
Assuming role configured in AWS profile does not work outside of aws partition (China, US Gov Cloud, etc.) #6711

@csy97

Description


Describe the bug

When I call GetCallerIdentityCommand in cn-north-1, the request is sent to the STS service in us-east-1. China's resources are isolated from the global partition, so obviously this won't work in China.

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/package-name@version, ...

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v18.20.5

Reproduction Steps

credentials file like this

[default]
aws_access_key_id = a'k
aws_secret_access_key = sk

config file like this

[default]
region = cn-north-1
[profile test_assume]
region = cn-north-1
role_arn = arn:aws-cn:iam::xxx:role/test_assume

The JS code is very simple. When I try to execute GetCallerIdentityCommand using the profile test_assume, I get the error "Error fetching identity: InvalidClientTokenId: The security token included in the request is invalid".

const { STSClient, GetCallerIdentityCommand } = require("@aws-sdk/client-sts");
const { fromIni } = require("@aws-sdk/credential-providers");

async function getRoleIdentity() {
  // Resolve credentials from the test_assume profile; because the profile
  // carries a role_arn, fromIni performs the AssumeRole call itself.
  const credentials = fromIni({ profile: "test_assume" });

  // The client used for GetCallerIdentity is explicitly placed in cn-north-1.
  const stsClient = new STSClient({
    credentials,
    region: "cn-north-1",
  });

  try {
    const command = new GetCallerIdentityCommand({});
    const response = await stsClient.send(command);

    console.log("Current Role Identity:");
    console.log(`Account: ${response.Account}`);
    console.log(`UserId: ${response.UserId}`);
    console.log(`ARN: ${response.Arn}`);
  } catch (error) {
    console.error("Error fetching identity:", error);
  }
}

getRoleIdentity();

package.json

{
  "dependencies": {
    "@aws-sdk/client-sts": "^3.699.0",
    "@aws-sdk/credential-providers": "^3.699.0"
  }
}

I captured the traffic with tcpdump during the cdk bootstrap command. The output is:

[root@ip-172-31-22-83 ec2-user]# tcpdump -n port 443
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:29:14.889285 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [S], seq 4148898204, win 62727, options [mss 8961,sackOK,TS val 1119140418 ecr 0,nop,wscale 7], length 0
07:29:15.117433 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [S.], seq 2138776450, ack 4148898205, win 8190, options [mss 1460,nop,wscale 6,nop,nop,sackOK], length 0
07:29:15.117501 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 1, win 491, length 0
07:29:15.118109 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [P.], seq 1:386, ack 1, win 491, length 385
07:29:15.345920 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [.], ack 1, win 980, length 0
07:29:15.346081 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [.], ack 386, win 974, length 0
07:29:15.346200 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 1:94, ack 386, win 974, length 93
07:29:15.346200 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 94:100, ack 386, win 974, length 6
07:29:15.346234 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 94, win 491, length 0
07:29:15.346243 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 100, win 491, length 0
07:29:15.347120 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [P.], seq 386:810, ack 100, win 491, length 424
07:29:15.363706 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 94:100, ack 386, win 974, length 6
07:29:15.363745 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 100, win 491, options [nop,nop,sack 1 {94:100}], length 0
07:29:15.575130 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [.], ack 810, win 968, length 0
07:29:15.575278 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 100:260, ack 810, win 968, length 160
07:29:15.575308 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 260, win 490, length 0
07:29:15.575601 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 260:292, ack 810, win 968, length 32
07:29:15.575614 IP 172.31.22.83.57130 > 67.220.245.46.https: Flags [.], ack 292, win 490, length 0
07:29:15.575688 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 292:3212, ack 810, win 968, length 2920
07:29:15.575688 IP 67.220.245.46.https > 172.31.22.83.57130: Flags [P.], seq 3212:5347, ack 810, win 968, length 2135

I captured the traffic with tcpdump during the cdk bootstrap command. The output is:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:18:06.262164 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [S], seq 1915800606, win 62727, options [mss 8961,sackOK,TS val 3264941276 ecr 0,nop,wscale 7], length 0
14:18:06.494006 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [S.], seq 3188368014, ack 1915800607, win 8190, options [mss 1460,nop,wscale 6,nop,nop,sackOK], length 0
14:18:06.494066 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [.], ack 1, win 491, length 0
14:18:06.494873 IP 172.31.3.41.43922 > 72.21.206.96.https: Flags [P.], seq 1:382, ack 1, win 491, length 381
14:18:06.726602 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [.], ack 1, win 980, length 0
14:18:06.727233 IP 72.21.206.96.https > 172.31.3.41.43922: Flags [.], ack 382, win 976, length 0

As you can see, the IP address of the STS service being requested is in the us-east-1 region.

Apparently, it cannot work in the China region. Please fix this issue. Thanks!

Observed Behavior

[root@ip-172-31-22-83 nodejs]# node test3.js
Error fetching identity: InvalidClientTokenId: The security token included in the request is invalid
    at throwDefaultError (/root/nodejs/node_modules/@smithy/smithy-client/dist-cjs/index.js:836:20)
    at /root/nodejs/node_modules/@smithy/smithy-client/dist-cjs/index.js:845:5
    at de_CommandError (/root/nodejs/node_modules/@aws-sdk/client-sts/dist-cjs/index.js:505:14)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /root/nodejs/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /root/nodejs/node_modules/@smithy/core/dist-cjs/index.js:168:18
    at async /root/nodejs/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /root/nodejs/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22
    at async getRoleIdentity (/root/nodejs/test3.js:17:22) {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: '72193656-2308-4e43-b1b1-0b317ce6aaa1',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Type: 'Sender',
  Code: 'InvalidClientTokenId'
}

Expected Behavior

SDK v3 using source_profile works fine.

Possible Solution

No response

Additional Information/Context

No response
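The following is an added example written for this page; it is not the reporter's code and not part of the AWS SDK. It shows the check a practitioner would run before trusting a profile-based credential provider: take the partition from the profile's role_arn, take the partition of the region the STS client will actually use, and refuse to proceed when they differ, which is exactly the mismatch the tcpdump above exposed (an aws-cn role ARN, an AssumeRole call to us-east-1). It uses only Node.js built-ins so it runs offline. The partition table values are AWS's published partition names and DNS suffixes, but the region-prefix patterns are a simplification written for this example, and the sample config with its placeholder account ID is constructed. The `clientConfig` option it builds for `fromIni` is the option `@aws-sdk/credential-providers` exposes for configuring the STS client used internally for AssumeRole; that it pins the AssumeRole endpoint to the profile's region is an assumption to verify against your SDK version.

```javascript
// Added example (not from the issue or the SDK): offline partition check for
// profile-based AssumeRole, plus the fromIni options that pin its STS region.

// Partition table. Names and DNS suffixes are AWS's published values; the
// region regexes are a simplification written for this example.
const PARTITIONS = [
  { name: "aws-cn", regions: /^cn-/, dnsSuffix: "amazonaws.com.cn" },
  { name: "aws-us-gov", regions: /^us-gov-/, dnsSuffix: "amazonaws.com" },
  { name: "aws", regions: /^(us|eu|ap|sa|ca|me|af|il)-/, dnsSuffix: "amazonaws.com" },
];

function partitionForRegion(region) {
  const p = PARTITIONS.find((x) => x.regions.test(region));
  if (!p) throw new Error(`unknown region: ${region}`);
  return p;
}

// ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
function partitionFromArn(arn) {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn" || parts[1] === "") {
    throw new Error(`malformed ARN: ${arn}`);
  }
  return parts[1];
}

// Regional STS hostname, e.g. sts.cn-north-1.amazonaws.com.cn
function stsEndpoint(region) {
  return `sts.${region}.${partitionForRegion(region).dnsSuffix}`;
}

// Minimal parser for the ~/.aws/config INI layout shown in the report.
function parseIni(text) {
  const out = {};
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^\[(.+)\]$/);
    if (m) {
      section = m[1];
      out[section] = out[section] || {};
      continue;
    }
    const eq = line.indexOf("=");
    if (eq === -1 || section === null) continue;
    out[section][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Compare the partition of the profile's role ARN with the partition of the
// region the STS client really uses. stsRegion defaults to the profile's own
// region (what the reporter expected); passing "us-east-1" reproduces what the
// SDK did according to the capture.
function checkRoleProfile(config, profileName, stsRegion) {
  const profile = config[`profile ${profileName}`];
  if (!profile || !profile.role_arn) {
    throw new Error(`no role_arn in profile ${profileName}`);
  }
  const region = stsRegion || profile.region;
  const arnPartition = partitionFromArn(profile.role_arn);
  const regionPartition = partitionForRegion(region).name;
  return {
    ok: arnPartition === regionPartition,
    arnPartition,
    regionPartition,
    endpoint: stsEndpoint(region),
  };
}

// Options for fromIni() that pin its internal STS client to the profile's
// region. `clientConfig` is the option the credential-providers package exposes
// for that client; that this fixes the endpoint is an assumption to verify.
function fromIniOptions(config, profileName) {
  const profile = config[`profile ${profileName}`];
  return { profile: profileName, clientConfig: { region: profile.region } };
}

// Constructed sample mirroring the reporter's config; the account ID is a placeholder.
const SAMPLE_CONFIG = `
[default]
region = cn-north-1
[profile test_assume]
region = cn-north-1
role_arn = arn:aws-cn:iam::123456789012:role/test_assume
`;
const sampleConfig = parseIni(SAMPLE_CONFIG);

console.log("STS in us-east-1 (what the capture showed):", checkRoleProfile(sampleConfig, "test_assume", "us-east-1"));
console.log("STS pinned to the profile region:", checkRoleProfile(sampleConfig, "test_assume"));
console.log("fromIni options to pass:", fromIniOptions(sampleConfig, "test_assume"));
```

Run it with `node` and the first result reports `ok: false` with `arnPartition: "aws-cn"` against `regionPartition: "aws"`, which is the condition that produces the InvalidClientTokenId 403 in the report: the credentials are valid, but they are being presented to a partition that has never heard of them. Wire the same check in front of any provider that assumes a role from a profile, and pass the returned options to `fromIni` so the AssumeRole request goes to the partition the role lives in.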

Labels

bug (This issue is a bug), p2 (This is a standard priority issue)
