRoot(b *backend) *framework.Path {
 				Type:        framework.TypeString,
 				Description: "Endpoint to custom STS server URL",
 			},
+			"sts_region": {
+				Type:        framework.TypeString,
+				Description: "Specific region for STS API calls.",
+			},
 			"max_retries": {
 				Type:        framework.TypeInt,
 				Default:     aws.UseServiceDefaultRetries,
@@ -110,6 +114,7 @@ func (b *backend) pathConfigRootRead(ctx context.Context, req *logical.Request,
 		"region":            config.Region,
 		"iam_endpoint":      config.IAMEndpoint,
 		"sts_endpoint":      config.STSEndpoint,
+		"sts_region":        config.STSRegion,
 		"max_retries":       config.MaxRetries,
 		"username_template": config.UsernameTemplate,
 		"role_arn":          config.RoleARN,
@@ -125,6 +130,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
 	region := data.Get("region").(string)
 	iamendpoint := data.Get("iam_endpoint").(string)
 	stsendpoint := data.Get("sts_endpoint").(string)
+	stsregion := data.Get("sts_region").(string)
 	maxretries := data.Get("max_retries").(int)
 	roleARN := data.Get("role_arn").(string)
 	usernameTemplate := data.Get("username_template").(string)
@@ -140,6 +146,7 @@ func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request,
 		SecretKey:        data.Get("secret_key").(string),
 		IAMEndpoint:      iamendpoint,
 		STSEndpoint:      stsendpoint,
+		STSRegion:        stsregion,
 		Region:           region,
 		MaxRetries:       maxretries,
 		UsernameTemplate: usernameTemplate,
@@ -193,6 +200,7 @@ type rootConfig struct {
 	SecretKey        string `json:"secret_key"`
 	IAMEndpoint      string `json:"iam_endpoint"`
 	STSEndpoint      string `json:"sts_endpoint"`
+	STSRegion        string `json:"sts_region"`
 	Region           string `json:"region"`
 	MaxRetries       int    `json:"max_retries"`
 	UsernameTemplate string `json:"username_template"`

builtin/logical/aws/path_config_root_test.go

@@ -30,6 +30,7 @@ func TestBackend_PathConfigRoot(t *testing.T) {
 		"region":                  "us-west-2",
 		"iam_endpoint":            "https://iam.amazonaws.com",
 		"sts_endpoint":            "https://sts.us-west-2.amazonaws.com",
+		"sts_region":              "",
 		"max_retries":             10,
 		"username_template":       defaultUserNameTemplate,
 		"role_arn":                "",

changelog/22726.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: Add sts_region parameter to root config for STS API calls.
+```