sts endpoint fix for china regions (#1444)

pkg/credentials/iam_aws.go

@@ -27,6 +27,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"strings"
 	"time"
 
 	jsoniter "github.com/json-iterator/go"
@@ -82,7 +83,11 @@ func (m *IAM) Retrieve() (Value, error) {
 	case len(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) > 0:
 		if len(endpoint) == 0 {
 			if len(os.Getenv("AWS_REGION")) > 0 {
-				endpoint = "https://sts." + os.Getenv("AWS_REGION") + ".amazonaws.com"
+				if strings.HasPrefix(os.Getenv("AWS_REGION"), "cn-") {
+					endpoint = "https://sts." + os.Getenv("AWS_REGION") + ".amazonaws.com.cn"
+				} else {
+					endpoint = "https://sts." + os.Getenv("AWS_REGION") + ".amazonaws.com"
+				}
 			} else {
 				endpoint = defaultSTSRoleEndpoint
 			}

pkg/credentials/iam_aws_test.go

@@ -349,3 +349,45 @@ func TestSts(t *testing.T) {
 		t.Error("Expected creds to be expired.")
 	}
 }
+
+func TestStsCn(t *testing.T) {
+	server := initStsTestServer("2014-12-16T01:51:37Z")
+	defer server.Close()
+	p := &IAM{
+		Client:   http.DefaultClient,
+		Endpoint: server.URL,
+	}
+
+	f, err := ioutil.TempFile("", "minio-go")
+	if err != nil {
+		t.Errorf("Unexpected failure %s", err)
+	}
+	defer os.Remove(f.Name())
+	f.Write([]byte("token"))
+	f.Close()
+
+	os.Setenv("AWS_REGION", "cn-northwest-1")
+	os.Setenv("AWS_WEB_IDENTITY_TOKEN_FILE", f.Name())
+	os.Setenv("AWS_ROLE_ARN", "arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/app1")
+	creds, err := p.Retrieve()
+	os.Unsetenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+	os.Unsetenv("AWS_ROLE_ARN")
+	if err != nil {
+		t.Errorf("Unexpected failure %s", err)
+	}
+	if "accessKey" != creds.AccessKeyID {
+		t.Errorf("Expected \"accessKey\", got %s", creds.AccessKeyID)
+	}
+
+	if "secret" != creds.SecretAccessKey {
+		t.Errorf("Expected \"secret\", got %s", creds.SecretAccessKey)
+	}
+
+	if "token" != creds.SessionToken {
+		t.Errorf("Expected \"token\", got %s", creds.SessionToken)
+	}
+
+	if !p.IsExpired() {
+		t.Error("Expected creds to be expired.")
+	}
+}