From 2fdaffdedd82ced3ac000cfeb744b93f1cc49574 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Fri, 27 Sep 2024 16:50:08 +0100 Subject: [PATCH] More about regional STS endpoints Signed-off-by: Richard Wall --- .../release-notes/release-notes-1.16.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.16.md b/content/docs/releases/release-notes/release-notes-1.16.md index 96faf30a4e..9964837a03 100644 --- a/content/docs/releases/release-notes/release-notes-1.16.md +++ b/content/docs/releases/release-notes/release-notes-1.16.md @@ -42,7 +42,7 @@ This allows you to manage the CA with familiar tools such as trust-manager. Read the [Venafi Issuer](../../configuration/venafi.md#creating-a-venafi-trust-protection-platform-issuer) page to learn more. -### ACME Issuer Route53 Solver +### Route53 DNS01 Solver Cleanup The Route53 DNS01 solver code had become over-complicated due to its age and due to the variety of authentication methods that have been added over the years. 
@@ -63,6 +63,23 @@ Users who use IAM Roles for Service accounts or Pod Identity need not specify the region, but if your Issuer or ClusterIssuer does include a region (for the sake of satisfying the old API validation), that issuer region will be ignored, if the `AWS_REGION` environment variable is set. +cert-manager will now use regional STS endpoints, when using `AssumeRole` or when +using a dedicated Kubernetes ServiceAccount token. +The regional endpoint will be computed based on the Issuer `region` field, +or the `AWS_REGION` environment variable. +There are good reasons to use regional STS endpoints, summarized as follows in the blog post, +[How to use Regional AWS STS endpoints](https://aws.amazon.com/blogs/security/how-to-use-regional-aws-sts-endpoints/): + +> Although the global (legacy) AWS STS endpoint https://sts.amazonaws.com is highly available, it’s hosted in a single AWS Region—US East (N. Virginia)—and like other endpoints, it doesn’t provide automatic failover to endpoints in other Regions. + +> ℹ️ Regional STS endpoints were already being used with IAM Roles for Service Accounts (IRSA). +> +> 📖 Read [Manage AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +to learn which regions support STS +> +> 📖 Read [AWS STS Regional endpoints](https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html), +to learn how to configure the use of regional STS endpoints using environment variables. + Read the [ACME Issuer Route53](../../configuration/acme/dns01/route53.md) page to learn more. ### Memory Optimizations
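Review bot: In the first hunk, renaming the heading from "ACME Issuer Route53 Solver" to "Route53 DNS01 Solver Cleanup" also changes the generated anchor for that section, so any existing links to the old anchor in the docs or release announcements will silently break; please grep for references to the old heading text and update them in the same change, or keep the old title and add the new wording as a sub-heading.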
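Review bot: In the second hunk, the sentence "The regional endpoint will be computed based on the Issuer `region` field, or the `AWS_REGION` environment variable" leaves the precedence ambiguous, while the unchanged context line just above states that the issuer region "will be ignored, if the `AWS_REGION` environment variable is set"; suggest stating the order explicitly, e.g. "computed from the `AWS_REGION` environment variable if set, otherwise from the Issuer `region` field", so readers can predict which STS endpoint their credentials will be sent to. Two blockquote continuation lines also drop the `>` prefix ("to learn which regions support STS" and ", to learn how to configure the use of regional STS endpoints using environment variables."); they render via lazy continuation but are inconsistent with the surrounding `>` lines, and the first is missing its terminating period.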