When a user specifies an endpoint as part of their KMS config, e.g. `awskms://[endpoint]/[arn]`, then this only works if the client does not also have to call STS as well, such as when making an `AssumeRoleWithWebIdentity` call used by clients within a Kubernetes cluster. STS has a different endpoint to KMS, but https://github.com/sigstore/sigstore/blob/main/pkg/signature/kms/aws/client.go specifies a single endpoint override for all calls, meaning STS fails with an unknown command response as it tries to send the STS action to the KMS endpoint the user specified in their config string. If STS is being used, its endpoint shouldn't be overwritten by the same mechanism that overwrites the endpoint for KMS.
Version
fulcio helm