Sessions: Use STS regional endpoint in assume role for opt-in regions #129
A bug was reported in CloudWatch when requesting resources and querying data for opt-in regions when the account is assuming a role. These endpoints return the error `InvalidClientTokenId: The security token included in the request is invalid`.
Opt-in regions are regions in AWS that have to be manually enabled in an AWS account.
When requesting tokens with Amazon STS, as we do when assuming a role, we have to pass the `STSRegionalEndpoint` field with the value `regional` so that the returned tokens can be used in opt-in regions. Otherwise the global endpoint is used, which returns tokens that don't work with opt-in regions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html). As of aws-sdk-go-v2, the STS service uses regional endpoints by default, so this shouldn't be high impact. The best practices outlined in the docs above for v1 also suggest using regional STS endpoints.
So far, we've suggested users set the `AWS_STS_REGIONAL_ENDPOINTS=regional` option in their env vars, which aws/aws-sdk would read. However, this isn't possible for hosted Grafana instances.

Fixes https://github.com/grafana/support-escalations/issues/9155
To test this, you can use the assume-role (same account) datasource from plugin provisioning and query the region eu-south-1 (an opt-in region that was manually enabled in the account). You should get "invalid token" before the fix; after it, query and resource requests return empty data and no errors.