bugfix: sts-credential-providers (#3203)

Author: stobrien89

CHANGELOG.md

@@ -36,6 +36,7 @@ class AssumeRoleWithWebIdentityCredentialProvider
 
     /** @var integer */
     private $tokenFileReadAttempts;
+
     /** @var string */
     private $source;
 
@@ -72,15 +73,15 @@ public function __construct(array $config = [])
         $this->tokenFileReadAttempts = 0;
         $this->session = $config['SessionName']
             ?? 'aws-sdk-php-' . round(microtime(true) * 1000);
-        $region = $config['region'] ?? 'us-east-1';
+
         if (isset($config['client'])) {
             $this->client = $config['client'];
         } else {
-            $this->client = new StsClient([
-                'credentials' => false,
-                'region' => $region,
-                'version' => 'latest'
-            ]);
+            $region = $config['region']
+                ?? getEnv(CredentialProvider::ENV_REGION)
+                ?: null;
+
+            $this->client = $this->createDefaultStsClient($region);
         }
 
         $this->source = $config['source']
@@ -167,4 +168,34 @@ public function __invoke()
             );
         });
     }
+
+    /**
+     * @param string|null $region
+     *
+     * @return StsClient
+     */
+    private function createDefaultStsClient(
+        ?string $region
+    ): StsClient
+    {
+        if (empty($region)) {
+            $region = CredentialProvider::FALLBACK_REGION;
+            trigger_error(
+                'NOTICE: STS client created without explicit `region` configuration.' . PHP_EOL
+                . "Defaulting to {$region}. This fallback behavior may be removed." . PHP_EOL
+                . 'To avoid potential disruptions, configure a region using one of the following methods:' . PHP_EOL
+                . '(1) Pass `region` in the `$config` array when calling the provider,' . PHP_EOL
+                . '(2) Set the `AWS_REGION` environment variable.' . PHP_EOL
+                . 'OR provide an STS client in the `$config` array when creating the provider as `client`.' . PHP_EOL
+                . 'See: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/assume-role-with-web-identity-provider.html'
+                . PHP_EOL,
+                E_USER_NOTICE
+            );
+        }
+
+        return new StsClient([
+            'credentials' => false,
+            'region' => $region
+        ]);
+    }
 }

src/Credentials/AssumeRoleWithWebIdentityCredentialProvider.php

@@ -52,6 +52,8 @@ class CredentialProvider
     const ENV_SESSION = 'AWS_SESSION_TOKEN';
     const ENV_TOKEN_FILE = 'AWS_WEB_IDENTITY_TOKEN_FILE';
     const ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE';
+    public const ENV_REGION = 'AWS_REGION';
+    public const FALLBACK_REGION = 'us-east-1';
     public const REFRESH_WINDOW = 60;
 
     /**
@@ -102,7 +104,7 @@ public static function defaultProvider(array $config = [])
                 $config
             );
             $defaultChain['process_credentials'] = self::process();
-            $defaultChain['ini'] = self::ini();
+            $defaultChain['ini'] = self::ini(null, null, $config);
             $defaultChain['process_config'] = self::process(
                 'profile ' . $profileName,
                 self::getHomeDir() . '/.aws/config'
@@ -708,9 +710,6 @@ private static function loadRoleProfile(
         }
 
         if (empty($stsClient)) {
-            $sourceRegion = isset($profiles[$sourceProfileName]['region'])
-                ? $profiles[$sourceProfileName]['region']
-                : 'us-east-1';
             $config['preferStaticCredentials'] = true;
             $sourceCredentials = null;
             if (!empty($roleProfile['source_profile'])){
@@ -723,11 +722,13 @@ private static function loadRoleProfile(
                     $filename
                 );
             }
-            $stsClient = new StsClient([
-                'credentials' => $sourceCredentials,
-                'region' => $sourceRegion,
-                'version' => '2011-06-15',
-            ]);
+
+            $region = $profiles[$sourceProfileName]['region']
+                ?? $config['region']
+                ?? getEnv(self::ENV_REGION)
+                ?: null;
+
+            $stsClient = self::createDefaultStsClient($sourceCredentials, $region);
         }
 
