Pass configured AWS region to STS credential exchange #14652
melissa-barca wants to merge 1 commit into
Conversation
The credential chain's STS client defaulted to us-east-1 for the web-identity/assume-role exchange, ignoring the configured region. In a region-restricted VPC where STS PrivateLink only covers the configured region, that call has no route and times out, surfacing as a Bedrock ListFoundationModels failure. Pass the resolved region through the chain's clientConfig so the exchange targets it. Group the per-provider credential helpers (aws, googleVertex, snowflake) under a credentials/ subfolder with a barrel, mirroring validation/.
7c31731 to 2de1163
E2E Tests 🚀
PETE's assessment 🧪
Verdict: 🟢 Adequate -- The one substantive change (passing the resolved region into the STS
What changed
Tests in this PR
Existing coverage: The moved google/snowflake helpers retain their existing suites (
Suggested additions: None. The new
Deployment note (optional): The fix guards a bug that only manifests in a region-restricted VPC (STS PrivateLink), which no PR-time e2e can reasonably reproduce -- the author correctly notes this. The behavior is process-env/config logic with no web (
PETE (Positron Extreme Test Experiment) - LLM-based test-coverage advisor, in pilot. Triggers on PR open and on
sharon-wang left a comment
There's an issue with resolveAwsChainInit for AWS SSO login, otherwise some minor comments!
| import * as vscode from 'vscode'; | ||
| import * as positron from 'positron'; | ||
| import { resolveGoogleVertexCredential } from '../googleVertexResolver'; | ||
| import { resolveGoogleVertexCredential } from '../credentials/googleVertex'; |
Should this and the equivalent snowflake file import from credentials directly, now that we have the index.ts file exporting everything?
| import { resolveGoogleVertexCredential } from '../credentials/googleVertex'; | |
| import { resolveGoogleVertexCredential } from '../credentials'; |
| const credentialProvider = fromNodeProviderChain(chainInit); | ||
| logger.info( |
Should we move this logging into resolveAwsChainInit? Then we wouldn't need to return region/profile from resolveAwsChainInit either, since it's not directly used here anymore.
| const chainInit: ChainInit = { | ||
| ...(profile ? { profile } : {}), | ||
| clientConfig: { region }, | ||
| }; |
This isn't working for me when my SSO region is different than my AWS profile region, because it overwrites the region I have configured in ~/.aws/config to the same region as the AWS profile.
For example, if my AWS profile region is not configured to something specific, then the region defaults to us-east-1. But if my SSO region is actually us-east-2, chainInit sets the region to us-east-1, which causes the SSO authentication to fail.
This works for me, but I'm not certain about the STS case:
| const chainInit: ChainInit = { | |
| ...(profile ? { profile } : {}), | |
| clientConfig: { region }, | |
| }; | |
| // The region is passed to the STS `clientConfig` only when web identity token | |
| // auth is in use (AWS_WEB_IDENTITY_TOKEN_FILE set), so the STS exchange targets | |
| // the configured region. For SSO profiles, the region is read from sso_region | |
| // in ~/.aws/config and must not be overridden via clientConfig. | |
| const chainInit: ChainInit = { | |
| ...(profile ? { profile } : {}), | |
| ...(env.AWS_WEB_IDENTITY_TOKEN_FILE ? { clientConfig: { region } } : {}), | |
| }; |
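Review bot: gating on `env.AWS_WEB_IDENTITY_TOKEN_FILE` stops the SSO override, but it narrows the fix to the web-identity path only, while the description calls this the "web-identity/assume-role exchange"; a profile-based assume-role (role_arn with source_profile) also goes through STS and would keep defaulting to us-east-1 in the region-restricted VPC. Consider gating on "not an SSO profile" rather than on the token-file variable alone, and add one case per branch to extensions/authentication/src/test/aws.test.ts, since the description points there for coverage of this logic. Also, `env` is not shown in this snippet; confirm it is the same process.env the provider chain reads so the branch and the SDK agree on whether a token file is in use.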
Fixes #14546
The auth extension resolved the AWS region but never passed it along, so the AWS SDK always targeted us-east-1 when fetching credentials. It now passes the region through fromNodeProviderChain's clientConfig, so the SDK uses it. Also moves the per-provider credential helpers (aws, googleVertex, snowflake) into a credentials/ subfolder.
Release Notes
New Features
Bug Fixes
Validation Steps
@:posit-assistant
No e2e coverage: reproducing requires a region-restricted VPC where STS PrivateLink covers only a non-default region. Unit coverage for the region-resolution logic lives in extensions/authentication/src/test/aws.test.ts.
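An added illustration of the region-resolution and chain-init decision this PR and its review discuss, not the extension's own code: parseAwsConfig, resolveAwsRegion and buildChainInit are assumed names, the config text is constructed, and the us-east-1 fallback models the SDK default the description mentions. It goes one step beyond the suggestion above by also refusing to pass clientConfig.region for a profile that carries sso_region.

```typescript
// Added example, not the PR's code: models the region resolution the extension
// performs and whether to hand it to the chain's STS client. parseAwsConfig,
// resolveAwsRegion and buildChainInit are assumed names; the env vars and the
// region/sso_region config keys are the real AWS ones.
type Env = Record<string, string | undefined>;
type Profiles = Record<string, Record<string, string>>;
export type ChainInit = { profile?: string; clientConfig?: { region: string } };

// Minimal parser for ~/.aws/config sections: "[default]" or "[profile name]".
export function parseAwsConfig(text: string): Profiles {
  const profiles: Profiles = {};
  let current: Record<string, string> | undefined;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const section = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (section) {
      current = profiles[section[1] ?? ''] = {};
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && current) current[(kv[1] ?? '').trim()] = (kv[2] ?? '').trim();
  }
  return profiles;
}

// Precedence: AWS_REGION, then the profile's region key, then the us-east-1
// fallback the PR description names.
export function resolveAwsRegion(env: Env, profiles: Profiles): string {
  const profile = profiles[env.AWS_PROFILE ?? 'default'] ?? {};
  return env.AWS_REGION ?? profile.region ?? 'us-east-1';
}

// Hand the resolved region to the STS client only for the web-identity
// exchange; an SSO profile has its own sso_region, which clientConfig.region
// would override (the failure the reviewer hit).
export function buildChainInit(env: Env, profiles: Profiles): ChainInit {
  const profile = env.AWS_PROFILE;
  const usesWebIdentity = Boolean(env.AWS_WEB_IDENTITY_TOKEN_FILE);
  const isSso = Boolean(profiles[profile ?? 'default']?.sso_region);
  return {
    ...(profile ? { profile } : {}),
    ...(usesWebIdentity && !isSso ? { clientConfig: { region: resolveAwsRegion(env, profiles) } } : {}),
  };
}

// Constructed sample config, not a real file.
export const SAMPLE_CONFIG = '[default]\nregion = eu-west-1\n\n[profile sso-dev]\nsso_region = us-east-2\n';
```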