saml2aws login generating v1Token instead of v2Token unless explicitly specified region is ap-east-1
After enabling ap-east-1 and setting GlobalEndpointTokenVersion to 2, the token generated when logging in is still in v1Token format.
Assuming role to access resources in ap-east-1 fails via SDK but works via CLI.
This issue is only resolved when explicitly setting region to ap-east-1 during login and v2Token will be generated.
Is there a way to recognise that GlobalEndpointTokenVersion is set to 2 and generate v2Token by default?
I'm having a similar problem with ap-east-1. I am unable to run aws sts get-caller-identity --region ap-east-1 successfully. I've written the script below to investigate the regions that failed. It appears only ap-east-1 among non-disabled regions fails:
```sh
#!/bin/sh
# List every region that is not disabled for this account (opt-in regions
# such as ap-east-1 are included once enabled) and probe each one with STS.
regions=$(aws account list-regions | jq -r '.Regions[] | select(.RegionOptStatus != "DISABLED") | .RegionName')
for region in $regions
do
  echo "$region"
  aws sts get-caller-identity --region "$region"
done
```
outputs:

```text
ap-east-1
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
ap-northeast-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
ap-northeast-2
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
ap-northeast-3
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
ap-south-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
ap-southeast-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
ap-southeast-2
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
ca-central-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
eu-central-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
eu-north-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
eu-west-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
eu-west-2
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
eu-west-3
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
sa-east-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
us-east-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
us-east-2
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
us-west-1
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
us-west-2
{
"UserId": "<redacted>",
"Account": "<redacted-account-id>",
"Arn": "<redacted-role-arn>"
}
```
I suspect that this is an issue with the beginning of an array, as opposed to ap-east-1 as a key. I.e. ap-east-1 probably suffers from this because it is at the beginning of a region list.
Simple workaround is running:

```sh
saml2aws login -r ap-east-1
```

instead of:

```sh
saml2aws login
```
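A way to turn the probe above into a pass/fail check, as an added example (not code from the saml2aws project or from the commenters): after logging in with the workaround, run it against every region the session is expected to work in; it reports each region that rejects the token, with the STS error code, and exits non-zero so it can gate a pipeline. It assumes the `aws` CLI is on the PATH and that the error line has the CLI's usual `An error occurred (CODE) when calling ...` shape.

```shell
#!/bin/sh
# Probe one region with the current credentials.
# Prints "ok", or the STS error code (e.g. InvalidClientTokenId) on failure.
probe_region() {
  region=$1
  if out=$(aws sts get-caller-identity --region "$region" 2>&1); then
    echo ok
  else
    # Pull CODE out of "An error occurred (CODE) when calling ...".
    code=$(printf '%s\n' "$out" | sed -n 's/.*An error occurred (\([A-Za-z]*\)).*/\1/p')
    echo "${code:-UnknownError}"
  fi
}

# Probe every region passed as an argument. Prints "region: code" for each
# failure and returns 1 if any region failed. A token issued by the global
# STS endpoint (v1) typically surfaces here as InvalidClientTokenId in an
# opt-in region such as ap-east-1, while regional (v2) tokens pass everywhere.
probe_regions() {
  failed=0
  for r in "$@"; do
    result=$(probe_region "$r")
    if [ "$result" != ok ]; then
      echo "$r: $result"
      failed=1
    fi
  done
  return $failed
}
```

Typical use after `saml2aws login -r ap-east-1` is `probe_regions ap-east-1 us-east-1 eu-west-1`; an empty report and a zero exit status mean the session token is accepted in all of them.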