         $result = $stsClient->assumeRole([
@@ -1026,5 +1027,37 @@ private static function getCredentialsFromSsoService($ssoProfile, $clientRegion,
         $ssoCredentials = $ssoResponse['roleCredentials'];
         return $ssoCredentials;
     }
+
+    /**
+     * @param CredentialsInterface $credentials
+     * @param string|null $region
+     *
+     * @return StsClient
+     */
+    private static function createDefaultStsClient(
+        CredentialsInterface $credentials,
+        ?string $region
+    ): StsClient
+    {
+        if (empty($region)) {
+            $region = self::FALLBACK_REGION;
+            trigger_error(
+                'NOTICE: STS client created without explicit `region` configuration.' . PHP_EOL
+                . "Defaulting to `{$region}`. This fallback behavior may be removed." . PHP_EOL
+                . 'To avoid potential disruptions, configure a `region` using one of the following methods:' . PHP_EOL
+                . '(1) Add `region` to your source profile in ~/.aws/credentials,' . PHP_EOL
+                . '(2) Pass `region` in the `$config` array when calling the provider,' . PHP_EOL
+                . '(3) Set the `AWS_REGION` environment variable.' . PHP_EOL
+                . 'See: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_assume_role.html#assume-role-with-profile'
+                . PHP_EOL,
+                E_USER_NOTICE
+            );
+        }
+
+        return new StsClient([
+            'credentials' => $credentials,
+            'region' => $region
+        ]);
+    }
 }
 

src/Credentials/CredentialProvider.php

@@ -833,7 +833,7 @@
  */
 class Sdk
 {
-    const VERSION = '3.357.3';
+    const VERSION = '3.358.0';
 
     /** @var array Arguments for creating clients */
     private $args;

src/Sdk.php

@@ -6,6 +6,7 @@
 use Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider;
 use Aws\Credentials\Credentials;
 use Aws\Exception\AwsException;
+use Aws\Middleware;
 use Aws\Result;
 use Aws\Sts\StsClient;
 use Aws\Sts\Exception\StsException;
@@ -153,6 +154,7 @@ public function testThrowsExceptionWhenReadingTokenFileFails()
         $this->expectException(\Aws\Exception\CredentialsException::class);
         $args['RoleArn'] = self::SAMPLE_ROLE_ARN;
         $args['WebIdentityTokenFile'] = '/foo';
+        $args['region'] = 'us-east-1';
         $provider = new AssumeRoleWithWebIdentityCredentialProvider($args);
         $provider()->wait();
     }
@@ -163,6 +165,7 @@ public function testThrowsExceptionWhenEmptyTokenFile()
         $tokenPath = $dir . '/emptyTokenFile';
         $args['WebIdentityTokenFile'] = $tokenPath;
         $args['RoleArn'] = self::SAMPLE_ROLE_ARN;
+        $args['region'] = 'us-east-1';
         file_put_contents($tokenPath, '');
 
