aws-sdk-kotlin
StsWebIdentityCredentialsProvider does not respect AWS_ENDPOINT_URL_STS
Describe the bug
The StsWebIdentityCredentialsProvider that is part of the default credentials provider chain does not respect the AWS_ENDPOINT_URL_STS environment variable when fetching the credentials from STS.
Instead it will simply call the default AWS URL.
Expected behavior
When setting AWS_ENDPOINT_URL_STS I expect the SDK to use the specified STS URL for fetching credentials.
Current behavior
It uses the default AWS URL https://sts.us-west-2.amazonaws.com
Steps to Reproduce
- Set the AWS_ENDPOINT_URL_STS environment variable to a URL that should be called
- Set AWS_WEB_IDENTITY_TOKEN_FILE to a file containing some JWT
- Set AWS_ROLE_ARN to any valid role ARN
- Use SDK to call any service via STS Web Identity Token
- See that the URL specified above is not used for authentication
Possible Solution
When creating the STS client the finalizeConfig function of the StsClient is not called, which would take the endpointUrl from the environment variables.
Alternatively, allow passing my own StsClient to the credentials provider (this is possible in Java SDK)
Context
Our backend services use a service-mesh to call AWS services and we can only call them via HTTP, not HTTPS. Thus, we have to change the endpointUrl to use HTTP.
AWS Kotlin SDK version used
1.0.51
Platform (JVM/JS/Native)
JVM
Operating System and version
MacOS 14.3 (M1)
Thanks for the report, I can indeed see this would be an issue with any nested client of the default chain.
We'll have to look at what we want to do here.
If you are still having issues after this please feel free to @ me @nico1207