WIP try explicitly enabling regional STS endpoints

upup/pkg/fi/cloudup/awsup/aws_authenticator.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"k8s.io/kops/upup/pkg/fi"
@@ -57,7 +58,10 @@ func RegionFromMetadata(ctx context.Context) (string, error) {
 }
 
 func NewAWSAuthenticator(region string) (fi.Authenticator, error) {
-	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true).WithRegion(region)
+	config := aws.NewConfig().
+		WithCredentialsChainVerboseErrors(true).
+		WithRegion(region).
+		WithSTSRegionalEndpoint(endpoints.RegionalSTSEndpoint)
 	sess, err := session.NewSession(config)
 	if err != nil {
 		return nil, err

upup/pkg/fi/cloudup/awsup/aws_verifier.go

@@ -32,6 +32,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/endpoints"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/sts"
@@ -60,7 +61,10 @@ type awsVerifier struct {
 var _ fi.Verifier = &awsVerifier{}
 
 func NewAWSVerifier(opt *AWSVerifierOptions) (fi.Verifier, error) {
-	config := aws.NewConfig().WithCredentialsChainVerboseErrors(true).WithRegion(opt.Region)
+	config := aws.NewConfig().
+		WithCredentialsChainVerboseErrors(true).
+		WithRegion(opt.Region).
+		WithSTSRegionalEndpoint(endpoints.RegionalSTSEndpoint)
 	sess, err := session.NewSession(config)
 	if err != nil {
 		return nil, err