Introduction
Prerequisites (if applicable)
- AWS EKS cluster running vault with AWS KMS autounseal
Overview
You want Vault to use the regional STS endpoint when it authenticates through IAM roles for service accounts for AWS KMS auto-unseal, but outbound internet access from the VPC in which Vault runs is restricted: the VPC can reach only the regional STS endpoint, not the global one.
Vault uses the official AWS SDK for the KMS seal. When no AWS-specific values are set in the seal stanza, the SDK looks for the specified credentials, environment credentials, shared-file credentials, and IAM role/ECS task credentials, in that order. Because the choice of STS endpoint is made inside the AWS SDK rather than by Vault, the setting has to be supplied where the SDK reads it (the process environment), not in Vault's own configuration.
Procedures
The recommended approach is to add the environment variable AWS_STS_REGIONAL_ENDPOINT=regional to the Vault server process.
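The following Helm values for the hashicorp/vault chart show one way to apply this on EKS; it is an added example, not configuration from the original article. The IAM role ARN, KMS key ID, region, and the AWS_REGION variable (set so the SDK knows which regional endpoint to build) are assumed placeholder values for a constructed deployment.

```yaml
# Added example: Vault Helm chart values for AWS KMS auto-unseal over the
# regional STS endpoint, using IAM roles for service accounts (IRSA).
server:
  serviceAccount:
    annotations:
      # Placeholder IRSA role; must allow kms:Encrypt, kms:Decrypt and
      # kms:DescribeKey on the unseal key.
      eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/PLACEHOLDER-vault-unseal
  extraEnvironmentVars:
    # Forces the AWS SDK inside Vault to call sts.<region>.amazonaws.com
    # instead of the global sts.amazonaws.com, which the VPC cannot reach.
    AWS_STS_REGIONAL_ENDPOINT: regional
    # Assumed: the region the SDK should use when building the regional endpoint.
    AWS_REGION: us-east-1
  ha:
    enabled: true
    raft:
      enabled: true
      config: |
        ui = true
        listener "tcp" {
          address     = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_disable = "true"
        }
        storage "raft" {
          path = "/vault/data"
        }
        # No access_key/secret_key here: credentials come from the IRSA
        # web identity token, exchanged with STS by the AWS SDK.
        seal "awskms" {
          region     = "us-east-1"
          kms_key_id = "PLACEHOLDER-KMS-KEY-ID"
        }
```

After the pods restart, confirm the variable is present with `kubectl exec <vault-pod> -- env | grep AWS_STS_REGIONAL_ENDPOINT` and check the Vault logs for a successful KMS unseal rather than a timeout reaching sts.amazonaws.com.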