
When setting `AWS_STS_REGIONAL_ENDPOINTS=regional` it's using the region from the registry URL for STS.

ajohnstone opened this issue 4 months ago • 0 comments

Problem:

From region us-east-1 to ECR in eu-west-1.

When using `AWS_STS_REGIONAL_ENDPOINTS=regional` and pulling from another region, the regional endpoint used to authenticate to STS is based on the registry URL. STS should use the regional endpoint from us-east-1, not eu-west-1 where the image is based.

failed to get credential from AWS: operation error ECR: GetAuthorizationToken, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.eu-west-1.amazonaws.com/": Forbidden

See ParseRegistry https://github.com/fluxcd/pkg/blob/d15b989d113fd8c3792f19d8c0aaf31b156f552f/oci/auth/aws/auth.go#L157

Note: When setting IRSA, regional endpoints are injected for STS. This can be disabled with the annotation on the service account `eks.amazonaws.com/sts-regional-endpoints: "false"`. Unfortunately we cannot override the STS endpoint used, as it's sourced from the registry URL.

  • https://github.com/aws/amazon-eks-pod-identity-webhook

ajohnstone Feb 14 '24 12:02
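The resolution mistake described in this issue, as an added illustration that is not fluxcd's `ParseRegistry` or any other code from the project: `ParseECRRegistry`, `ResolveEndpoints` and the sample registry host with account `123456789012` are constructed for this example. The region parsed from the ECR registry host is the right one for the ECR API call, but the STS endpoint has to be built from the caller's own region (AWS_REGION); passing an empty caller region reproduces the fallback to the registry region reported above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
)

// ecrHost matches a private ECR registry host such as
// 123456789012.dkr.ecr.eu-west-1.amazonaws.com (constructed example).
var ecrHost = regexp.MustCompile(`^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$`)

// ParseECRRegistry returns the account ID and region encoded in the registry
// host. That region is only meaningful for the ECR API itself.
func ParseECRRegistry(host string) (account, region string, err error) {
	m := ecrHost.FindStringSubmatch(host)
	if m == nil {
		return "", "", errors.New("not a private ECR registry host: " + host)
	}
	return m[1], m[2], nil
}

// Endpoints holds the two regional endpoints a cross-region pull touches.
type Endpoints struct {
	ECR string // region taken from the registry host
	STS string // region must be the caller's own (e.g. AWS_REGION)
}

// ResolveEndpoints builds both endpoints. An empty callerRegion reproduces the
// reported bug: STS silently inherits the registry's region.
func ResolveEndpoints(registryHost, callerRegion string) (Endpoints, error) {
	_, ecrRegion, err := ParseECRRegistry(registryHost)
	if err != nil {
		return Endpoints{}, err
	}
	stsRegion := callerRegion
	if stsRegion == "" { // bug: no caller region, so the registry region leaks into STS
		stsRegion = ecrRegion
	}
	return Endpoints{
		ECR: fmt.Sprintf("https://api.ecr.%s.amazonaws.com", ecrRegion),
		STS: fmt.Sprintf("https://sts.%s.amazonaws.com", stsRegion),
	}, nil
}

func main() {
	host := "123456789012.dkr.ecr.eu-west-1.amazonaws.com" // constructed registry host
	buggy, _ := ResolveEndpoints(host, "")
	fixed, _ := ResolveEndpoints(host, os.Getenv("AWS_REGION")) // e.g. us-east-1 on the pod
	fmt.Printf("buggy STS: %s\nfixed STS: %s\n", buggy.STS, fixed.STS)
}
```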