STSClient does not use environment variable for region controls

[nbbeeken]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

When invoking fromNodeProviderChain using IAM AssumeRoleWithWebIdentity I expect environment variables AWS_REGION / AWS_DEFAULT_REGION / AWS_STS_REGIONAL_ENDPOINTS to control the region that the STSClient uses to send the http request. However, it can be observed that the request is always routed to us-east-1 unless the region is programmatically set.

Documentation References:

• https://docs.aws.amazon.com/sdkref/latest/guide/feature-region.html
• https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

SDK version number

@aws-sdk/credential-providers@3.391.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.2.0

Reproduction Steps

Running the fromNodeProviderChain function with http debugging turned on, like so:

node="$(which node)"
env -i \
  NODE_DEBUG="http" \
  AWS_WEB_IDENTITY_TOKEN_FILE="..path../web_token_file" \
  AWS_ROLE_ARN="arn:aws:iam::xxxxxxxxxxxx:role/xxx" \
  AWS_STS_REGIONAL_ENDPOINTS="regional" \
  AWS_REGION="us-west-2" \
  $node -e \
  "require('@aws-sdk/credential-providers').fromNodeProviderChain()().then(() => console.log('success'), e => console.log('error', e))"

Observed Behavior

Logs

HTTP 30987: createConnection sts.us-east-1.amazonaws.com:443

to the terminal, indicating the region variable and the sts_regional_endpoints are not having the desired effect.

Expected Behavior

The AWS_REGION variable along with the AWS_STS_REGIONAL_ENDPOINTS setting should have made the API call contact sts.us-west-2.amazonaws.com:443

Possible Solution

No response

Additional Information/Context

No response

[yenfryherrerafeliz]

Hi @nbbeeken, I can confirm that the default STS client, used internally to resolve credentials with web identity token, does not consider the AWS_DEFAULT_REGION variable to populate the region, instead it considers just either a region passed as parameter or the default one which is us-east-1. This can be confirmed in the following implementation here. However, I need to discuss with the team regarding if this is the expected behavior or not. As workaround, you have the option to explicitly provide the region you want the STS client to use, as follow:

import {ListBucketsCommand, S3Client} from "@aws-sdk/client-s3";
import {fromNodeProviderChain} from "@aws-sdk/credential-providers";

const credProvider = fromNodeProviderChain({
    clientConfig: {
        region: "YOUR-DESIRED-STS-REGION"
    }
});
const client = new S3Client({
    region: "us-east-2",
    credentials: credProvider
})
const response = await client.send(new ListBucketsCommand({}));

console.log(response)

Please let me know if that helps!

Thanks!

[nbbeeken]

Thank you for looking into this @yenfryherrerafeliz! As a library author providing direct control over these options means adding more knobs to our public API (ex. a pass-through object for users to provide their own options). It would be nice to avoid the need for bespoke controls like this when the docs point to these environment variables as the proper controls.

Thanks for the code sample, good to know I am on the right track with the workaround! You can see mongodb/node-mongodb-native#3831 we have translated the environment variables to options in the MongoDB driver since we need this to apply to existing versions of the SDK.

[gabegorelick]

This is definitely surprising behavior. At the very least, this needs to be documented. From what I can tell, it's not documented anywhere.

[swcm-mnestler]

I would go a step further and say that this is documented as "supported", and the fact that it does not work is a bug. Please at least update the documentation to reflect the actual behavior