fix(credential-providers): use modified region resolver for inner STS clients

Author: kuhe

clients/client-sts/src/defaultStsRoleAssumers.ts

@@ -2,6 +2,7 @@
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
 import { setCredentialFeature } from "@aws-sdk/core/client";
+import { stsRegionDefaultResolver } from "@aws-sdk/region-config-resolver";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -28,8 +29,6 @@ export type RoleAssumer = (
   params: AssumeRoleCommandInput
 ) => Promise<AwsCredentialIdentity>;
 
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
 interface AssumedRoleUser {
   /**
    * The ARN of the temporary security credentials that are returned from the AssumeRole action.
@@ -63,19 +62,21 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 const resolveRegion = async (
   _region: string | Provider<string> | undefined,
   _parentRegion: string | Provider<string> | undefined,
-  credentialProviderLogger?: Logger
+  credentialProviderLogger?: Logger,
+  loaderConfig: Parameters<typeof stsRegionDefaultResolver>[0] = {}
 ): Promise<string> => {
   const region: string | undefined = typeof _region === "function" ? await _region() : _region;
   const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+  const stsDefaultRegion = await stsRegionDefaultResolver(loaderConfig)();
 
   credentialProviderLogger?.debug?.(
     "@aws-sdk/client-sts::resolveRegion",
     "accepting first of:",
-    `${region} (provider)`,
-    `${parentRegion} (parent client)`,
-    `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
+    `${region} (credential provider clientConfig)`,
+    `${parentRegion} (contextual client)`,
+    `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`
   );
-  return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+  return region ?? parentRegion ?? stsDefaultRegion;
 };
 
 /**
@@ -101,7 +102,11 @@ export const getDefaultRoleAssumer = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 
@@ -164,7 +169,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 

codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts

@@ -1,4 +1,5 @@
 import { setCredentialFeature } from "@aws-sdk/core/client";
+import { stsRegionDefaultResolver } from "@aws-sdk/region-config-resolver";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -25,8 +26,6 @@ export type RoleAssumer = (
   params: AssumeRoleCommandInput
 ) => Promise<AwsCredentialIdentity>;
 
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
 interface AssumedRoleUser {
   /**
    * The ARN of the temporary security credentials that are returned from the AssumeRole action.
@@ -60,19 +59,21 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 const resolveRegion = async (
   _region: string | Provider<string> | undefined,
   _parentRegion: string | Provider<string> | undefined,
-  credentialProviderLogger?: Logger
+  credentialProviderLogger?: Logger,
+  loaderConfig: Parameters<typeof stsRegionDefaultResolver>[0] = {}
 ): Promise<string> => {
   const region: string | undefined = typeof _region === "function" ? await _region() : _region;
   const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+  const stsDefaultRegion = await stsRegionDefaultResolver(loaderConfig)();
 
   credentialProviderLogger?.debug?.(
     "@aws-sdk/client-sts::resolveRegion",
     "accepting first of:",
-    `${region} (provider)`,
-    `${parentRegion} (parent client)`,
-    `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
+    `${region} (credential provider clientConfig)`,
+    `${parentRegion} (contextual client)`,
+    `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`
   );
-  return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+  return region ?? parentRegion ?? stsDefaultRegion;
 };
 
 /**
@@ -98,7 +99,11 @@ export const getDefaultRoleAssumer = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 
@@ -161,7 +166,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 

