saml2aws CLI fails to call AWS APIs in opt-in regions #1313
Comments
Thank you for raising this issue. A few questions on this.
Quite possible, though I haven't had the time yet to look deeper into the code to give a definite answer. We are calling STS to obtain the credentials and it could be calling from global STS since it could be ignoring the env variables.
Thank you for your response.
Based on these tests, it appears that
Hello,

I am encountering an issue when using the saml2aws CLI tool to call AWS APIs in the opt-in regions il-central-1 (Tel Aviv) or ap-southeast-4 (Melbourne). The error message received is:

Steps to Reproduce:
1. Install saml2aws as per the instructions on the GitHub page.
2. Run saml2aws login --force to generate new credentials.
3. Use the il-central-1 or ap-southeast-4 region.
4. Call an AWS API using aws sts get-caller-identity.

Expected Behavior:
The saml2aws CLI tool should be able to call AWS APIs in the il-central-1 or ap-southeast-4 regions (or another opt-in region) using regional STS endpoints without any errors.

Actual Behavior
The tool fails with the error:

No AssumeRoleWithSAML events are logged in CloudTrail for the il-central-1 or ap-southeast-4 regions, indicating that the STS endpoints (sts.il-central-1.amazonaws.com or sts.ap-southeast-4.amazonaws.com) are not being reached. However, calling AWS APIs using the AWS CLI with an IAM role from an EC2 instance in the same regions works correctly with no issues.

Environment

Additional Information
I have confirmed that the configuration is correct as per the GitHub instructions. Using saml2aws works in default regions like us-east-1 or eu-west-1, but fails in the opt-in regions like il-central-1 and ap-southeast-4. The same environment variables and credentials work with the AWS CLI in these regions.

Support Case Details
I have opened a support case with AWS Premium Support. The support engineer suggested that this might be an issue with the saml2aws tool itself, as it seems to be configured to use Global STS endpoints despite the environment variables being set to use regional endpoints.

Request
Could you please investigate this issue and provide a fix or workaround to allow saml2aws to work with regional STS endpoints in opt-in regions like il-central-1 and ap-southeast-4?

Thank you for your assistance!
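The CloudTrail check the report relies on, as an added example (not code from saml2aws or the issue author): count AssumeRoleWithSAML events per awsRegion to see whether the SAML login reached a regional STS endpoint or the global one. The CloudTrail records are constructed samples; the event fields are the standard ones, and CloudTrail records calls to the global endpoint sts.amazonaws.com under us-east-1.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cloudTrailEvent keeps the fields that show which STS endpoint a call hit;
// CloudTrail records calls to the global endpoint sts.amazonaws.com under us-east-1.
type cloudTrailEvent struct {
	EventSource string `json:"eventSource"`
	EventName   string `json:"eventName"`
	AwsRegion   string `json:"awsRegion"`
}

// Constructed sample records, not real CloudTrail output.
const sampleEvents = `[
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","awsRegion":"us-east-1"},
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","awsRegion":"us-east-1"},
 {"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","awsRegion":"il-central-1"},
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithSAML","awsRegion":"eu-west-1"}
]`

// SAMLAssumptionsByRegion counts AssumeRoleWithSAML events per awsRegion,
// which tells you whether the regional endpoint or the global one was used.
func SAMLAssumptionsByRegion(raw string) (map[string]int, error) {
	var events []cloudTrailEvent
	if err := json.Unmarshal([]byte(raw), &events); err != nil {
		return nil, err
	}
	counts := map[string]int{}
	for _, e := range events {
		if e.EventSource == "sts.amazonaws.com" && e.EventName == "AssumeRoleWithSAML" {
			counts[e.AwsRegion]++
		}
	}
	return counts, nil
}

func main() {
	counts, err := SAMLAssumptionsByRegion(sampleEvents)
	if err != nil {
		panic(err)
	}
	// No entry for il-central-1 while us-east-1 is non-zero is the symptom
	// described in the issue: the SAML login went to the global endpoint.
	fmt.Println("AssumeRoleWithSAML by region:", counts)
	// prints: AssumeRoleWithSAML by region: map[eu-west-1:1 us-east-1:2]
}
```

Run it against a CloudTrail lookup export (or Athena query output) for the time window of the saml2aws login to confirm which region logged the assumption.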