
AwsIamAuthentication fails with Credential should be scoped to a valid region when migrating from spring-vault-core 2.3.3 to 3.1.1 #871

Open
infa-kvaibhav opened this issue Jul 30, 2024 · 5 comments
Labels
status: ideal-for-contribution An issue that a contributor can help us with status: waiting-for-feedback We need additional information before we can continue

Comments

@infa-kvaibhav

I have upgraded from spring-vault-core 2.3.3 to 3.1.1 and am using AwsIamAuthentication:

```java
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;

public ClientAuthentication createClientAuthentication() {
    AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.create();
    AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
        .credentialsProvider(credentialsProvider)
        // I have tried adding this field in 3.1.1 as Vault and instances are in us-west-2
        .region(Region.US_WEST_2)
        .role(InfrastructureInfo.getInstance().getVaultRole())
        .build();
    return new AwsIamAuthentication(options, VaultUtils.getRestOptions());
}
```
Exception:

```
org.springframework.vault.authentication.VaultLoginException: Cannot login using AWS-IAM: error making upstream request: received error code 403 from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region.</Message>
  </Error>
  <RequestId>b38c3d6a-ae0a-4f08-b768-94ad7b53b82e</RequestId>
</ErrorResponse>
```

Java-17
SpringBoot-3.2.0
Spring Framework- 6.1.+

From CLI I am able to read data.
Vault v1.9.4

@infa-kvaibhav infa-kvaibhav changed the title AwsIamAuthentication AwsIamAuthentication fails with Credential should be scoped to a valid region when migrating from spring-vault-core 2.3.3 to 3.1.1 Jul 30, 2024
@mp911de
Member

mp911de commented Aug 7, 2024

We're signing requests with the v4 signer via:

```java
import software.amazon.awssdk.auth.signer.Aws4Signer;
import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;

Aws4Signer signer = Aws4Signer.create();
Aws4SignerParams signerParams = Aws4SignerParams.builder()
    .awsCredentials(credentials)   // AwsCredentials resolved from the configured provider
    .signingName("sts")            // service name that goes into the credential scope
    .signingRegion(region)         // Region from AwsIamAuthenticationOptions, also part of the credential scope
    .build();
```

Let us know if there's a mismatch somewhere. We can solve this issue only with the help of you or any AWS user; I'm not terribly familiar with the most recent AWS changes.

@mp911de mp911de added status: waiting-for-feedback We need additional information before we can continue status: ideal-for-contribution An issue that a contributor can help us with labels Aug 7, 2024
@infa-kvaibhav
Author

If I provide the region as US_EAST_1 it works, but providing any other region throws the same exception.

The following works:

```java
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;

AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
    .credentialsProvider(InstanceProfileCredentialsProvider.create())
    .region(Region.US_EAST_1)
    .role(InfrastructureInfo.getInstance().getVaultRole())
    .build();
```

FYI: I am in us-west-2.

@mp911de
Member

mp911de commented Aug 7, 2024

If you have arrangements that work, then this seems to be rather an infrastructure issue. In any case, we're not AWS users so we need support from someone that could help sort out the actual issue.

@infa-kvaibhav
Author

I can see a similar issue raised in the past: hvac/hvac#251.

In our case, even setting the endPointURI to https://sts.us-west-2.amazonaws.com is not working; it throws the same exception.

@mp911de
Member

mp911de commented Aug 7, 2024

Thanks for the pointer. What about sts_endpoint and sts_region in the Vault config? Do these correlate with your app config?
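The two threads of this discussion, the signer parameters mp911de quotes (signing name "sts" plus a signing region) and the question of whether Vault's sts_endpoint / sts_region match the client, come down to one SigV4 detail: the region is baked into the credential scope (`<date>/<region>/sts/aws4_request`) and into the derived signing key, and STS rejects a signature whose scope region does not match the endpoint that receives it. The global endpoint sts.amazonaws.com validates against us-east-1, which is consistent with the reporter's observation that only US_EAST_1 works; a regional endpoint such as sts.us-west-2.amazonaws.com requires a us-west-2 scope. The example below is added here and is not Spring Vault's or Vault's code: it re-implements SigV4 for the GetCallerIdentity POST that the aws auth method forwards, and adds a small consistency check between the signing region and the endpoint host. It assumes constructed dummy credentials, a fixed timestamp so the output is reproducible offline, and a naming heuristic for public STS hostnames (VPC endpoints and other hosts are reported as unknown).

```python
"""Added example (not Spring Vault's code): SigV4-sign the STS GetCallerIdentity
request that Vault's aws auth method forwards, and check that the credential
scope region matches the STS endpoint the request is addressed to."""
import datetime
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed dummy credentials and a fixed timestamp so the output is reproducible
# offline (assumption: these are not real AWS keys).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
FIXED_TIME = datetime.datetime(2024, 7, 30, 12, 0, 0, tzinfo=datetime.timezone.utc)
BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key. The region is mixed into the key, which is
    why a signature made for us-west-2 cannot verify under a us-east-1 scope."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_get_caller_identity(endpoint: str, region: str, when: datetime.datetime,
                             session_token: Optional[str] = None,
                             vault_server_id: Optional[str] = None) -> dict:
    """Return the headers of a signed POST GetCallerIdentity to `endpoint`,
    scoped to `region` (the same inputs the Aws4Signer call takes)."""
    host = urlparse(endpoint).netloc
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = when.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
    }
    if session_token:  # instance-profile / temporary credentials must also send their token
        headers["x-amz-security-token"] = session_token
    if vault_server_id:  # optional header Vault's aws auth method can be configured to require
        headers["x-vault-aws-iam-server-id"] = vault_server_id
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        canonical_headers, signed_headers,
        hashlib.sha256(BODY.encode("utf-8")).hexdigest(),
    ])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(SECRET_KEY, date, region, "sts"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def endpoint_region(endpoint: str) -> Optional[str]:
    """Region STS validates the credential scope against for this endpoint.
    The global endpoint sts.amazonaws.com only accepts us-east-1 scopes;
    sts.<region>.amazonaws.com requires that region. Unknown hosts -> None
    (assumption: public STS hostnames only; VPC endpoints are not parsed)."""
    host = urlparse(endpoint).netloc.lower()
    for suffix in (".amazonaws.com.cn", ".amazonaws.com"):
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            break
    else:
        return None
    if label == "sts":
        return "us-east-1"
    if label.startswith("sts."):
        return label[len("sts."):]
    return None


def scope_region(headers: dict) -> str:
    """Pull the region out of Credential=<key>/<date>/<region>/sts/aws4_request."""
    credential = headers["authorization"].split("Credential=", 1)[1].split(",", 1)[0]
    return credential.split("/")[2]


def scope_matches_endpoint(endpoint: str, headers: dict) -> bool:
    """False exactly in the situation that yields 'Credential should be scoped
    to a valid region': signing region != region the endpoint validates with."""
    return endpoint_region(endpoint) == scope_region(headers)


if __name__ == "__main__":
    for endpoint, region in [("https://sts.amazonaws.com", "us-west-2"),
                             ("https://sts.us-west-2.amazonaws.com", "us-west-2"),
                             ("https://sts.amazonaws.com", "us-east-1")]:
        hdrs = sign_get_caller_identity(endpoint, region, FIXED_TIME)
        print(endpoint, region, "scope ok" if scope_matches_endpoint(endpoint, hdrs) else "MISMATCH")
```

The practical check for the client side is that the region passed to the options builder and the endpoint the request is signed for (default global, or the one given via the endpoint option) agree; on the Vault side, the sts_endpoint / sts_region pair mp911de asks about has to agree with the same region, because it is Vault, not the application, that finally submits the signed request to STS. Instance-profile credentials carry a session token, so it must be sent and included in SignedHeaders, as the optional parameter above does.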
