This issue was moved to a discussion.

sts GetCallerIdentity returns result instead of error in disabled region #2846

Closed
2 of 3 tasks
AmitOttenheimer opened this issue Oct 22, 2024 · 6 comments
Assignees
Labels
guidance Question that needs advice or information. p3 This is a minor priority issue

Comments

AmitOttenheimer commented Oct 22, 2024

Acknowledgements

Describe the bug

Hey,
I am using "github.com/aws/aws-sdk-go-v2/service/sts" in order to check if a specific region's STS status is disabled or not.
In the docs it's mentioned that if a region is disabled the service client fallback behavior should be failure, but I am still getting a result instead of an error.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Return Error

Current Behavior

Return the Account Data

Reproduction Steps

```go
// tempConfig equals *aws.Config with our account information
tempConfig.Region = region
tempConfig.DefaultsMode = awsV2.DefaultsModeInRegion
stsClient := ClientCreator.CreateSTSClient(ctx, &tempConfig)
res, err := stsClient.GetCallerIdentity(ctx, &stsV2.GetCallerIdentityInput{})
```

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2/service/[email protected]

Compiler and Version used

1.23.1

Operating System and version

darwin/arm64

@AmitOttenheimer AmitOttenheimer added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 22, 2024
@RanVaknin RanVaknin self-assigned this Oct 23, 2024
RanVaknin (Contributor) commented

Hi @AmitOttenheimer ,

We will need a bit more information to fully understand the issue.

In the docs its mentioned that if a region is disabled the service client fallback behavior should be failure but I am still getting a result instead of an error

Can you link the docs you are referring to? Which region are you making the request to? What do you mean by "disabled region"? By disabled regions do you mean the opt-in regions that have not been opted into? If that's the case, I can make a request to an opt-in region and I do indeed get an error:

```go
package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	"log"
)

func main() {
	// Pin the client to an opt-in region that this account has not opted into.
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithRegion("ap-southeast-4"),
		config.WithDefaultsMode(aws.DefaultsModeInRegion),
		config.WithClientLogMode(aws.LogRequestWithBody),
	)
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

	client := sts.NewFromConfig(cfg)

	out, err := client.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{})

	if err != nil {
		panic(err)
	}

	fmt.Print(out)
}

// panic: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: REDACTED, api error InvalidClientTokenId: The security token included in the request is invalid.
```

Thanks,
Ran~

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Oct 23, 2024
AmitOttenheimer (Author) commented

Hey @RanVaknin
I am referring to https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
I meant that the region is disabled in the AWS web console.
[image]
The region I have disabled is us-west-2.
I am using the same configuration settings as described here:

```go
config.WithRegion("us-west-2"),
config.WithDefaultsMode(aws.DefaultsModeInRegion),
config.WithClientLogMode(aws.LogRequestWithBody),
```

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 28, 2024
RanVaknin (Contributor) commented

Hi @AmitOttenheimer ,

It's not clear which screen on the console you are using to disable us-west-2. For us as maintainers, it's not possible to disable core regions:

[image]

But as shown in my previous comment, when making a request to a disabled region I am indeed seeing an error.
How did you disable that region? Is it through the billing and cost management page in the AWS console? What is the result you are getting back?

Thanks,
Ran~

@RanVaknin RanVaknin added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 28, 2024
AmitOttenheimer (Author) commented

Hi @RanVaknin, I'm doing this using the IAM console as mentioned here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
The result I am getting is a valid sts.GetCallerIdentityOutput with error equal to nil.

RanVaknin (Contributor) commented Oct 29, 2024

Hi @AmitOttenheimer,

Thanks for the clarification. From the first doc you initially mentioned:

Service client fallback behavior: What the SDK does when it is supposed to use a Regional endpoint but no Region has been configured. This is the behavior regardless of if it is using a Regional endpoint because of a default or because regional has been selected by the setting.

This specifically pertains to using the SDK without any region configured and is not related to disabled regions.
For example:

```go
package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	"log"
)

func main() {
	// No region is configured here, so the v2 endpoint rules cannot resolve a regional STS endpoint.
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithDefaultsMode(aws.DefaultsModeInRegion),
	)
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

	client := sts.NewFromConfig(cfg)

	out, err := client.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{})

	if err != nil {
		panic(err)
	}

	fmt.Print(out)
}

// panic: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
```

In comparison, Go SDK v1 will instead use the global endpoint:

```go
package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
)

func main() {
	// No region is configured; debug logging shows which endpoint the request goes to.
	sess, err := session.NewSession(&aws.Config{
		LogLevel: aws.LogLevel(aws.LogDebugWithHTTPBody),
	})
	if err != nil {
		panic(err)
	}

	client := sts.New(sess)

	out, err := client.GetCallerIdentityWithContext(context.TODO(), &sts.GetCallerIdentityInput{})

	if err != nil {
		panic(err)
	}

	fmt.Print(out)
}

// when region is not provided, the legacy v1 SDK would make the request to the global sts endpoint.
/*
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.amazonaws.com
User-Agent: aws-sdk-go/1.50.9 (go1.23.2; darwin; arm64)
Content-Length: 43
Authorization: REDACTED
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20241029T174638Z
Accept-Encoding: gzip

*/
```

I hope this clarifies things.

Thanks,
Ran~
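
The endpoint-resolution difference described in this comment, as an added offline model that is not part of the thread or the SDK's own resolver: it encodes only the behaviour shown above (v2 refuses to resolve an endpoint without a region, legacy v1 falls back to the global endpoint, a non-opted-in region answers with InvalidClientTokenId) and classifies a probe result accordingly. The function names, the string matching on error text, and the `legacyV1` flag are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errMissingRegion mirrors the v2 endpoint rule error text seen above.
var errMissingRegion = errors.New("Invalid Configuration: Missing Region")

// resolveSTSEndpoint is a simplified model (not SDK code) of which STS
// endpoint a request would go to for a given configured region.
func resolveSTSEndpoint(region string, legacyV1 bool) (string, error) {
	region = strings.TrimSpace(region)
	if region == "" {
		if legacyV1 {
			return "https://sts.amazonaws.com", nil // v1: global endpoint fallback
		}
		return "", errMissingRegion // v2: endpoint rule error, no fallback
	}
	// With a region configured both SDKs use the regional endpoint.
	return fmt.Sprintf("https://sts.%s.amazonaws.com", region), nil
}

// classifyProbe maps the outcome of a region-pinned GetCallerIdentity call to
// the situations seen in this thread. String matching on err.Error() is an
// assumption for this demo; a real caller would inspect the typed API error.
func classifyProbe(err error) string {
	switch {
	case err == nil:
		return "ok: the regional endpoint answered; by itself this does not tell you whether STS is activated for the region in IAM"
	case strings.Contains(err.Error(), "Missing Region"):
		return "config: no region configured, v2 will not fall back to the global endpoint"
	case strings.Contains(err.Error(), "InvalidClientTokenId"):
		return "denied: credentials rejected at that endpoint (e.g. opt-in region not opted into)"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	for _, r := range []string{"", "us-west-2", "ap-southeast-4"} {
		ep, err := resolveSTSEndpoint(r, false)
		fmt.Printf("v2 region=%q endpoint=%q -> %s\n", r, ep, classifyProbe(err))
	}
	ep, _ := resolveSTSEndpoint("", true)
	fmt.Println("v1 no region ->", ep)
}
```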

@RanVaknin RanVaknin added guidance Question that needs advice or information. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. bug This issue is a bug. labels Oct 29, 2024
AmitOttenheimer (Author) commented

Hey @RanVaknin
Thank you very much for the answer!
How can I, using the Go SDK, check if AWS STS is active or deactivated in a specific region?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 31, 2024
@aws aws locked and limited conversation to collaborators Oct 31, 2024
@RanVaknin RanVaknin converted this issue into discussion #2882 Oct 31, 2024
