In the AWS IAM web console, I can inspect and change an account’s STS endpoint compatibility.
IAM -> Account Settings -> Security Token Service (STS) -> Global endpoint
The two choices are:
- Valid only in AWS Regions enabled by default
- All AWS Regions
I would like to be able to query this setting from my Go application, but looking through both the iam and sts Go packages I have not found a call that appears to expose this setting.
Am I looking in the wrong places or is the setting buried somewhere that is not easily found? Any suggestions or recommendations would be appreciated.
2 Answers
I reached out to AWS support and got this, which directed me exactly to what I was looking for:
As described in the document [1], a value of the "Global endpoint" setting in the IAM console (IAM -> Account Settings -> Security Token Service (STS) -> Global endpoint) can be found in the GlobalEndpointTokenVersion entry in the response of GetAccountSummary API operation. The GlobalEndpointTokenVersion entry represents the following settings, respectively.
- 1: Valid only in AWS Regions enabled by default
- 2: All AWS Regions
For information on how to call the GetAccountSummary API with the AWS SDK for Go, please see the documentation [2].
[1] https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetSecurityTokenServicePreferences.html
To view the current session token version, see the GlobalEndpointTokenVersion entry in the response of the GetAccountSummary operation.
[2] https://docs.aws.amazon.com/sdk-for-go/api/service/iam/#IAM.GetAccountSummary
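The lookup described in the answer above, as an added Go example that is not part of the original answer and is not AWS code. It assumes the XML body shape of the IAM Query API response and a `map[string]int32` summary map; the sample response is constructed, and `parseSummary` and `globalEndpointSetting` are hypothetical names.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed sample of the XML body the IAM Query API returns, cut to two entries.
const sampleResponse = `<GetAccountSummaryResponse><GetAccountSummaryResult><SummaryMap>
  <entry><key>Users</key><value>32</value></entry>
  <entry><key>GlobalEndpointTokenVersion</key><value>1</value></entry>
</SummaryMap></GetAccountSummaryResult></GetAccountSummaryResponse>`

// parseSummary turns a GetAccountSummary XML body into a key/value map.
func parseSummary(body []byte) (map[string]int32, error) {
	var resp struct {
		Entries []struct {
			Key   string `xml:"key"`
			Value int32  `xml:"value"`
		} `xml:"GetAccountSummaryResult>SummaryMap>entry"`
	}
	if err := xml.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	m := make(map[string]int32, len(resp.Entries))
	for _, e := range resp.Entries {
		m[e.Key] = e.Value
	}
	return m, nil
}

// globalEndpointSetting maps the entry to the console wording (map type is an assumption).
func globalEndpointSetting(summary map[string]int32) (string, error) {
	v, ok := summary["GlobalEndpointTokenVersion"]
	switch {
	case !ok:
		return "", fmt.Errorf("GlobalEndpointTokenVersion missing from summary")
	case v == 1:
		return "Valid only in AWS Regions enabled by default", nil
	case v == 2:
		return "All AWS Regions", nil
	}
	return "", fmt.Errorf("unexpected GlobalEndpointTokenVersion %d", v)
}

func main() {
	m, _ := parseSummary([]byte(sampleResponse))
	fmt.Println(globalEndpointSetting(m))
}
```

When the summary comes from an SDK client instead of a raw response, only `globalEndpointSetting` is needed, after converting the SDK's summary map to this type if it differs.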
You are looking in the right place, but sometimes (not often) the console calls use undocumented calls or even use an unofficial API.
You can use the Chrome debugger to find that out.
Here is how I searched for something similar undocumented. Maybe that helps: https://www.tecracer.com/blog/2023/03/the-story-of-how-an-undocumented-api-call-became-an-official-one-list-deleted-secrets-from-aws-secrets-manager-with-the-cli.html