bugfix: sts credential provider endpoint mode (#3198)

Author: stobrien89

.changes/nextrelease/sts-providers.json

@@ -0,0 +1,7 @@
+[
+  {
+    "type": "bugfix",
+    "category": "Credentials",
+    "description": "Fixes condition where certain STS credential providers call the regional `us-east-1` endpoint by default."
+  }
+]

src/Credentials/AssumeRoleWithWebIdentityCredentialProvider.php

@@ -36,6 +36,7 @@ class AssumeRoleWithWebIdentityCredentialProvider
 
     /** @var integer */
     private $tokenFileReadAttempts;
+
     /** @var string */
     private $source;
 
@@ -72,14 +73,17 @@ public function __construct(array $config = [])
         $this->tokenFileReadAttempts = 0;
         $this->session = $config['SessionName']
             ?? 'aws-sdk-php-' . round(microtime(true) * 1000);
-        $region = $config['region'] ?? 'us-east-1';
+        $region = $config['region'] ?? null;
         if (isset($config['client'])) {
             $this->client = $config['client'];
         } else {
             $this->client = new StsClient([
                 'credentials' => false,
-                'region' => $region,
-                'version' => 'latest'
+                'region' => $region ?? 'us-east-1',
+                'version' => 'latest',
+                'sts_regional_endpoints' => $region
+                    ? 'regional'
+                    : 'legacy'
             ]);
         }
 

src/Credentials/CredentialProvider.php

@@ -708,9 +708,7 @@ private static function loadRoleProfile(
         }
 
         if (empty($stsClient)) {
-            $sourceRegion = isset($profiles[$sourceProfileName]['region'])
-                ? $profiles[$sourceProfileName]['region']
-                : 'us-east-1';
+            $sourceRegion = $profiles[$sourceProfileName]['region'] ?? null;
             $config['preferStaticCredentials'] = true;
             $sourceCredentials = null;
             if (!empty($roleProfile['source_profile'])){
@@ -725,8 +723,11 @@ private static function loadRoleProfile(
             }
             $stsClient = new StsClient([
                 'credentials' => $sourceCredentials,
-                'region' => $sourceRegion,
+                'region' => $sourceRegion ?? 'us-east-1',
                 'version' => '2011-06-15',
+                'sts_regional_endpoints' => $sourceRegion
+                    ? 'regional'
+                    : 'legacy'
             ]);
         }
 

tests/Credentials/AssumeRoleWithWebIdentityCredentialProviderTest.php

@@ -6,6 +6,7 @@
 use Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider;
 use Aws\Credentials\Credentials;
 use Aws\Exception\AwsException;
+use Aws\Middleware;
 use Aws\Result;
 use Aws\Sts\StsClient;
 use Aws\Sts\Exception\StsException;
@@ -396,4 +397,85 @@ public function testCanDisableInvalidIdentityTokenRetries()
             unlink($tokenPath);
         }
     }
+
+    /**
+     * @dataProvider endpointConfigurationProvider
+     */
+    public function testEndpointConfigurationBasedOnRegion(
+        ?string $region,
+        string $expectedEndpoint,
+        string $description
+    ): void
+    {
+        $tokenFile = tempnam(sys_get_temp_dir(), 'token');
+        file_put_contents($tokenFile, 'test-token-content');
+
+        $config = [
+            'RoleArn' => self::SAMPLE_ROLE_ARN,
+            'WebIdentityTokenFile' => $tokenFile,
+        ];
+
+        if ($region !== null) {
+            $config['region'] = $region;
+        }
+
+
+        $provider = new AssumeRoleWithWebIdentityCredentialProvider($config);
+        $reflection = new \ReflectionClass($provider);
+        $clientProperty = $reflection->getProperty('client');
+        $stsClient = $clientProperty->getValue($provider);
+
+        $capturedEndpoint = null;
+        $stsClient->getHandlerList()->appendBuild(
+            Middleware::tap(
+                function ($cmd, $req) use (&$capturedEndpoint) {
+                    $capturedEndpoint = (string) $req->getUri();
+                }
+            )
+        );
+
+        $stsClient->getHandlerList()->setHandler(
+            function ($c, $r) {
+                $result = [
+                    'Credentials' => [
+                        'AccessKeyId'     => 'foo',
+                        'SecretAccessKey' => 'bar',
+                        'SessionToken'    => 'baz',
+                        'Expiration'      => DateTimeResult::fromEpoch(time() + 10)
+                    ],
+                    'AssumedRoleUser' => [
+                        'AssumedRoleId' => 'ARXXXXXXXXXXXXXXXXXXX:test_session',
+                        'Arn' => self::SAMPLE_ROLE_ARN . "/test_session"
+                    ]
+                ];
+                return Promise\Create::promiseFor(new Result($result));
+            }
+        );
+
+        $provider()->wait();
+
+        $this->assertEquals(
+            $expectedEndpoint,
+            $capturedEndpoint,
+            "Failed asserting endpoint for: {$description}"
+        );
+
+        unlink($tokenFile);
+    }
+
+    public function endpointConfigurationProvider(): array
+    {
+        return [
+            'explicit us-east-1 uses regional endpoint' => [
+                'region' => 'us-east-1',
+                'expectedEndpoint' => 'https://sts.us-east-1.amazonaws.com/',
+                'description' => 'explicit us-east-1'
+            ],
+            'no region defaults to us-east-1 with global endpoint' => [
+                'region' => null,
+                'expectedEndpoint' => 'https://sts.amazonaws.com/',
+                'description' => 'default region'
+            ]
+        ];
+    }
 }