
Calamari - AWS Assume Role uses Global STS endpoint - Error Assuming Role in Opt-in Regions

Open FinnianDempsey opened this issue 9 months ago • 0 comments

Severity

not blocking, workaround exists

Version

2025.1.5569

Latest Version

I could reproduce the problem in the latest build

What happened?

When using an AWS Step template to assume another role, e.g. using an EC2 instance profile to assume another role, and an opt-in region such as ap-southeast-4 is specified, an error is shown indicating that AWS was unable to validate the credentials.

Reproduction

  • Configure an EC2 VM with an Instance Profile that allows it to assume another role, as an external Worker in Octopus

  • Configure an AWS CLI script step to assume that role and request resources from an opt-in region e.g. ap-southeast-4

  • See error

Error and Stacktrace

An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials

More Information

Internal Link - Slack

Workaround

The AWS IAM Account settings can be configured to allow the global STS endpoint to accept tokens from all regions, not just those enabled by default.

FinnianDempsey avatar Jan 17 '25 04:01 FinnianDempsey
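
A pre-flight check for the condition reported above, as an added example that is not part of the original issue or of Octopus/Calamari code. The function names `sts_token_verdict` and `live_check` are hypothetical; the check assumes the worker has permission to call `iam:GetAccountSummary` and `ec2:DescribeRegions`.

```shell
#!/usr/bin/env bash
# Added example (not Octopus/Calamari code). Function names are hypothetical.
#
# sts_token_verdict TOKEN_VERSION OPT_IN_STATUS STS_ENDPOINT
#   TOKEN_VERSION : SummaryMap.GlobalEndpointTokenVersion from
#                   `aws iam get-account-summary` (1 or 2)
#   OPT_IN_STATUS : OptInStatus of the target region from
#                   `aws ec2 describe-regions --all-regions`
#   STS_ENDPOINT  : "global" or "regional", i.e. which STS endpoint issued the
#                   temporary credentials (the case in this issue is "global")
# Prints one of: ok | rejected | region-disabled | unknown
sts_token_verdict() {
  local token_version=$1 opt_in_status=$2 sts_endpoint=$3
  case "$opt_in_status" in
    opt-in-not-required) echo ok; return ;;
    not-opted-in)        echo region-disabled; return ;;
    opted-in)            ;;
    *)                   echo unknown; return ;;
  esac
  # Opt-in region: tokens from a regional STS endpoint are valid everywhere;
  # tokens from the global endpoint are valid only as version 2 tokens.
  if [ "$sts_endpoint" = regional ] || [ "$token_version" = 2 ]; then
    echo ok
  elif [ "$sts_endpoint" = global ] && [ "$token_version" = 1 ]; then
    echo rejected
  else
    echo unknown
  fi
}

# live_check REGION [STS_ENDPOINT]: query the account and report the verdict.
live_check() {
  local region=$1 sts_endpoint=${2:-global} version status verdict
  version=$(aws iam get-account-summary \
    --query 'SummaryMap.GlobalEndpointTokenVersion' --output text) || return 2
  status=$(aws ec2 describe-regions --all-regions --region-names "$region" \
    --query 'Regions[0].OptInStatus' --output text) || return 2
  verdict=$(sts_token_verdict "$version" "$status" "$sts_endpoint")
  echo "$region: token_version=$version opt_in=$status sts=$sts_endpoint -> $verdict"
  if [ "$verdict" = rejected ]; then
    echo "workaround: aws iam set-security-token-service-preferences" \
         "--global-endpoint-token-version v2Token" >&2
  fi
  [ "$verdict" = ok ]
}

# Query a real account only when asked: ./check.sh --live ap-southeast-4
if [ "${1:-}" = "--live" ]; then live_check "${2:?region required}" "${3:-global}"; fi
```

Version 2 tokens are longer than version 1 tokens, so check any system that stores or truncates session tokens before changing the account setting.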