StsWebIdentityCredentialsProvider does not respect aws.endpointUrlSTS system property

[akitnk]

Describe the bug

StsWebIdentityCredentialsProvider does not support properties to configure custom STS endpoint (like aws.endpointUrlSTS and AWS_ENDPOINT_URL_STS). Due to this problem, StsWebIdentityCredentialsProvider cannot access custom STS endpoint even if it is configured using those properties.

I would think the problem exists in the code below:
https://github.com/aws/aws-sdk-java-v2/blob/master/services/sts/src/main/java/software/amazon/awssdk/services/sts/internal/StsWebIdentityCredentialsProviderFactory.java#L118-L132

Looks like this was fixed in aws-sdk-kotlin aws/aws-sdk-kotlin#1210

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

When setting aws.endpointUrlSTS or AWS_ENDPOINT_URL_STS I expect the SDK to use the specified STS URL for fetching credentials.

Current Behavior

It uses the default AWS URL https://sts.region.amazonaws.com/

Reproduction Steps

1. Set the AWS_ENDPOINT_URL_STS environment variable to a URL that should be called
2. Set AWS_WEB_IDENTITY_TOKEN_FILE to a file containing some JWT
3. Set AWS_ROLE_ARN to any valid role ARN
4. Use SDK to call any service via STS Web Identity Token
5. See that the URL specified above is not used for authentication

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.31.16

JDK version used

17

Operating System and version

Linux

[bhoradc]

Hello @akitnk,

Thanks for reporting the issue. I tried validating (locally) aws.endpointUrlSTS against StsWebIdentityTokenFileCredentialsProvider and few others but I see the property is respected by the SDK.

Here's the code snippet I tried. Let me know in case you see the issue under more sepcific use-case.

StsEndpointTest.java

package org.example;

import software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.s3.S3Client;

public class StsEndpointTest {
    
    public static void main(String[] args) {
        setupEnvironment();
        testStsEndpointUsage();
    }
    
    private static void setupEnvironment() {
        System.setProperty("aws.webIdentityTokenFile", "/tmp/**/web-identity-token.txt");
        System.setProperty("aws.roleArn", "arn:aws:iam::*****:role/**Role");
        System.setProperty("aws.roleSessionName", "local-test-session");
        System.setProperty("aws.region", "us-east-1");
        System.setProperty("aws.endpointUrlSts", "https://sts.us-west-2.amazonaws.com");
        
        System.out.println("  aws.webIdentityTokenFile = " + System.getProperty("aws.webIdentityTokenFile"));
        System.out.println("  aws.roleArn = " + System.getProperty("aws.roleArn"));
        System.out.println("  aws.roleSessionName = " + System.getProperty("aws.roleSessionName"));
        System.out.println("  aws.region = " + System.getProperty("aws.region"));
        System.out.println("  aws.endpointUrlSts = " + System.getProperty("aws.endpointUrlSts"));
        System.out.println();
    }
    
    private static void testStsEndpointUsage() {
        try {
            System.out.println("Creating StsWebIdentityTokenFileCredentialsProvider...");
            StsWebIdentityTokenFileCredentialsProvider provider =
                StsWebIdentityTokenFileCredentialsProvider.builder()
                    .stsClient(StsClient.create())
                    .build();

            var credentials = provider.resolveCredentials();

            S3Client s3Client = S3Client.builder()
                .credentialsProvider(() -> credentials)
                .build();
            
            var buckets = s3Client.listBuckets();
            System.out.println("S3 bucket size: " + buckets.buckets().size() + " buckets");

        } catch (Exception e) {
            System.out.println("Call failed: " + e.getClass().getSimpleName());
            System.out.println("Error message: " + e.getMessage());
        }
    }
}

Pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>V2_Endpoint_Url_STS_6252</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <aws.sdk.version>2.32.16</aws.sdk.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-bom</artifactId>
                <version>2.19.0</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>sts</artifactId>
            <version>${aws.sdk.version}</version>
        </dependency>
        <dependency>
            <groupId>software.amazon.awssdk</groupId>
            <artifactId>s3</artifactId>
            <version>${aws.sdk.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-slf4j2-impl</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-1.2-api</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>exec-maven-plugin</artifactId>
                <version>3.1.0</version>
                <configuration>
                    <mainClass>org.example.StsEndpointTest</mainClass>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

Regards,
Chaitanya

[akitnk]

@bhoradc Thank you very much. I noticed the point. We were using aws.endpointUrlSTS for the property and it did not work because we need to specify the correct uppercase and lowercase letters [1]
Confirmed that using aws.endpointUrlSts works. Let me close the issue..

https://github.com/aws/aws-sdk-java-v2/blob/master/core/aws-core/src/main/java/software/amazon/awssdk/awscore/endpoint/AwsClientEndpointProvider.java#L153

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.