packages/credential-provider-node/tests/credential-provider-node.integ.spec.ts

@@ -1492,5 +1492,120 @@ describe("credential-provider-node integration test", () => {
       expect(logger.debug).toHaveBeenCalled();
       expect(logger.info).toHaveBeenCalled();
     });
+
+    describe("uses a variant of the default region resolution where us-east-1 is the last resort", async () => {
+      it("no env or profile region", async () => {
+        delete process.env.AWS_REGION;
+        setIniProfileData({
+          assume: {
+            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+          },
+          default: {
+            role_arn: "ROLE_ARN",
+            role_session_name: "ROLE_SESSION_NAME",
+            source_profile: "assume",
+          },
+        });
+
+        const provider = defaultProvider({});
+        const credentials = await provider();
+        expect(credentials).toEqual({
+          accessKeyId: "STS_AR_ACCESS_KEY_ID",
+          expiration: new Date(`3000-01-01T00:00:00.000Z`),
+          secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+          sessionToken: "STS_AR_SESSION_TOKEN_us-east-1",
+          $source: {
+            CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
+            CREDENTIALS_STS_ASSUME_ROLE: "i",
+          },
+        });
+      });
+
+      it("env region", async () => {
+        process.env.AWS_REGION = "eu-north-1";
+        setIniProfileData({
+          assume: {
+            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+          },
+          default: {
+            role_arn: "ROLE_ARN",
+            role_session_name: "ROLE_SESSION_NAME",
+            source_profile: "assume",
+          },
+        });
+
+        const provider = defaultProvider({});
+        const credentials = await provider();
+        expect(credentials).toEqual({
+          accessKeyId: "STS_AR_ACCESS_KEY_ID",
+          expiration: new Date(`3000-01-01T00:00:00.000Z`),
+          secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+          sessionToken: "STS_AR_SESSION_TOKEN_eu-north-1",
+          $source: {
+            CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
+            CREDENTIALS_STS_ASSUME_ROLE: "i",
+          },
+        });
+      });
+
+      it("profile region", async () => {
+        setIniProfileData({
+          assume: {
+            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+          },
+          default: {
+            region: "us-west-2",
+            role_arn: "ROLE_ARN",
+            role_session_name: "ROLE_SESSION_NAME",
+            source_profile: "assume",
+          },
+        });
+
+        const provider = defaultProvider({});
+        const credentials = await provider();
+        expect(credentials).toEqual({
+          accessKeyId: "STS_AR_ACCESS_KEY_ID",
+          expiration: new Date(`3000-01-01T00:00:00.000Z`),
+          secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+          sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
+          $source: {
+            CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
+            CREDENTIALS_STS_ASSUME_ROLE: "i",
+          },
+        });
+      });
+
+      it("profile and env region conflict, it uses config region because credentials are fromIni", async () => {
+        process.env.AWS_REGION = "eu-north-1";
+        setIniProfileData({
+          assume: {
+            aws_access_key_id: "ASSUME_STATIC_ACCESS_KEY",
+            aws_secret_access_key: "ASSUME_STATIC_SECRET_KEY",
+          },
+          default: {
+            region: "us-west-2",
+            role_arn: "ROLE_ARN",
+            role_session_name: "ROLE_SESSION_NAME",
+            source_profile: "assume",
+          },
+        });
+
+        const provider = defaultProvider({});
+        const credentials = await provider();
+        expect(credentials).toEqual({
+          accessKeyId: "STS_AR_ACCESS_KEY_ID",
+          expiration: new Date(`3000-01-01T00:00:00.000Z`),
+          secretAccessKey: "STS_AR_SECRET_ACCESS_KEY",
+          sessionToken: "STS_AR_SESSION_TOKEN_us-west-2",
+          $source: {
+            CREDENTIALS_PROFILE_SOURCE_PROFILE: "o",
+            CREDENTIALS_STS_ASSUME_ROLE: "i",
+          },
+        });
+      });
+    });
   });
 });

packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts

@@ -2,6 +2,7 @@
 // Please do not touch this file. It's generated from template in:
 // https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
 import { setCredentialFeature } from "@aws-sdk/core/client";
+import { stsRegionDefaultResolver } from "@aws-sdk/region-config-resolver";
 import type { CredentialProviderOptions } from "@aws-sdk/types";
 import { AwsCredentialIdentity, Logger, Provider } from "@smithy/types";
 
@@ -28,8 +29,6 @@ export type RoleAssumer = (
   params: AssumeRoleCommandInput
 ) => Promise<AwsCredentialIdentity>;
 