         try {
@@ -396,4 +399,167 @@ public function testCanDisableInvalidIdentityTokenRetries()
             unlink($tokenPath);
         }
     }
+
+    /**
+     * Tests region precedence: config > env var > fallback
+     * @dataProvider regionPrecedenceProvider
+     */
+    public function testRegionPrecedence(
+        ?string $configRegion,
+        ?string $envRegion,
+        string $expectedRegion,
+        bool $expectNotice
+    ): void
+    {
+        $originalRegion = getenv('AWS_REGION');
+
+        if ($envRegion !== null) {
+            putenv("AWS_REGION={$envRegion}");
+        } else {
+            putenv("AWS_REGION");
+        }
+
+        $tokenFile = tempnam(sys_get_temp_dir(), 'token');
+        file_put_contents($tokenFile, 'test-token-content');
+
+        try {
+            $config = [
+                'RoleArn' => self::SAMPLE_ROLE_ARN,
+                'WebIdentityTokenFile' => $tokenFile,
+            ];
+
+            if ($configRegion !== null) {
+                $config['region'] = $configRegion;
+            }
+
+            if ($expectNotice) {
+                $this->expectNotice();
+                $this->expectNoticeMessage(
+                    'NOTICE: STS client created without explicit `region` configuration.'
+                );
+            }
+
+            $provider = new AssumeRoleWithWebIdentityCredentialProvider($config);
+
+            // Check region
+            $reflection = new \ReflectionClass($provider);
+            $clientProperty = $reflection->getProperty('client');
+            $stsClient = $clientProperty->getValue($provider);
+
+            $this->assertEquals($expectedRegion, $stsClient->getRegion());
+        } finally {
+            // Cleanup
+            unlink($tokenFile);
+
+            // Restore original AWS_REGION value
+            if ($originalRegion !== false) {
+                putenv("AWS_REGION={$originalRegion}");
+            } else {
+                putenv("AWS_REGION");
+            }
+        }
+    }
+
+    public function regionPrecedenceProvider(): array
+    {
+        return [
+            'config overrides env' => ['us-west-2', 'eu-west-1', 'us-west-2', false],
+            'env used when no config' => [null, 'eu-west-1', 'eu-west-1', false],
+            'fallback when neither' => [null, null, 'us-east-1', true],
+            'empty string uses fallback' => ['', null, 'us-east-1', true],
+        ];
+    }
+
+    /**
+     * Tests that correct endpoints are called
+     * @dataProvider endpointProvider
+     */
+    public function testEndpointSelection(
+        string $region,
+        string $expectedEndpoint
+    ): void
+    {
+        $tokenFile = tempnam(sys_get_temp_dir(), 'token');
+        file_put_contents($tokenFile, 'test-token-content');
+
+        $config = [
+            'RoleArn' => self::SAMPLE_ROLE_ARN,
+            'WebIdentityTokenFile' => $tokenFile,
+            'region' => $region
+        ];
+
+        $provider = new AssumeRoleWithWebIdentityCredentialProvider($config);
+
+        // Get the client via reflection
+        $reflection = new \ReflectionClass($provider);
+        $clientProperty = $reflection->getProperty('client');
+        $stsClient = $clientProperty->getValue($provider);
+
+        // Set up middleware to capture the endpoint
+        $capturedEndpoint = null;
+        $stsClient->getHandlerList()->appendBuild(
+            Middleware::tap(
+                function ($cmd, $req) use (&$capturedEndpoint) {
+                    $capturedEndpoint = (string) $req->getUri();
+                }
+            )
+        );
+
+        // Mock the STS response
+        $stsClient->getHandlerList()->setHandler(
+            function ($c, $r) {
+                $result = [
+                    'Credentials' => [
+                        'AccessKeyId'     => 'foo',
+                        'SecretAccessKey' => 'bar',
+                        'SessionToken'    => 'baz',
+                        'Expiration'      => DateTimeResult::fromEpoch(time() + 10)
+                    ],
+                    'AssumedRoleUser' => [
+                        'AssumedRoleId' => 'ARXXXXXXXXXXXXXXXXXXX:test_session',
+                        'Arn' => self::SAMPLE_ROLE_ARN . "/test_session"
+                    ]
+                ];
+                return Promise\Create::promiseFor(new Result($result));
+            }
+        );
+
+        try {
+            $provider()->wait();
+
+            $this->assertEquals(
+                $expectedEndpoint,
+                $capturedEndpoint,
+                "Failed asserting endpoint for region: {$region}"
+            );
+        } finally {
+            unlink($tokenFile);
+        }
+    }
+
+    public function endpointProvider(): array
+    {
+        return [
+            'us-east-1' => [
+                'region' => 'us-east-1',
+                'expectedEndpoint' => 'https://sts.us-east-1.amazonaws.com/'
+            ],
+            'us-west-2' => [
+                'region' => 'us-west-2',
+                'expectedEndpoint' => 'https://sts.us-west-2.amazonaws.com/'
+            ],
+            'eu-west-1' => [
+                'region' => 'eu-west-1',
+                'expectedEndpoint' => 'https://sts.eu-west-1.amazonaws.com/'
+            ],
+            'ap-southeast-1' => [
+                'region' => 'ap-southeast-1',
+                'expectedEndpoint' => 'https://sts.ap-southeast-1.amazonaws.com/'
+            ],
+            'sa-east-1' => [
+                'region' => 'sa-east-1',
+                'expectedEndpoint' => 'https://sts.sa-east-1.amazonaws.com/'
+            ]
+        ];
+    }
 }

tests/Credentials/AssumeRoleWithWebIdentityCredentialProviderTest.php

@@ -12,6 +12,7 @@
 use Aws\LruArrayCache;
 use Aws\Result;
 use Aws\SSO\SSOClient;
+use Aws\Sts\Exception\StsException;
 use Aws\Sts\StsClient;
 use Aws\Token\SsoTokenProvider;
 use Aws\Test\UsesServiceTrait;
@@ -688,6 +689,27 @@ public function testCreatesFromRoleArn(): void
         $this->assertFalse($creds->isExpired());
     }
 
+    public function testCreatesFromRoleArnEmitsNoticeOnFallbackRegion(): void
+    {
+        $this->expectNotice();
+        $this->expectNoticeMessage(
+            'NOTICE: STS client created without explicit `region` configuration'
+        );
+
+        $awsDir = $this->createAwsHome();
+        $ini = <<<EOT
+[default]
+aws_access_key_id = foo
+aws_secret_access_key = defaultSecret
+[assume]
+role_arn = arn:aws:iam::012345678910:role/role_name
+source_profile = default
+role_session_name = foobar
+EOT;
+        file_put_contents($awsDir . '/credentials', $ini);
+        call_user_func(CredentialProvider::ini('assume', null))->wait();
+    }
+
     public function testCreatesFromRoleArnCatchesCircular(): void
     {
         $this->expectExceptionMessage("Circular source_profile reference found.");