AWSSecurityTokenServiceClientBuilder in aws-java-sdk-sts does not use the region endpoint when supplied region

[dlabey]

When using the AWSSecurityTokenServiceClientBuilder and supplying a region (withRegion), the STS global endpoint is still used (sts.amazonaws.com). The region endpoint should be used when supplied with a region so the client detects the VPC Interface Endpoint if the account is configured for one in that region.

Describe the bug

Constructed a client with the region of US-WEST-2 for STS and the global endpoint is still used.
return AWSSecurityTokenServiceClientBuilder.standard() .withRegion(Regions.US_WEST_2) .build();

Expected Behavior

Region endpoint is used (sts.us-west-2.amazonaws.com).

Current Behavior

Global endpoint is used (sts.amazonaws.com).

Steps to Reproduce

Constructor and STS client and see the global endpoint being used.
return AWSSecurityTokenServiceClientBuilder.standard() .withRegion(Regions.US_WEST_2) .build();

Possible Solution

Fix the SDK so the regional endpoint is used.

Context

Regional endpoint has to manually be used, which is what is needed to use VPC Interface Endpoint.

Your Environment

Java 8, AWS Lambda

[dlabey]

It would be nice if the default client or standard client used the region endpoint which is what seems some other services do.

[debora-ito]

@dlabey If you're using SDK version 1.11.658 or greater, to make the STS client use the regional endpoint you need to set an option in .aws/config file to regional:

sts_regional_endpoints = regional

or set as an environment variable:

AWS_STS_REGIONAL_ENDPOINTS regional

Besides the Shared Configuration and Credentials Reference Guide I couldn't find a documentation page about this new flag that is easily discoverable, so I'll mark this as a documentation we can improve.

[dlabey]

Hello, thank you for this, I will make the change using the environment variable.

[debora-ito]

We rewrote the changelog entry to add a link to the regional setting documentation page, and we are trying to increase the visibility of that particular Reference Guide.

Closing this, feel free to reach out if you have any additional questions.

[github-actions]

COMMENT VISIBILITY WARNING

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[ChrisCollinsIBM]

Since this relates to the STS calls specifically, has any consideration been made to making the regional endpoint configuration part of the AWSSecurityTokenServiceClientBuilder?

Global settings are frustrating in systems that connect to multiple places, and not being able to set this programmatically within Java is somewhat limiting, ideally this would at least be a java system property rather than an OS environment variable.