When setting `AWS_STS_REGIONAL_ENDPOINTS=regional` it's using the region from the registry URL for STS. #734

@ajohnstone

Problem:

From region us-east-1 to ECR in eu-west-1.

When using `AWS_STS_REGIONAL_ENDPOINTS=regional` and pulling from another region, the regional endpoint used to authenticate to STS is based on the registry URL. STS should use the regional endpoint from us-east-1, not eu-west-1 where the image is based.

```
failed to get credential from AWS: operation error ECR: GetAuthorizationToken, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 0, Request ID:, request send failed, Post "https://sts.eu-west-1.amazonaws.com/":
Forbidden
```

See `ParseRegistry`:

```go
_, awsEcrRegion, ok := ParseRegistry(registryURL)
```

Note:
When setting IRSA, regional endpoints are injected for STS.
This can be disabled with the annotation on the service account `eks.amazonaws.com/sts-regional-endpoints: "false"`.
Unfortunately we cannot override the STS endpoint used, as it's sourced from the registry URL.
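To make the two regions in play explicit, here is an added example (not the project's code): the registry URL yields the ECR region, while the STS regional endpoint is derived from the caller's own region. `parseECRRegistry` is a hypothetical stand-in for the project's `ParseRegistry`, and the handling of `AWS_STS_REGIONAL_ENDPOINTS` / `AWS_REGION` values is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Standard ECR registry host: <account-id>.dkr.ecr.<region>.amazonaws.com
// (a scheme prefix and an image path are tolerated).
var ecrRegistryRe = regexp.MustCompile(
	`^(?:https?://)?(\d{12})\.dkr\.ecr(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(?:/.*)?$`)

// parseECRRegistry returns the account ID and region encoded in an ECR registry
// URL. Hypothetical stand-in for the project's ParseRegistry, written for this example.
func parseECRRegistry(registryURL string) (account, region string, err error) {
	m := ecrRegistryRe.FindStringSubmatch(registryURL)
	if m == nil {
		return "", "", fmt.Errorf("not an ECR registry URL: %q", registryURL)
	}
	return m[1], m[2], nil
}

// stsRegion picks the region for the STS client. With
// AWS_STS_REGIONAL_ENDPOINTS=regional the call must go to the caller's own
// region (AWS_REGION, or the value IRSA injects), never to the region parsed
// from the registry URL. Legacy mode uses the global endpoint (us-east-1).
func stsRegion(endpointsMode, callerRegion string) (string, error) {
	switch endpointsMode {
	case "regional":
		if callerRegion == "" {
			return "", fmt.Errorf("AWS_STS_REGIONAL_ENDPOINTS=regional requires AWS_REGION")
		}
		return callerRegion, nil
	case "", "legacy":
		return "us-east-1", nil
	default:
		return "", fmt.Errorf("unsupported AWS_STS_REGIONAL_ENDPOINTS value %q", endpointsMode)
	}
}

// resolveRegions returns (ecrRegion, stsRegion) for one pull: ECR is addressed
// in the registry's region, STS in the caller's region.
func resolveRegions(registryURL, endpointsMode, callerRegion string) (ecrReg, stsReg string, err error) {
	if _, ecrReg, err = parseECRRegistry(registryURL); err != nil {
		return "", "", err
	}
	stsReg, err = stsRegion(endpointsMode, callerRegion)
	return ecrReg, stsReg, err
}
```

For the scenario in this issue (caller in us-east-1, image in eu-west-1) the ECR client should resolve to eu-west-1 and the STS client to us-east-1.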
