fixed sts endpoint (#997)

* fixed sts endpoint

* fixed assume role plugin for sts regional endpoints

Co-authored-by: hickeydh-aws <hickeydh@amazon.com>
Co-authored-by: Brian969 <56414362+Brian969@users.noreply.github.com>

Author: hickeydh-aws

src/deployments/cdk/toolkit.ts

@@ -31,10 +31,6 @@ import { promises as fsp } from 'fs';
 // Set debug logging
 setLogLevel(1);
 
-// Register the assume role plugin
-const assumeRolePlugin = new AssumeProfilePlugin();
-assumeRolePlugin.init(PluginHost.instance);
-
 export interface CdkToolkitProps {
   assemblies: CloudAssembly[];
   configuration: Configuration;
@@ -198,6 +194,9 @@ export class CdkToolkit {
   }
 
   async deployStack(stack: CloudFormationStackArtifact, retries: number = 0): Promise<StackOutput[]> {
+    // Register the assume role plugin
+    const assumeRolePlugin = new AssumeProfilePlugin({ region: stack.environment.region });
+    await assumeRolePlugin.init(PluginHost.instance);
     this.deploymentLog(stack, 'Deploying Stack');
     const stackExists = await this.cloudFormation.stackExists({ stack });
     this.deploymentLog(stack, `Stack Exists: ${stackExists}`);

src/lib/cdk-plugin-assume-role/src/assume-role-plugin.ts

@@ -17,13 +17,14 @@ import { AssumeRoleProviderSource } from './assume-role-provider-source';
 export class AssumeProfilePlugin implements Plugin {
   readonly version = '1';
 
-  constructor(private readonly props: { assumeRoleName?: string; assumeRoleDuration?: number } = {}) {}
+  constructor(private readonly props: { assumeRoleName?: string; assumeRoleDuration?: number; region?: string } = {}) {}
 
   init(host: PluginHost): void {
     const source = new AssumeRoleProviderSource({
       name: 'cdk-assume-role-plugin',
       assumeRoleName: this.props.assumeRoleName ?? AssumeProfilePlugin.getDefaultAssumeRoleName(),
       assumeRoleDuration: this.props.assumeRoleDuration ?? AssumeProfilePlugin.getDefaultAssumeRoleDuration(),
+      region: this.props.region,
     });
     host.registerCredentialProviderSource(source);
   }

src/lib/cdk-plugin-assume-role/src/assume-role-provider-source.ts

@@ -21,6 +21,7 @@ export interface AssumeRoleProviderSourceProps {
   name: string;
   assumeRoleName: string;
   assumeRoleDuration: number;
+  region: string | undefined;
 }
 
 export class AssumeRoleProviderSource implements CredentialProviderSource {
@@ -64,9 +65,13 @@ export class AssumeRoleProviderSource implements CredentialProviderSource {
   protected async assumeRole(accountId: string, duration: number): Promise<aws.STS.AssumeRoleResponse> {
     const roleArn = `arn:aws:iam::${accountId}:role/${this.props.assumeRoleName}`;
     console.log(`Assuming role ${green(roleArn)} for ${duration} seconds`);
-
-    const sts = new aws.STS();
-    return throttlingBackOff(() =>
+    const region = this.props.region;
+    let endpoint;
+    if (region) {
+      endpoint = `sts.${region}.amazonaws.com`;
+    }
+    const sts = new aws.STS({ endpoint, region });
+    const assumeRoleResponse = await throttlingBackOff(() =>
       sts
         .assumeRole({
           RoleArn: roleArn,
@@ -75,5 +80,8 @@ export class AssumeRoleProviderSource implements CredentialProviderSource {
         })
         .promise(),
     );
+
+    console.log(assumeRoleResponse);
+    return assumeRoleResponse;
   }
 }

src/lib/common/src/aws/sts.ts

@@ -14,14 +14,22 @@
 import aws from './aws-client';
 import * as sts from 'aws-sdk/clients/sts';
 import { throttlingBackOff } from './backoff';
-
 export class STS {
   private readonly client: aws.STS;
   private readonly cache: { [roleArn: string]: aws.Credentials } = {};
 
   constructor(credentials?: aws.Credentials) {
+    let region;
+    let endpoint;
+    if (process.env.AWS_REGION) {
+      region = process.env.AWS_REGION;
+      endpoint = `sts.${process.env.AWS_REGION}.amazonaws.com`;
+    }
+
     this.client = new aws.STS({
       credentials,
+      region,
+      endpoint,
     });
   }