Description
Checkboxes for prior research
- I've gone through Developer Guide and API reference
- I've checked AWS Forums and StackOverflow.
- I've searched for previous similar issues and didn't find any solution.
Describe the bug
When I call GetCallerIdentityCommand in cn-north-1, the request will be sent to the STS service in us-east-1. China's resources are isolated from the global ones, so obviously this won't work in China.
Regression Issue
- Select this option if this issue appears to be a regression.
SDK version number
@aws-sdk/package-name@version, ...
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v18.20.5
Reproduction Steps
The credentials file looks like this:

```ini
[default]
aws_access_key_id = ak
aws_secret_access_key = sk
```

The config file looks like this:

```ini
[default]
region = cn-north-1
[profile test_assume]
region = cn-north-1
role_arn = arn:aws-cn:iam::xxx:role/test_assume
```
The JS code is very simple. When I try to execute GetCallerIdentityCommand using profile test_assume, I get the error "Error fetching identity: InvalidClientTokenId: The security token included in the request is invalid".

```js
const { STSClient, GetCallerIdentityCommand } = require("@aws-sdk/client-sts");
const { fromIni } = require("@aws-sdk/credential-providers");

async function getRoleIdentity() {
  // Resolve credentials from the assume-role profile in the shared config file.
  const credentials = fromIni({ profile: "test_assume" });
  const stsClient = new STSClient({
    credentials,
    region: "cn-north-1",
  });
  try {
    const command = new GetCallerIdentityCommand({});
    const response = await stsClient.send(command);
    console.log("Current Role Identity:");
    console.log(`Account: ${response.Account}`);
    console.log(`UserId: ${response.UserId}`);
    console.log(`ARN: ${response.Arn}`);
  } catch (error) {
    console.error("Error fetching identity:", error);
  }
}

// Invoke the function; the stack trace below shows it was called in the original run.
getRoleIdentity();
```
package.json

```json
{
  "dependencies": {
    "@aws-sdk/client-sts": "^3.699.0",
    "@aws-sdk/credential-providers": "^3.699.0"
  }
}
```
I captured the requests with tcpdump during the cdk bootstrap command. The output is:
```
[root@ip-172-31-22-83 ec2-user]# tcpdump -n port 443
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:29:14.889285 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [S], seq 4148898204, win 62727, options [mss 8961,sackOK,TS val 1119140418 ecr 0,nop,wscale 7], length 0
07:29:15.117433 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [S.], seq 2138776450, ack 4148898205, win 8190, options [mss 1460,nop,wscale 6,nop,nop,sackOK], length 0
07:29:15.117501 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 1, win 491, length 0
07:29:15.118109 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [P.], seq 1:386, ack 1, win 491, length 385
07:29:15.345920 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [.], ack 1, win 980, length 0
07:29:15.346081 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [.], ack 386, win 974, length 0
07:29:15.346200 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 1:94, ack 386, win 974, length 93
07:29:15.346200 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 94:100, ack 386, win 974, length 6
07:29:15.346234 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 94, win 491, length 0
07:29:15.346243 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 100, win 491, length 0
07:29:15.347120 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [P.], seq 386:810, ack 100, win 491, length 424
07:29:15.363706 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 94:100, ack 386, win 974, length 6
07:29:15.363745 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 100, win 491, options [nop,nop,sack 1 {94:100}], length 0
07:29:15.575130 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [.], ack 810, win 968, length 0
07:29:15.575278 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 100:260, ack 810, win 968, length 160
07:29:15.575308 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 260, win 490, length 0
07:29:15.575601 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 260:292, ack 810, win 968, length 32
07:29:15.575614 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 292, win 490, length 0
07:29:15.575688 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 292:3212, ack 810, win 968, length 2920
07:29:15.575688 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 3212:5347, ack 810, win 968, length 2135
```
I captured the requests with tcpdump during the cdk bootstrap command. The output is:
```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:06.262164 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [S], seq 1915800606, win 62727, options [mss 8961,sackOK,TS val 3264941276 ecr 0,nop,wscale 7], length 0
14:18:06.494006 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [S.], seq 3188368014, ack 1915800607, win 8190, options [mss 1460,nop,wscale 6,nop,nop,sackOK], length 0
14:18:06.494066 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [.], ack 1, win 491, length 0
14:18:06.494873 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [P.], seq 1:382, ack 1, win 491, length 381
14:18:06.726602 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [.], ack 1, win 980, length 0
14:18:06.727233 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [.], ack 382, win 976, length 0
```
As you can see, the IP address of the requested STS service is in the us-east-1 region.
Apparently, it cannot work in the China region. Please fix this issue, thanks!
Observed Behavior
```
[root@ip-172-31-22-83 nodejs]# node test3.js
Error fetching identity: InvalidClientTokenId: The security token included in the request is invalid
    at throwDefaultError (/root/nodejs/node_modules/@smithy/smithy-client/dist-cjs/index.js:836:20)
    at /root/nodejs/node_modules/@smithy/smithy-client/dist-cjs/index.js:845:5
    at de_CommandError (/root/nodejs/node_modules/@aws-sdk/client-sts/dist-cjs/index.js:505:14)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /root/nodejs/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /root/nodejs/node_modules/@smithy/core/dist-cjs/index.js:168:18
    at async /root/nodejs/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /root/nodejs/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22
    at async getRoleIdentity (/root/nodejs/test3.js:17:22) {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: '72193656-2308-4e43-b1b1-0b317ce6aaa1',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Type: 'Sender',
  Code: 'InvalidClientTokenId'
}
```
Expected Behavior
SDK V3 Using source_profile works fine.
Possible Solution
No response
Additional Information/Context
No response
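
An added example, not part of the original issue and not SDK code: an offline check that parses a shared config like the one in the report, derives the regional STS hostname for a profile's region, and flags a request that went to a different host. The partition table (limited to `aws`, `aws-cn` and `aws-us-gov`), the function names and the observed hostname `sts.amazonaws.com` are assumptions made for illustration.

```javascript
// Added example (not SDK code). Assumption: only aws, aws-cn and aws-us-gov are modelled.
const PARTITIONS = [
  { name: "aws-cn", prefix: "cn-", suffix: "amazonaws.com.cn" },
  { name: "aws-us-gov", prefix: "us-gov-", suffix: "amazonaws.com" },
  { name: "aws", prefix: "", suffix: "amazonaws.com" }, // fallback, matches any region
];

function partitionForRegion(region) {
  return PARTITIONS.find((p) => region.startsWith(p.prefix));
}

// Regional STS hostname that a client configured for `region` should contact.
function expectedStsHost(region) {
  return `sts.${region}.${partitionForRegion(region).suffix}`;
}

// Minimal parser for the shared config format: [default] / [profile name], key = value.
function parseProfiles(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1].trim()] = kv[2].trim();
  }
  return profiles;
}

// Compare a profile with the hostname a request was actually sent to.
function checkProfile(profile, observedHost) {
  if (!profile || !profile.region) return { expected: null, findings: ["profile has no region"] };
  const expected = expectedStsHost(profile.region);
  const findings = [];
  const arnPartition = profile.role_arn ? profile.role_arn.split(":")[1] : null;
  if (arnPartition && arnPartition !== partitionForRegion(profile.region).name)
    findings.push(`role_arn partition ${arnPartition} does not match region ${profile.region}`);
  if (observedHost && observedHost.toLowerCase() !== expected)
    findings.push(`STS request went to ${observedHost}, expected ${expected}`);
  return { expected, findings };
}
// Constructed sample: the config from the report plus an assumed observed hostname.
const SAMPLE_CONFIG = `[default]
region = cn-north-1
[profile test_assume]
region = cn-north-1
role_arn = arn:aws-cn:iam::xxx:role/test_assume`;
console.log(checkProfile(parseProfiles(SAMPLE_CONFIG).test_assume, "sts.amazonaws.com"));
```

The observed hostname can come from SDK debug logging or a DNS query log taken alongside a packet capture.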