steep-secretary-65224
11/07/2024, 7:52 PM
quick-house-41860
11/11/2024, 11:21 AM
eu-central-2 is one of them.
Those regions have one peculiarity: they're not accepting tokens from the global STS endpoint by default.
You can change that in AWS IAM:
IAM -> Account Settings -> Security Token Service (STS) -> Global endpoint
Can you check this setting? If it's set to "Valid only in AWS Regions enabled by default", try changing it to "All AWS Regions".
steep-secretary-65224
11/11/2024, 5:49 PM
aws:region config to have taken care of that (eg, just like AWS_REGION does), but i guess that's only used for the actual provider operations and not the setup phase of things
quick-house-41860
11/11/2024, 5:53 PM
aws:region is for the provider configuration. Having an extra configuration option for this in the oidc settings sounds like a good approach to me for this. Let me check with the team what they think about that
steep-secretary-65224
11/11/2024, 6:02 PM
aws:region by default. the other thing this impacts is the cloudtrail logs; the original AssumeRoleWithWebIdentity call shows up in us-east-1
(aka global endpoint) but then the actual operations show up in the region the provider is using. so that makes it a little harder to correlate those 2