AWS IAM Authentication should provide a way to sign request for the global STS endpoint (eu-east-1)

[Amuerte]

Since v3.0.x, the AwsIamAuthentication is using the AWS region computed by software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain, especially to sign the headers for the AWS v4 API, which is a good point.

But in some cases, the Vault instance which is making the proxy call to AWS, is configured to use the global STS endpoint (on us-east-1), which is the default behavior. And for security reasons, Vault is not using the iam_request_url parameter.

As a consequence, you end up with an application deployed in a region A and a Vault instance using the global STS endpoint, without no easy way to use the spring-vault client to login.

Therefore, I think we should provide a way to sign request for the global STS endpoint (eu-east-1) by offering a dedicated option and
I will be glad to help on that.

[mp911de]

I'm not too familiar with the AWS API nor the SDK, we would be happy if you would submit a pull request so we can discuss the actual change and make it work in the context of Spring Vault.

[Amuerte]

Changes done in PR #763

[Amuerte]

Hi @mp911de 👋

Any chances to see this shipped with release 3.0.2 ?

[mp911de]

Looking at the PR, we already provide a way to set the AWS region. Having a method named useGlobalRegion that sets the region doesn't make sense as the region can be set already.

[Amuerte]

You are totally right on that point. By digging further, it appears we are blocked because of the use of spring-cloud-vault that does not provide a way to set the region. I will create an issue and a PR there. Thanks for you time.