Add support for STS AssumeRole regional endpoints #1859

Closed
dmulter opened this issue Feb 2, 2019 · 10 comments
Labels
closing-soon This issue will automatically close in 4 days unless further comments are made.

Comments

dmulter commented Feb 2, 2019

I don't think I'm missing it, but I don't see a way to configure boto3/botocore with a regional endpoint for use with sts.assume_role(). I would like to investigate reducing STS latency as described in Activating and Deactivating AWS STS in an AWS Region. It appears the Java SDK provides support, and it seems Python should as well.

kapilt commented Feb 3, 2019

The standard mechanism in boto3 for using a regional endpoint is on client construction (or session), not on individual API calls, i.e. the following should use a regional endpoint for a role assume.

client = boto3.client('sts', region_name='eu-west-1')
client.assume_role(...)

dmulter (Author) commented Feb 3, 2019

Yes, I use that technique all the time, but got the impression from the doc I linked that the client region wouldn't override the region endpoint in this case. If you can confirm this is definitely the case, this should be good to close.

dmulter (Author) commented Feb 3, 2019

BTW I just confirmed that a deactivated IAM region_name in my boto3.client() call still works. So it looks to me like the endpoint is not controlled by the region_name argument.

stealthycoin (Contributor) commented:

You can provide the entire endpoint via the endpoint_url argument. You can also set debug logs via boto3.set_stream_logger(''), which will show the endpoint at several points in the logs.

@stealthycoin stealthycoin added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Feb 4, 2019
dmulter (Author) commented Feb 4, 2019

Thank you, I will test and confirm tonight.

@no-response no-response bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Feb 4, 2019
dmulter (Author) commented Feb 5, 2019

I didn't check the logs, but did a test with:

boto3.client(
    "sts",
    region_name="us-west-2",
    endpoint_url="https://sts.us-west-2.amazonaws.com"
)

and it still works with that regional endpoint deactivated in IAM.

jamesls (Member) commented Feb 7, 2019

Confirmed that using endpoint_url works as expected for accessing regionalized STS endpoints. We aren't able to change the defaults due to backwards compatibility, but you can use regionalized STS via this:

import boto3

boto3.set_stream_logger('')
sts = boto3.client('sts', region_name='us-west-2',
                   endpoint_url='https://sts.us-west-2.amazonaws.com')
sts.get_session_token()

I get the expected output (in my case I have us-west-2 disabled so I get an error as I expect):

$ python /tmp/t.py
...
2019-02-07 14:35:37,007 botocore.endpoint [DEBUG] Sending http request: <PreparedRequest [POST]>
2019-02-07 14:35:37,008 botocore.vendored.requests.packages.urllib3.connectionpool [INFO] Starting new HTTPS connection (1): sts.us-west-2.amazonaws.com
2019-02-07 14:35:37,168 botocore.vendored.requests.packages.urllib3.connectionpool [DEBUG] "POST / HTTP/1.1" 403 398
2019-02-07 14:35:37,170 botocore.parsers [DEBUG] Response headers: {'x-amzn-requestid': 'b09dd2a6-2b28-11e9-93ea-73f63b81bf1c', 'date': 'Thu, 07 Feb 2019 22:35:36 GMT', 'content-length': '398', 'content-type': 'text/xml'}
2019-02-07 14:35:37,170 botocore.parsers [DEBUG] Response body:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>RegionDisabledException</Code>
    <Message>STS is not activated in this region for account:288321463274. Your account administrator can activate STS in this region using the IAM Console.</Message>
  </Error>
  <RequestId>b09dd2a6-2b28-11e9-93ea-73f63b81bf1c</RequestId>
</ErrorResponse>

2019-02-07 14:35:37,171 botocore.hooks [DEBUG] Event needs-retry.sts.GetSessionToken: calling handler <botocore.retryhandler.RetryHandler object at 0x101547a10>
2019-02-07 14:35:37,171 botocore.retryhandler [DEBUG] No retry needed.
Traceback (most recent call last):
  File "/tmp/t.py", line 6, in <module>
    sts.get_session_token()
  File "/Users/jamessar/.virtualenvs/boto3/src/botocore/botocore/client.py", line 324, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/jamessar/.virtualenvs/boto3/src/botocore/botocore/client.py", line 622, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.RegionDisabledException: An error occurred (RegionDisabledException) when calling the GetSessionToken operation: STS is not activated in this region for account:12345. Your account administrator can activate STS in this region using the IAM Console.

@jamesls jamesls added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Feb 7, 2019
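Putting the endpoint_url fix from this thread into a reusable form, as an added example that is not code from the thread or from boto3: regional_sts_endpoint derives the regional STS URL from the region name (the region-name regex and the partition-suffix mapping are the example's own simplifications), and regional_sts_client pins a boto3 client to that URL and checks client.meta.endpoint_url before any call is made, so a client that would otherwise fall back to the global https://sts.amazonaws.com endpoint fails closed instead.

```python
"""Pin a boto3 STS client to a regional endpoint and verify where it will send requests."""
import re
from urllib.parse import urlparse

# Simplified region-name shape (example's own assumption): us-west-2, cn-north-1, us-gov-west-1
_REGION_RE = re.compile(r"^[a-z]{2}(-gov|-iso[a-z]?)?-[a-z]+-\d+$")


def regional_sts_endpoint(region_name: str) -> str:
    """Return https://sts.<region>.<suffix> for a region name.

    The partition-suffix mapping is the example's own assumption, not a botocore API:
    cn-* regions use amazonaws.com.cn, everything else (including GovCloud) amazonaws.com.
    """
    if not _REGION_RE.match(region_name):
        raise ValueError(f"not a region name: {region_name!r}")
    suffix = "amazonaws.com.cn" if region_name.startswith("cn-") else "amazonaws.com"
    return f"https://sts.{region_name}.{suffix}"


def is_regional_sts_endpoint(url: str, region_name: str) -> bool:
    """True only for an HTTPS URL whose host is the regional STS host for region_name.

    The global host sts.amazonaws.com never matches, which is the failure mode this
    thread is about: region_name alone does not move STS calls off the global endpoint.
    """
    parsed = urlparse(url)
    expected_host = urlparse(regional_sts_endpoint(region_name)).hostname
    return parsed.scheme == "https" and parsed.hostname == expected_host


def regional_sts_client(region_name: str, **client_kwargs):
    """Create a boto3 STS client pinned to the regional endpoint; fail closed if it is not.

    boto3 is imported lazily so the URL helpers above run without it installed.
    """
    import boto3  # assumes boto3 is installed when this function is actually used

    client = boto3.client(
        "sts",
        region_name=region_name,
        endpoint_url=regional_sts_endpoint(region_name),
        **client_kwargs,
    )
    # client.meta.endpoint_url is the URL botocore resolved; with endpoint_url set it
    # must be the regional host, so anything else means the pinning did not take.
    resolved = client.meta.endpoint_url
    if not is_regional_sts_endpoint(resolved, region_name):
        raise RuntimeError(f"STS client resolved to {resolved!r}, expected a regional endpoint")
    return client
```

Calling regional_sts_client("us-west-2").assume_role(...) then behaves like the endpoint_url form shown in this thread, and a RegionDisabledException from a region you have not activated confirms the request really went regional.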
no-response bot commented Feb 14, 2019

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

@no-response no-response bot closed this as completed Feb 14, 2019
jsf9k added a commit to cisagov/cool-assessment-terraform that referenced this issue Jan 22, 2021
…S calls

STS used to be un-regioned, like S3, but now it is regioned.  This is
the one case where boto3 _does not_ do the right thing when you set
the region.  We have to set the region-specific endpoint URL manually.

This is important since the STS VPC endpoint _only_ sets a local DNS
record to override the _local region's_ public STS endpoint.  If we
don't do this then boto3 will reach out to the _global_
https://sts.amazonaws.com URL, and that DNS entry will still point to
an external IP.

See this boto/boto3#1859 for more information about boto3's perverse
behavior in the case of STS.
UlianaStefanishyna commented:

From https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts_vpce.html:

AWS STS recommends that you use both the setRegion and setEndpoint methods to make calls to a Regional endpoint. You can use the setRegion method alone for manually enabled Regions, such as Asia Pacific (Hong Kong). In this case, the calls are directed to the STS Regional endpoint. [...] If you use the setRegion method alone for Regions enabled by default, the calls are directed to the global endpoint of https://sts.amazonaws.com/.

LeonDong199509 commented:

After specifying endpoint_url like

boto3.client(
    'sts',
    region_name='eu-west-2',
    endpoint_url="https://sts.eu-west-2.amazonaws.com"
)

it's working well.

6 participants