
Enable WebIdentityTokenCredentialsProvider to use custom STS endpoint #2343

Closed
joelthompson opened this issue May 29, 2020 · 8 comments
Labels
feature-request A feature should be added or improved.

Comments

@joelthompson

joelthompson commented May 29, 2020

Describe the Feature

When using the WebIdentityTokenCredentialsProvider I would like to control which STS endpoint the sts:AssumeRoleWithWebIdentity call uses. Currently, it always uses the global STS endpoint.

Is your Feature Request related to a problem?

We want to use IAM Roles for Service Accounts for our Kubernetes pods to get AWS credentials, but we don't want our pods to have access to the public internet. Instead, we want our pods to make the sts:AssumeRoleWithWebIdentity call over regional STS VPC endpoints (which have policies on them!). This isn't possible without configuring the SDK to use the regional STS VPCEs and then forcing DNS resolution for the regional STS endpoint to go to the VPCE hostname (e.g., with private DNS enabled).

The reason is that WebIdentityTokenCredentialsProvider, under the hood, just uses a largely default AWSSecurityTokenServiceClientBuilder to construct an STS client, without any endpoint specification:

    return AWSSecurityTokenServiceClientBuilder.standard()
        .withClientConfiguration(clientConfiguration)
        .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
        .build();

Proposed Solution

A few different options would help:

  1. Change the behavior of STSAssumeRoleWithWebIdentitySessionCredentialsProvider to read a new environment variable, e.g., AWS_STS_DEFAULT_ENDPOINT, and, if set, configure the STS client to use that as the endpoint. Then, we can just configure our pods with our STS VPCE hostname in that environment variable.
  2. Change WebIdentityTokenCredentialsProvider to provide an option to configure the STS endpoint to use. This is less attractive as it requires code changes in clients, and while we can change our own code, we won't be able to configure any third-party products/tools to use this.

Describe alternatives you've considered

Set the AWS_STS_REGIONAL_ENDPOINTS environment variable to regional on our pods and either turn on private DNS for our VPCE or use something like CoreDNS's rewrite option to rewrite the DNS request to our VPCE DNS name. The downside here is that we can only have a single VPCE, with a single policy, when in some cases we might want different workloads to use different VPCEs with different policies.

Additional Context

Your Environment

We're running on EKS.

@joelthompson joelthompson added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 29, 2020
@artemsablin

artemsablin commented Jun 16, 2020

While we're waiting on this, here's a workaround for EKS to get sts.amazonaws.com resolved to a local address:

  • enable private DNS for your STS VPC endpoint

  • patch your coredns configmap like so, replacing the us-east-1 region with yours:

    .:53 {
        errors
        health
        rewrite name sts.amazonaws.com sts.us-east-1.amazonaws.com
        kubernetes cluster.local in-addr.arpa ip6.arpa {
          pods insecure
          upstream
          fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }

@debora-ito debora-ito removed the needs-triage This issue or PR still needs to be triaged. label Jun 24, 2020
@debora-ito
Member

Marking as a feature request.

@gillius

gillius commented Mar 23, 2021

This looks like it might be working. On a hunch I tried setting the AWS_STS_DEFAULT_ENDPOINT environment variable since it worked with CLI and it appears to work with Java SDK as well. And I found some source code that appears to implement it: https://github.com/aws/aws-sdk-java/blob/1.11.976/aws-java-sdk-sts/src/main/java/com/amazonaws/services/securitytoken/RegionalEndpointsOptionResolver.java

@tasktop-teho

Following the suggestion from @gillius, I couldn't get AWS_STS_DEFAULT_ENDPOINT to work. However, I was able to set the environment variable AWS_STS_REGIONAL_ENDPOINTS=regional to use the regional endpoints.

@diegooliveirazup

Hi @joelthompson, how did you solve this question? I'm in the same scenario here.

@joelthompson
Author

Setting AWS_STS_REGIONAL_ENDPOINTS=regional and turning on VPC endpoint private DNS has been enough for now.

@debora-ito
Member

We don't have plans to support this in v1 before going into Maintenance Mode. A workaround is described in the above comment from @joelthompson.

Java SDK v2 already supports custom STS clients in the StsWebIdentityTokenFileCredentialsProvider, so try the Java SDK v2 out and let us know if you have questions by creating an issue in the v2 repo.

Reference:

  • Announcing end-of-support for AWS SDK for Java v1.x effective December 31, 2025 - blog post
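
As an added example (not code from this issue or from the SDK maintainers), this is how the v2 provider mentioned above accepts a custom STS client, so the AssumeRoleWithWebIdentity call is pinned to a regional interface endpoint and the endpoint policy on that VPCE applies to it. The class name, the VPC endpoint hostname and the session name are placeholders; the environment variable names are the ones IRSA injects into a pod.

```java
import java.net.URI;
import java.nio.file.Paths;

import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsWebIdentityTokenFileCredentialsProvider;

// Hypothetical class name; not part of the SDK.
public final class PrivateStsCredentials {
    // Placeholder interface-endpoint hostname; take the real one from the VPCE's DNS names.
    // With private DNS enabled on the endpoint (the workaround used in this thread),
    // "https://sts.us-east-1.amazonaws.com" resolves there as well and works too.
    static final URI STS_VPCE_ENDPOINT =
            URI.create("https://vpce-0123456789abcdef0-example.sts.us-east-1.vpce.amazonaws.com");
    static final Region REGION = Region.US_EAST_1;

    /** Builds a provider whose AssumeRoleWithWebIdentity call goes only to stsEndpoint. */
    static AwsCredentialsProvider buildProvider(URI stsEndpoint, Region region) {
        // AssumeRoleWithWebIdentity is an unsigned call, so the STS client is anonymous;
        // endpointOverride replaces the global endpoint with the private one.
        StsClient sts = StsClient.builder()
                .region(region)
                .endpointOverride(stsEndpoint)
                .credentialsProvider(AnonymousCredentialsProvider.create())
                .build();

        // AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are the variables IRSA injects
        // into the pod; the session name is a constructed value.
        return StsWebIdentityTokenFileCredentialsProvider.builder()
                .stsClient(sts)
                .roleArn(System.getenv("AWS_ROLE_ARN"))
                .webIdentityTokenFile(Paths.get(System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE")))
                .roleSessionName("pod-example-session")
                .build();
    }

    public static void main(String[] args) {
        // Every service client built with this provider fetches its credentials over the VPCE.
        try (S3Client s3 = S3Client.builder()
                .region(REGION)
                .credentialsProvider(buildProvider(STS_VPCE_ENDPOINT, REGION))
                .build()) {
            s3.listBuckets().buckets().forEach(b -> System.out.println(b.name()));
        }
    }
}
```

Because the STS client is supplied explicitly, the AWS_STS_REGIONAL_ENDPOINTS and DNS-rewrite workarounds from earlier in the thread are not needed for this provider, and different workloads can point at different VPCEs with different policies.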

@debora-ito debora-ito closed this as not planned Won't fix, can't repro, duplicate, stale Jul 26, 2024