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
 interface AssumedRoleUser {
   /**
    * The ARN of the temporary security credentials that are returned from the AssumeRole action.
@@ -63,19 +62,21 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 const resolveRegion = async (
   _region: string | Provider<string> | undefined,
   _parentRegion: string | Provider<string> | undefined,
-  credentialProviderLogger?: Logger
+  credentialProviderLogger?: Logger,
+  loaderConfig: Parameters<typeof stsRegionDefaultResolver>[0] = {}
 ): Promise<string> => {
   const region: string | undefined = typeof _region === "function" ? await _region() : _region;
   const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+  const stsDefaultRegion = await stsRegionDefaultResolver(loaderConfig)();
 
   credentialProviderLogger?.debug?.(
     "@aws-sdk/client-sts::resolveRegion",
     "accepting first of:",
-    `${region} (provider)`,
-    `${parentRegion} (parent client)`,
-    `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
+    `${region} (credential provider clientConfig)`,
+    `${parentRegion} (contextual client)`,
+    `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`
   );
-  return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+  return region ?? parentRegion ?? stsDefaultRegion;
 };
 
 /**
@@ -101,7 +102,11 @@ export const getDefaultRoleAssumer = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 
@@ -164,7 +169,11 @@ export const getDefaultRoleAssumerWithWebIdentity = (
       const resolvedRegion = await resolveRegion(
         region,
         stsOptions?.parentClientConfig?.region,
-        credentialProviderLogger
+        credentialProviderLogger,
+        {
+          logger,
+          profile,
+        }
       );
       const isCompatibleRequestHandler = !isH2(requestHandler);
 

packages/region-config-resolver/package.json

@@ -25,6 +25,7 @@
   "dependencies": {
     "@aws-sdk/types": "*",
     "@smithy/config-resolver": "^4.4.0",
+    "@smithy/node-config-provider": "^4.3.3",
     "@smithy/types": "^4.8.0",
     "tslib": "^2.6.2"
   },
@@ -53,5 +54,9 @@
     "type": "git",
     "url": "https://github.com/aws/aws-sdk-js-v3.git",
     "directory": "packages/region-config-resolver"
-  }
+  },
+  "browser": {
+    "./dist-es/regionConfig/stsRegionDefaultResolver": "./dist-es/regionConfig/stsRegionDefaultResolver.browser"
+  },
+  "react-native": {}
 }

packages/region-config-resolver/src/index.ts

@@ -1,2 +1,3 @@
 export * from "./extensions";
 export * from "./regionConfig/awsRegionConfig";
+export * from "./regionConfig/stsRegionDefaultResolver";

packages/region-config-resolver/src/regionConfig/stsRegionDefaultResolver.browser.ts

@@ -0,0 +1,6 @@
+/**
+ * @internal
+ */
+export function stsRegionDefaultResolver() {
+  return async () => "us-east-1";
+}

packages/region-config-resolver/src/regionConfig/stsRegionDefaultResolver.native.ts

@@ -0,0 +1,6 @@
+/**
+ * @internal
+ */
+export function stsRegionDefaultResolver() {
+  return async () => "us-east-1";
+}

packages/region-config-resolver/src/regionConfig/stsRegionDefaultResolver.spec.ts

@@ -0,0 +1,27 @@
+import { describe, expect, test as it } from "vitest";
+
+import { stsRegionDefaultResolver } from "./stsRegionDefaultResolver";
+import { stsRegionDefaultResolver as browser } from "./stsRegionDefaultResolver.browser";
+import { stsRegionDefaultResolver as native } from "./stsRegionDefaultResolver.native";
+
+describe("stsRegionDefaultResolver", () => {
+  for (const impl of [stsRegionDefaultResolver, native, browser]) {
+    it(`should default to us-east-1`, async () => {
+      delete process.env.AWS_REGION;
+      const regionProvider = impl({
+        profile: "non-existent P R O F I L E",
+      });
+      const region = await regionProvider();
+      expect(region).toBe("us-east-1");
+    });
+  }
+
+  it("should use AWS_REGION before fallback to us-east-1", async () => {
+    process.env.AWS_REGION = "us-west-2";
+    const regionProvider = stsRegionDefaultResolver({
+      profile: "non-existent P R O F I L E",
+    });
+    const region = await regionProvider();
+    expect(region).toBe("us-west-2");
+  });
+});