Add support for regional STS endpoints

2022-11-09 13:50:52 -05:00 · 2021-05-03 15:56:42 -04:00 · 2021-05-03 15:56:42 -04:00 · cbd3354777
commit cbd3354777
parent d58fbe6cdf
2 changed files with 26 additions and 3 deletions
--- a/lib/fog/aws/credential_fetcher.rb
+++ b/lib/fog/aws/credential_fetcher.rb
@ -13,8 +13,6 @@ module Fog

      CONTAINER_CREDENTIALS_HOST = "http://169.254.170.2"

-      STS_GLOBAL_ENDPOINT = "https://sts.amazonaws.com"
-
      module ServiceMethods
        def fetch_credentials(options)
          if options[:use_iam_profile] && Fog.mocking?
@ -44,7 +42,14 @@ module Fog
                  :WebIdentityToken => File.read(options[:aws_web_identity_token_file] || ENV.fetch("AWS_WEB_IDENTITY_TOKEN_FILE")),
                  :Version => "2011-06-15",
                }
-                connection = options[:connection] || Excon.new(STS_GLOBAL_ENDPOINT, :query => params)
+
+                if ENV["AWS_STS_REGIONAL_ENDPOINTS"] == "regional" && ENV["AWS_DEFAULT_REGION"]
+                  STS_ENDPOINT = "https://sts.#{ENV['AWS_DEFAULT_REGION']}.amazonaws.com"
+                else
+                  STS_ENDPOINT = "https://sts.amazonaws.com"
+                end
+
+                connection = options[:connection] || Excon.new(STS_ENDPOINT, :query => params)
                document = Nokogiri::XML(connection.get(:idempotent => true, :expects => 200).body)

                session = {
--- a/tests/credentials_tests.rb
+++ b/tests/credentials_tests.rb
@ -83,6 +83,7 @@ Shindo.tests('AWS | credentials', ['aws']) do
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
+        STS_ENDPOINT: "https://sts.amazonaws.com"
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end
@ -95,10 +96,27 @@ Shindo.tests('AWS | credentials', ['aws']) do
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
+        STS_ENDPOINT: "https://sts.amazonaws.com"
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

+    ENV["AWS_STS_REGIONAL_ENDPOINTS"] = "regional"
+    ENV["AWS_REGION"] = "us-west-1"
+
+    tests('#fetch_credentials with regional sts endpoint') do
+      returns(
+        aws_access_key_id: 'dummykey',
+        aws_secret_access_key: 'dummysecret',
+        aws_session_token: 'dummytoken',
+        region: 'us-west-1',
+        STS_ENDPOINT: "https://sts.us-west-1.amazonaws.com"
+        aws_credentials_expire_at: expires_at
+      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
+    end
+
+    ENV["AWS_STS_REGIONAL_ENDPOINTS"] = nil
+    ENV["AWS_REGION"] = nil
    ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil

    compute = Fog::AWS::Compute.new(use_iam_profile: true)