fix: Fixes STS region resolution when using cross-region authentication #3718
Conversation
maastha
changed the title
|
APIx bot: a message has been sent to Docs Slack channel |
There was a problem hiding this comment.
Pull Request Overview
This PR fixes STS region resolution when using cross-region authentication in the MongoDB Atlas Terraform provider. The fix addresses an issue where the provider wasn't correctly handling STS endpoint configuration when AWS credentials are in one region but the STS endpoint is in another region.
- Refactors STS endpoint resolution logic to properly derive signing regions from endpoint URLs
- Adds utility functions for parsing STS endpoints and resolving regional configurations
- Introduces comprehensive test coverage for cross-region authentication scenarios
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/provider/credentials.go | Implements new STS endpoint resolution logic with proper region parsing |
| internal/provider/credentials_test.go | Adds comprehensive test coverage for STS endpoint resolution functions |
| .github/workflows/acceptance-tests-runner.yml | Updates CI to test cross-region authentication scenarios with matrix strategy |
| .changelog/3718.txt | Adds changelog entry documenting the bug fix |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
will hold off on merging this until we hear back from the customer |
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| # Same region |
There was a problem hiding this comment.
nit: the name makes it clear, no need for the comments
There was a problem hiding this comment.
made the comment more clear and specific in 06a0b97. I think it's useful
| # Cross-region | ||
| - name: cross-sts-us-east-1-secret-eu-north-1 | ||
| aws_region: EU_NORTH_1 | ||
| sts_endpoint: https://sts.us-east-1.amazonaws.com/ |
There was a problem hiding this comment.
although the test group list is "polluted" instead of having only one entry for assume_role, i think it's good use case for matrix.
also we'll need to merge with changes in SA dev branch, we might need to remove the matrix approach if we want to keep all authentication tests together, but that's ok. cc @oarbusi
no need for action about this comment.
|
|
||
| return endpoints.ResolvedEndpoint{ | ||
| URL: ep, | ||
| SigningRegion: signingRegion, |
There was a problem hiding this comment.
do you mind to check if SigningRegion is really needed or URL is enough so we don't need to calculate the sts region?
There was a problem hiding this comment.
+1, can we actually check how AWS does it?
There was a problem hiding this comment.
Yes, SigningRegion is needed. URL alone isn’t sufficient.
-
The AWS signer uses the client’s region when SigningRegion is not set. In this case, the client region is the Secrets Manager region, which may not match the STS endpoint’s region.
-
For the global endpoint sts.amazonaws.com, requests must be signed with us-east-1; without setting SigningRegion, signatures will be computed with the client region and can fail.
-
For regional STS endpoints, the signature must match that region as well.
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: |
| if err != nil { | ||
| return DefaultRegionSTS | ||
| } | ||
| host := u.Hostname() // valid values: sts.us-west-2.amazonaws.com or sts.amazonaws.com |
There was a problem hiding this comment.
This removes the port if provided, correct? Not sure if needed.
There was a problem hiding this comment.
exactly, "Hostname returns u.Host, stripping any valid port number if present.". It's not strictly necessary but with it we make sure at this point we have either sts.us-west-2.amazonaws.com or sts.amazonaws.com
| ep = fmt.Sprintf("https://sts.%s.amazonaws.com/", r) | ||
| } | ||
|
|
||
| signingRegion := DeriveSTSRegionFromEndpoint(ep) |
There was a problem hiding this comment.
If the endpoint is "", no need to derive the region since we know it already.
There was a problem hiding this comment.
if endpoint is "" the region can be secretsRegion or default region. I think we can keep this as is to avoid having repeated logic(e.g. if r == ""). WDYT?
There was a problem hiding this comment.
I was thinking something along the lines of:
ep := stsEndpoint
var signingRegion string
if ep == "" {
signingRegion = secretsRegion
if signingRegion == "" {
signingRegion = DefaultRegionSTS
}
ep = fmt.Sprintf("https://sts.%s.amazonaws.com/", signingRegion)
} else {
signingRegion = DeriveSTSRegionFromEndpoint(ep)
}But ok either way
| @@ -0,0 +1,3 @@ | |||
| ```release-note:bug | |||
| provider: Fixes STS region resolution when using cross-region authentication | |||
There was a problem hiding this comment.
I think that it'd have been better to create an associated cloudp ticket
| @@ -0,0 +1,3 @@ | |||
| ```release-note:bug | |||
| provider: Fixes STS region resolution when using cross-region authentication | |||
| include: | ||
| # Same region | ||
| - name: same-region-us-east-1 | ||
| aws_region: US_EAST_1 |
There was a problem hiding this comment.
nit: could we lease a comment to explain what this aws_region is used for?
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: |
|
|
||
| return endpoints.ResolvedEndpoint{ | ||
| URL: ep, | ||
| SigningRegion: signingRegion, |
There was a problem hiding this comment.
+1, can we actually check how AWS does it?
| sess := session.Must(session.NewSession(&aws.Config{ | ||
| Region: aws.String(region), | ||
| Credentials: credentials.NewStaticCredentials(awsAccessKeyID, awsSecretAccessKey, awsSessionToken), | ||
| STSRegionalEndpoint: ep, |
There was a problem hiding this comment.
curious why we don't need this/
| return *cfg, nil | ||
| } | ||
|
|
||
| func DeriveSTSRegionFromEndpoint(ep string) string { |
There was a problem hiding this comment.
any chance we could easily unit test this?
There was a problem hiding this comment.
sweet, you've done it- ignore me
…on (#3718) * update provider to infer region from sts_endpoint * changelog * fmt * nit * nit * fmt * unit tests * test * nit * nit * nit * improve clarity of comment * use asserts in unit test * use const instead of magic number --------- Co-authored-by: Oriol Arbusi Abadal <oriol.abadal@mongodb.com>
… authentication (#3718)" (#3731) * fix: Fixes STS region resolution when using cross-region authentication (#3718) * update provider to infer region from sts_endpoint * changelog * fmt * nit * nit * fmt * unit tests * test * nit * nit * nit * improve clarity of comment * use asserts in unit test * use const instead of magic number --------- Co-authored-by: Oriol Arbusi Abadal <oriol.abadal@mongodb.com> * rename changelog file --------- Co-authored-by: maastha <122359335+maastha@users.noreply.github.com>
Description
Fixes STS region resolution when using cross-region authentication in the MongoDB Atlas Terraform provider. The fix addresses an issue where the provider wasn't correctly handling STS endpoint configuration when AWS credentials are in one region but the STS endpoint is in another region.
Link to any related issue(s): CLOUDP-347906
Type of change:
Required Checklist:
Further comments