Backport 1.5.x: Use us-gov-west-1 for global APIs in aws-us-gov #10046

kalafut · 2020-09-26T00:18:46Z

Backport of #9947

Use us-gov-west-1 for global APIs in aws-us-gov

Certain partition-global AWS services, like IAM, seem to require
specific regions. In the regular 'aws' partition, this is us-east-1. In
the 'aws-us-gov' partition, this is us-gov-west-1. Providing
us-gov-east-1 returns an error from AWS:

SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-gov-east-1'.

This resolves a problem where AWS authentication could randomly fail
depending on the value cached by Vault at startup.

* Use us-gov-west-1 for global APIs in aws-us-gov Certain partition-global AWS services, like IAM, seem to require specific regions. In the regular 'aws' partition, this is us-east-1. In the 'aws-us-gov' partition, this is us-gov-west-1. Providing us-gov-east-1 returns an error from AWS: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-gov-east-1'. This resolves a problem where AWS authentication could randomly fail depending on the value cached by Vault at startup.

kalafut added this to the 1.5.5 milestone Sep 26, 2020

kalafut requested a review from a team September 26, 2020 00:22

tomhjp approved these changes Sep 28, 2020

View reviewed changes

kalafut merged commit 59b4e67 into release/1.5.x Sep 29, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Backport 1.5.x: Use us-gov-west-1 for global APIs in aws-us-gov #10046

Backport 1.5.x: Use us-gov-west-1 for global APIs in aws-us-gov #10046

kalafut commented Sep 26, 2020

Backport 1.5.x: Use us-gov-west-1 for global APIs in aws-us-gov #10046

Backport 1.5.x: Use us-gov-west-1 for global APIs in aws-us-gov #10046

Conversation

kalafut commented Sep 26, 2020