More about regional STS endpoints

Signed-off-by: Richard Wall <[email protected]>
cert-manager · Sep 27, 2024 · 2fdaffd · 2fdaffd
1 parent b6eded5
commit 2fdaffd
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/content/docs/releases/release-notes/release-notes-1.16.md b/content/docs/releases/release-notes/release-notes-1.16.md
@@ -42,7 +42,7 @@ This allows you to manage the CA with familiar tools such as trust-manager.
 
 Read the [Venafi Issuer](../../configuration/venafi.md#creating-a-venafi-trust-protection-platform-issuer) page to learn more.
 
-### ACME Issuer Route53 Solver
+### Route53 DNS01 Solver Cleanup
 
 The Route53 DNS01 solver code had become over-complicated due to its age and due
 to the variety of authentication methods that have been added over the years.
@@ -63,6 +63,23 @@ Users who use IAM Roles for Service accounts or Pod Identity need
 not specify the region, but if your Issuer or ClusterIssuer does include a region (for the sake of satisfying the old API validation),
 that issuer region will be ignored, if the `AWS_REGION` environment variable is set.
 
+cert-manager will now use regional STS endpoints, when using `AssumeRole` or when
+using a dedicated Kubernetes ServiceAccount token.
+The regional endpoint will be computed based on the Issuer `region` field,
+or the `AWS_REGION` environment variable.
+There are good reasons to use regional STS endpoints, summarized as follows in the blog post,
+[How to use Regional AWS STS endpoints](https://aws.amazon.com/blogs/security/how-to-use-regional-aws-sts-endpoints/):
+
+> Although the global (legacy) AWS STS endpoint https://sts.amazonaws.com is highly available, it’s hosted in a single AWS Region—US East (N. Virginia)—and like other endpoints, it doesn’t provide automatic failover to endpoints in other Regions.
+
+> ℹ️ Regional STS endpoints were already being used with IAM Roles for Service Accounts (IRSA).
+>
+> 📖 Read [Manage AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+to learn which regions support STS
+>
+> 📖 Read [AWS STS Regional endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html),
+to learn how to configure the use of regional STS endpoints using environment variables.
+
 Read the [ACME Issuer Route53](../../configuration/acme/dns01/route53.md) page to learn more.
 
 ### Memory Optimizations