# aws
s
x-posting this from #C02DM3GH4TY since maybe some folks with AWS context might be able to help https://pulumi-community.slack.com/archives/C02DM3GH4TY/p1731008709581819
q
Hey @steep-secretary-65224, if you do not specify a region, STS will use the global endpoint, which is located in us-east-1. This is not Pulumi-specific behavior, but general AWS behavior. STS is a global service; the regional tokens are usually just for having better latencies. This is true except for the newer "opt-in required" AWS regions. Those are regions that are not automatically enabled in your account. `eu-central-2` is one of them. Those regions have one peculiarity: they're not accepting tokens from the global STS endpoint by default. You can change that in AWS IAM: IAM -> Account Settings -> Security Token Service (STS) -> Global endpoint. Can you check this setting? If it's set to `Valid only in AWS Regions enabled by default`, try changing it to `All AWS Regions`.
s
@quick-house-41860 wow, that's really unexpected behavior on AWS' part 🤦 from the pulumi side, i was expecting the `aws:region` config to have taken care of that (eg, just like `AWS_REGION` does), but i guess that's only used for the actual provider operations and not the setup phase of things
q
Yeah, `aws:region` is for the provider configuration. Having an extra configuration option for this in the OIDC settings sounds like a good approach to me. Let me check with the team what they think about that.
s
@quick-house-41860 thanks! 99% of the time, it probably doesn't matter, but when it does, it's totally non-obvious. IMHO, it would make the most sense for y'all to use the regional endpoint that matches the `aws:region` by default. the other thing this impacts is the CloudTrail logs; the original `AssumeRoleWithWebIdentity` call shows up in `us-east-1` (aka the global endpoint) but then the actual operations show up in the region the provider is using. so that makes it a little harder to correlate those 2