sts GetCallerIdentity returns result instead of error in disabled region #2882
-
Hi @AmitOttenheimer,

We will need a bit more information to fully understand the issue.

Can you link the docs you are referring to? Which region are you making the request to? What do you mean by "disabled region"? By disabled regions you mean the opt-in regions that have not been opted into? If that's the case, I can make a request to an opt-in region and I do indeed get an error:

```go
package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	"log"
)

func main() {
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithRegion("ap-southeast-4"),
		config.WithDefaultsMode(aws.DefaultsModeInRegion),
		config.WithClientLogMode(aws.LogRequestWithBody),
	)
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

	client := sts.NewFromConfig(cfg)

	out, err := client.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{})
	if err != nil {
		panic(err)
	}

	fmt.Print(out)
}

// panic: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: REDACTED, api error InvalidClientTokenId: The security token included in the request is invalid.
```

Thanks,
-
Hey @RanVaknin
-
Hi @AmitOttenheimer,

It's not clear which screen on the console you are using to disable us-west-2. For us as maintainers, it's not possible to disable core regions:

But as shown in my previous comment, when making a request to a disabled region I am indeed seeing an error.

Thanks,
-
Hi @RanVaknin, I'm doing this using the IAM console as mentioned here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
-
Hi @AmitOttenheimer,

Thanks for the clarification. From the first doc you initially mentioned:

This specifically pertains to using the SDK without any region configured and is not related to disabled regions.

```go
package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	"log"
)

func main() {
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithDefaultsMode(aws.DefaultsModeInRegion),
	)
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

	client := sts.NewFromConfig(cfg)

	out, err := client.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{})
	if err != nil {
		panic(err)
	}

	fmt.Print(out)
}

// panic: operation error STS: GetCallerIdentity, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region
```

In comparison Go SDK v1 will instead use the global endpoint:

```go
package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
)

func main() {
	sess, err := session.NewSession(&aws.Config{
		LogLevel: aws.LogLevel(aws.LogDebugWithHTTPBody),
	})
	if err != nil {
		panic(err)
	}

	client := sts.New(sess)

	out, err := client.GetCallerIdentityWithContext(context.TODO(), &sts.GetCallerIdentityInput{})
	if err != nil {
		panic(err)
	}

	fmt.Print(out)
}

// when region is not provided, the legacy v1 SDK would make the request to the global sts endpoint.
/*
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.amazonaws.com
User-Agent: aws-sdk-go/1.50.9 (go1.23.2; darwin; arm64)
Content-Length: 43
Authorization: REDACTED
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20241029T174638Z
Accept-Encoding: gzip
*/
```

I hope this clarifies things.

Thanks,
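Added example (not part of the thread and not SDK code): the v1 request dump above shows the call going to `sts.amazonaws.com`, so scanning SDK debug output for the `Host` header shows which STS endpoint a client actually used. `ClassifySTSHost`, `GlobalSTSCalls` and the sample log are constructed for illustration, and only hosts of the form `sts.amazonaws.com` or `sts.<region>.amazonaws.com` are recognised.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// regionalSTS matches regional hosts such as sts.eu-west-1.amazonaws.com.
var regionalSTS = regexp.MustCompile(`^sts\.([a-z]{2}(?:-[a-z]+)+-\d+)\.amazonaws\.com$`)

// ClassifySTSHost (hypothetical helper) labels a Host value "global", "regional" or "other".
func ClassifySTSHost(host string) (kind, region string) {
	host = strings.ToLower(strings.TrimSpace(host))
	if host == "sts.amazonaws.com" {
		return "global", ""
	}
	if m := regionalSTS.FindStringSubmatch(host); m != nil {
		return "regional", m[1]
	}
	return "other", "" // anchored match: look-alike hosts are not treated as STS
}

// GlobalSTSCalls (hypothetical helper) returns the 1-based log line numbers of
// Host headers that name the global STS endpoint.
func GlobalSTSCalls(debugLog string) (hits []int) {
	sc := bufio.NewScanner(strings.NewReader(debugLog))
	for n := 1; sc.Scan(); n++ {
		name, value, ok := strings.Cut(sc.Text(), ":")
		if ok && strings.EqualFold(strings.TrimSpace(name), "host") {
			if kind, _ := ClassifySTSHost(value); kind == "global" {
				hits = append(hits, n)
			}
		}
	}
	return hits
}

// sampleLog is constructed; its first request mirrors the v1 dump quoted in the thread.
const sampleLog = `---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.amazonaws.com
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.ap-southeast-4.amazonaws.com`

func main() {
	fmt.Println(GlobalSTSCalls(sampleLog)) // line numbers of global-endpoint requests
}
```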
-
Hey @RanVaknin
-
Acknowledgements
go get -u github.com/aws/aws-sdk-go-v2/...
Describe the bug
Hey,
I am using "github.com/aws/aws-sdk-go-v2/service/sts" in order to check if a specific region's STS status is disabled or not.
In the docs it's mentioned that if a region is disabled the service client fallback behavior should be failure, but I am still getting a result instead of an error.
Regression Issue
Expected Behavior
Return Error
Current Behavior
Return the Account Data
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2/service/[email protected]
Compiler and Version used
1.23.1
Operating System and version
darwin/arm64