
AWS KMS fails to use STS when endpoint is provided #1175

Open
ChevronTango opened this issue May 21, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@ChevronTango

Description

When a user specifies an endpoint as part of their KMS config, e.g. `awskms://[endpoint]/[arn]`, then this only works if the client does not also have to call STS as well, such as when making an `AssumeRoleWithWebIdentity` call used by clients within a Kubernetes cluster. STS has a different endpoint to KMS, but https://github.com/sigstore/sigstore/blob/main/pkg/signature/kms/aws/client.go specifies a single endpoint override for all calls, meaning STS fails with an unknown command response as it tries to send the STS action to the KMS endpoint the user specified in their config string. If STS is being used, its endpoint shouldn't be overwritten by the same mechanism that overwrites the endpoint for KMS.

Version

fulcio helm
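A dependency-free Go sketch of the service-scoped override this issue asks for, added here as an example and not code from sigstore: it parses the `awskms://[endpoint]/[arn]` reference and contrasts a global override (applied to every service, so STS traffic goes to the KMS host) with one that applies to KMS only. The optional endpoint part, the `https://` prefix and the `<service>.<region>.amazonaws.com` default pattern are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KMSRef is a parsed awskms://[endpoint]/[key id, alias or ARN] reference.
// The endpoint part is optional (assumption), so awskms:///arn:... is valid.
type KMSRef struct {
	Endpoint string // host[:port] override, "" when absent
	KeyID    string
}

// ParseKMSRef splits a reference into its optional endpoint override and key id.
func ParseKMSRef(ref string) (KMSRef, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return KMSRef{}, err
	}
	if u.Scheme != "awskms" {
		return KMSRef{}, fmt.Errorf("unexpected scheme %q", u.Scheme)
	}
	key := strings.TrimPrefix(u.Path, "/")
	if key == "" {
		return KMSRef{}, fmt.Errorf("missing key id in %q", ref)
	}
	return KMSRef{Endpoint: u.Host, KeyID: key}, nil
}

// Resolver returns the URL to call for an AWS service ID ("KMS", "STS") in a region.
type Resolver func(service, region string) string
// defaultEndpoint builds the regional endpoint (constructed pattern, not the SDK's table).
func defaultEndpoint(service, region string) string {
	return fmt.Sprintf("https://%s.%s.amazonaws.com", strings.ToLower(service), region)
}

// NewResolver builds a resolver. With kmsOnly=false it reproduces the bug above: one
// override for every service, so STS's AssumeRoleWithWebIdentity is sent to the KMS
// host. With kmsOnly=true only KMS is redirected and STS keeps its default endpoint.
func NewResolver(override string, kmsOnly bool) Resolver {
	return func(service, region string) string {
		if override != "" && (!kmsOnly || service == "KMS") {
			return "https://" + override
		}
		return defaultEndpoint(service, region)
	}
}
```

With aws-sdk-go-v2 the same effect comes from setting the endpoint on the KMS client's options alone rather than on the shared `aws.Config`, so the STS credential provider keeps the SDK's default resolution.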
