
Add support for STS AssumeRole regional endpoints

See original GitHub issue

I don’t think I’m missing it, but I don’t see a way to configure boto3/botocore with a regional endpoint for use with sts.assume_role(). I would like to investigate reducing STS latency as described in Activating and Deactivating AWS STS in an AWS Region. It appears the Java SDK provides support, and it seems Python should as well.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

1 reaction
jamesls commented, Feb 7, 2019

Confirmed that using endpoint_url works as expected for accessing regionalized STS endpoints. We aren’t able to change the defaults due to backwards compatibility, but you can use regionalized STS via this:

import boto3

boto3.set_stream_logger('')  # log every request so the host actually contacted is visible
sts = boto3.client('sts', region_name='us-west-2',  # region_name sets the SigV4 signing scope
                   endpoint_url='https://sts.us-west-2.amazonaws.com')  # endpoint_url overrides the global sts.amazonaws.com default
sts.get_session_token()

I get the expected output (in my case I have us-west-2 disabled so I get an error as I expect):

$ python /tmp/t.py
...
2019-02-07 14:35:37,007 botocore.endpoint [DEBUG] Sending http request: <PreparedRequest [POST]>
2019-02-07 14:35:37,008 botocore.vendored.requests.packages.urllib3.connectionpool [INFO] Starting new HTTPS connection (1): sts.us-west-2.amazonaws.com
2019-02-07 14:35:37,168 botocore.vendored.requests.packages.urllib3.connectionpool [DEBUG] "POST / HTTP/1.1" 403 398
2019-02-07 14:35:37,170 botocore.parsers [DEBUG] Response headers: {'x-amzn-requestid': 'b09dd2a6-2b28-11e9-93ea-73f63b81bf1c', 'date': 'Thu, 07 Feb 2019 22:35:36 GMT', 'content-length': '398', 'content-type': 'text/xml'}
2019-02-07 14:35:37,170 botocore.parsers [DEBUG] Response body:
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>RegionDisabledException</Code>
    <Message>STS is not activated in this region for account:288321463274. Your account administrator can activate STS in this region using the IAM Console.</Message>
  </Error>
  <RequestId>b09dd2a6-2b28-11e9-93ea-73f63b81bf1c</RequestId>
</ErrorResponse>

2019-02-07 14:35:37,171 botocore.hooks [DEBUG] Event needs-retry.sts.GetSessionToken: calling handler <botocore.retryhandler.RetryHandler object at 0x101547a10>
2019-02-07 14:35:37,171 botocore.retryhandler [DEBUG] No retry needed.
Traceback (most recent call last):
  File "/tmp/t.py", line 6, in <module>
    sts.get_session_token()
  File "/Users/jamessar/.virtualenvs/boto3/src/botocore/botocore/client.py", line 324, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/jamessar/.virtualenvs/boto3/src/botocore/botocore/client.py", line 622, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.RegionDisabledException: An error occurred (RegionDisabledException) when calling the GetSessionToken operation: STS is not activated in this region for account:12345. Your account administrator can activate STS in this region using the IAM Console.
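
The same endpoint_url trick applied to the operation the issue actually asks about, AssumeRole, with handling for the RegionDisabledException shown in the log above. This is an added example written for this page, not code from the boto3 issue or the botocore project. The endpoint naming follows the sts.<region>.amazonaws.com pattern used in the comment; the amazonaws.com.cn suffix for the China partition, the role ARN, the session name and the stand-in STS client used for the offline demo are assumptions made here.

```python
"""Regional STS endpoints for boto3, with a fallback when STS is not
activated in the chosen region.

Added example for this thread; not code from the boto3 issue or from
botocore. The China-partition suffix and the demo's role/session names
are assumptions.
"""
import re

# Region names look like us-east-1, eu-central-1, us-gov-west-1, cn-north-1.
_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"  # what botocore of this era used by default


def is_region_name(value: str) -> bool:
    """True if `value` has the shape of an AWS region name."""
    return bool(_REGION_RE.match(value))


def regional_sts_endpoint(region: str) -> str:
    """Regional STS endpoint URL for `region` (ValueError on a malformed name).

    botocore sent STS requests to the global endpoint regardless of
    region_name, so the regional host must be passed as endpoint_url.
    The amazonaws.com.cn suffix for cn-* regions follows the China
    partition's DNS convention (an assumption; the thread does not cover it).
    """
    if not is_region_name(region):
        raise ValueError(f"not an AWS region name: {region!r}")
    suffix = "amazonaws.com.cn" if region.startswith("cn-") else "amazonaws.com"
    return f"https://sts.{region}.{suffix}"


def regional_sts_client(region: str):
    """STS client pinned to the regional endpoint.

    region_name sets the SigV4 signing scope and endpoint_url the host the
    request goes to; they must name the same region or the signature is
    rejected by the service.
    """
    import boto3  # local import: the pure helpers stay usable without boto3 installed

    return boto3.client("sts", region_name=region,
                        endpoint_url=regional_sts_endpoint(region))


def is_region_disabled(exc: Exception) -> bool:
    """True if `exc` is botocore's parsed RegionDisabledException.

    botocore's ClientError subclasses carry the parsed <ErrorResponse>
    body in .response; <Code> is the value shown in the log above.
    """
    error = getattr(exc, "response", {}).get("Error", {})
    return error.get("Code") == "RegionDisabledException"


def assume_role_regional(role_arn, session_name, regions,
                         client_factory=regional_sts_client, duration_seconds=900):
    """AssumeRole via the first region in `regions` whose STS endpoint is active.

    Returns (region, credentials). Regions where STS is not activated are
    skipped; any other error is re-raised, because a bad role ARN or trust
    policy will not get better in the next region. RuntimeError if every
    region is disabled.
    """
    disabled = []
    for region in regions:
        sts = client_factory(region)
        try:
            resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                   DurationSeconds=duration_seconds)
        except Exception as exc:  # inspected rather than typed so botocore need not be imported
            if is_region_disabled(exc):
                disabled.append(region)
                continue
            raise
        return region, resp["Credentials"]
    raise RuntimeError(f"STS is not activated in any of: {', '.join(disabled)}")


class _StsStandIn:
    """Constructed stand-in for an STS client so the fallback logic runs
    offline; it raises the same error shape botocore does for a region
    where STS is not activated. Credential values are made up."""

    def __init__(self, region, disabled_regions):
        self.region = region
        self.disabled = region in disabled_regions

    def assume_role(self, **kwargs):
        if self.disabled:
            err = Exception(f"STS is not activated in this region ({self.region})")
            err.response = {"Error": {"Code": "RegionDisabledException", "Message": str(err)}}
            raise err
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY",
                                "SecretAccessKey": "example-secret",
                                "SessionToken": f"example-token-{self.region}"}}


def demo():
    """Offline run: us-west-2 is disabled (as in the comment above), so the
    role is assumed through us-east-1 instead."""
    factory = lambda region: _StsStandIn(region, disabled_regions={"us-west-2"})
    return assume_role_regional("arn:aws:iam::123456789012:role/Example", "example-session",
                                ["us-west-2", "us-east-1"], client_factory=factory)


if __name__ == "__main__":
    print(regional_sts_endpoint("us-west-2"), "vs default", GLOBAL_STS_ENDPOINT)
    print(demo())
```

With real credentials, replace client_factory with the default regional_sts_client and pass a role ARN your identity is trusted to assume. Later botocore releases added the sts_regional_endpoints setting (AWS_STS_REGIONAL_ENDPOINTS=regional in the environment, or sts_regional_endpoints = regional in ~/.aws/config), which makes botocore pick the regional host from region_name without an explicit endpoint_url; the explicit endpoint_url in this example is the approach that works on the botocore of this thread.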

0 reactions
no-response[bot] commented, Feb 14, 2019

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don’t have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.


Top Results From Across the Web

  • Managing AWS STS in an AWS Region - AWS Documentation: In the Security Token Service (STS) section Endpoints, find the Region that you want to configure, and then choose Active or Inactive in...
  • regional sts support for AWS credentials with role-assumption: In our use case we have isolated team-city set up in a private subnet, we provided vpc endpoint for s3 bucket which works...
  • How to enable regional AWS Security Token Service (STS ...: If you intend to enable a new Region for your account, you can use session tokens from Regional STS endpoints.
  • STS — Boto3 Docs 1.26.33 documentation - AWS: Attach a policy to the user that allows the user to call AssumeRole (as long as the role's trust policy trusts the account)....
  • AWS STS (Security Token Service) - Scaler Topics: In fact, AWS recommends using Regional AWS STS endpoints over the global ... 1, AssumeRole, Allow us to access the AWS service that...
