Assume Role With Web Identity doesn't respect region

[liorpsweetsecurity]

Describe the bug

Running aws sts assume-role-with-web-identity --role-arn ${ROLE_ARN} --web-identity-token ${ACCESS_TOKEN}--role-session-name${SESSION_NAME} --region us-east-2 seems to send to us-east-1.

Expected Behavior

I expect to see corresponding events in the cloudtrail associated with us-east-2.

Current Behavior

I see AssumeRoleWithWebIdentity events under us-east-1 cloud trail.

Reproduction Steps

Run aws sts assume-role-with-web-identity --role-arn ${ROLE_ARN} --web-identity-token ${ACCESS_TOKEN}--role-session-name${SESSION_NAME} --region us-east-2.
Check cloudtrail logs.
It seems to be in us-east-1, regardless of the region parameter.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/1.18.69 Python/3.8.10 Linux/5.15.0-1064-azure botocore/1.16.19

Environment details (OS name and version, etc.)

NAME="Ubuntu" VERSION="20.04.6 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.6 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal

[arianvp]

I think this is expected behaviour. IAM will always reach out to the global sts.amazonaws.com (which is in us-east-1). The region parameter is for API operations after IAM auth has completed.

Instead you have to specify the endpoint URL I think? There's a similar issue with some more context / solutions here: #4370

[arianvp]

apparently

export AWS_STS_REGIONAL_ENDPOINTS=regional

is what you need according to that issue.

[tim-finnigan]

Thanks for reaching out. What @arianvp mentioned above is correct, and here is the documentation for that environment variable: https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

Noted in the documentation is the following:

All new SDK major versions releasing after July 2022 will default to regional. New SDK major versions might remove this setting and use regional behavior. To reduce future impact regarding this change, we recommend you start using regional in your application when possible.

Currently it would be a breaking change for users who expect and rely on the current behavior. But this is something that can be addressed in the next major version of boto3, similar to how it was introduced in CLI v2 as noted here.

I'll also note that 1.18.69 is an extremely old version. The latest v1 version is 1.33.1. Also we highly recommend migrating to v2 if possible.

Converting this to a Q&A discussion as it is the expected behavior and not a bug.