Teri Radichel

Summary

The website content describes an AWS user's encounter with a misleading RegionDisabledException error when attempting to use the AssumeRole operation, and their subsequent troubleshooting process to identify the actual issue related to network configurations and private VPC endpoints.

Abstract

The author of the web content experienced an error message (RegionDisabledException) suggesting that STS (Security Token Service) was not activated in a specific region for their AWS account. Despite the error's indication, the author found that STS was indeed enabled and that the error was not accurate. The troubleshooting process involved checking for Service Control Policies (SCPs), verifying network access to STS endpoints, and testing commands in AWS CloudShell. The author discovered that the error was likely due to networking issues within their VPC, particularly with private VPC endpoints, and not due to STS being disabled. They suggest that AWS should provide more accurate error messages to aid in quicker diagnosis and resolution of such issues.

Opinions

  • The author initially suspected service control policies or regional restrictions as the cause of the error but ruled them out after investigation.
  • They believe that the error message was misleading, as it suggested a problem with STS activation when the actual issue was related to network configurations.
  • The author emphasizes the importance of being able to override the region in AWS CLI commands and questions whether this functionality might be inconsistent across different AWS services or commands.
  • They suggest that the error could be related to the AWS CLI using a different region than intended, or STS attempting to use an endpoint in a region that is not accessible from the user's network.
  • The author provides guidance on how to check which regions have STS enabled in an AWS account and within SCPs.
  • They share their findings that the issue might be connected to AWS service endpoints and VPC endpoints, which could block STS operations in certain scenarios like Lambda functions or containers running in a VPC.
  • The author expresses a desire for AWS to improve the accuracy of their error messages to better reflect the underlying problems, thereby facilitating easier troubleshooting for users.

An error occurred (RegionDisabledException) when calling the AssumeRole operation: STS is not activated in this region for account:xxxxxxxxx. Your account administrator can activate STS in this region using the IAM Console.

This error message is not always accurate


Just got this error. The reason stated in the error message does not seem to be accurate. But read on.

An error occurred (RegionDisabledException) when calling the AssumeRole operation: STS is not activated in this region for account:xxxxxxxxx. Your account administrator can activate STS in this region using the IAM Console.

I thought this error had something to do with service control policies since you can’t disable STS in certain regions. However, that is not the case because I’m now getting this in an account with no SCPs.

There is no restriction on the region where I am getting this error in the account in question either. I can prove that because I can open up AWS CloudShell in that region and run aws sts get-caller-identity and it works.

I’m using credentials in another account and requiring MFA to assume a role. This has always worked in the past. Why is it not working now?

In the past when I got this error, I tried hard coding the region us-east-1 into the command and I realized it was using the region from the AWS CLI configuration instead. Here’s what I wrote:

Perhaps I had a typo in the region portion of the CLI command, but shouldn’t that have thrown an error if so? Or is overriding the region not working for all route53 commands? Not sure.

So as I’m working on this I realize that I’m trying to access us-east-2, which is allowed in my network. However, is STS trying to use us-east-1 behind the scenes? Because maybe it can’t get to that endpoint on the network somehow. I try to override us-east-2 with us-east-1 in an assume-role command and the request times out.

I ended up copying the code over to CloudShell in the account where the credentials originate and everything works fine. Therefore this is an erroneous error message and I presume it has to do with networking and private VPC endpoints on my VPC and subnets where I’m using the host that is trying to run the commands. I wish the error message would be adjusted to be more accurate.
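The checks the post walks through (run the STS call with an explicit region, try the region STS may be falling back to, and see whether each endpoint is reachable from the host at all) as one small POSIX shell diagnostic. This is an added example, not the author's script: the profile and region arguments are whatever you pass in, and it assumes the AWS CLI and curl are on the path. The one fact it leans on that the post only guesses at is that the legacy "global" STS endpoint, sts.amazonaws.com, is served out of us-east-1, while an STS interface VPC endpoint only covers the regional hostname sts.<region>.amazonaws.com, so a host with no route to the public internet can reach the regional endpoint and still time out on the global one, which the CLI then reports as a RegionDisabledException or a connect timeout depending on where it fails.

```shell
#!/bin/sh
# Diagnostic for the misleading RegionDisabledException discussed above.
# Constructed example, not the author's code. Assumes: aws CLI + curl installed,
# a named profile with working credentials, and the regions you want to test.

# Map a region name to the STS hostname the CLI will talk to.
# "global" stands for the legacy sts.amazonaws.com endpoint, served from us-east-1.
sts_endpoint_for_region() {
  case "$1" in
    global|aws-global) echo "sts.amazonaws.com" ;;
    cn-*)              echo "sts.$1.amazonaws.com.cn" ;;
    *)                 echo "sts.$1.amazonaws.com" ;;
  esac
}

# Sort an AWS CLI error line into the three cases that matter for this bug.
# Prints one of: region-disabled-claimed, network, other
classify_sts_error() {
  if printf '%s' "$1" | grep -q 'RegionDisabledException'; then
    echo "region-disabled-claimed"
  elif printf '%s' "$1" | grep -qiE 'timeout|Could not connect to the endpoint'; then
    echo "network"
  else
    echo "other"
  fi
}

# Can this host complete a TLS connection to the endpoint? An HTTP 4xx still
# counts as reachable; only a failed/timed-out connection returns non-zero.
sts_endpoint_reachable() {
  curl -sS -m 5 -o /dev/null "https://$1/" >/dev/null 2>&1
}

# Run get-caller-identity against an explicit region and classify the outcome.
# Usage: probe_region <profile> <region>
probe_region() {
  profile="$1"; region="$2"
  if out=$(aws sts get-caller-identity --profile "$profile" --region "$region" 2>&1); then
    echo "$region: OK ($(printf '%s' "$out" | tr -d '\n' | cut -c1-60)...)"
    return 0
  fi
  echo "$region: $(classify_sts_error "$out") -> $out"
  return 1
}

# Usage: diagnose <profile> <region> [region ...]
# Always also tests the global endpoint, since that is the one a VPC endpoint does not cover.
diagnose() {
  profile="$1"; shift
  for region in "$@" global; do
    host=$(sts_endpoint_for_region "$region")
    if sts_endpoint_reachable "$host"; then
      echo "$host: reachable from this host"
    else
      echo "$host: NOT reachable from this host (VPC endpoint / egress rules?)"
    fi
    [ "$region" = global ] || probe_region "$profile" "$region" || true
  done
  echo "Tip: AWS_STS_REGIONAL_ENDPOINTS=regional makes the CLI use sts.<region> instead of the global endpoint."
}

# Run only when invoked with arguments, e.g.: sh sts-diag.sh myprofile us-east-2 us-east-1
if [ $# -gt 0 ]; then
  diagnose "$@"
fi
```

If the regional hostname is reachable but sts.amazonaws.com is not, the "STS is not activated in this region" text is a red herring and the fix is on the network side (an STS interface endpoint in the subnet, or pinning the CLI to regional endpoints with `sts_regional_endpoints = regional` in the profile or the AWS_STS_REGIONAL_ENDPOINTS variable). If both are unreachable, the host has no path to STS at all and the error is simply misreported.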

If you want to check which regions are enabled in an account:

If you are unfamiliar with the STS region enabling section of the AWS console head over to IAM and click account settings on the left and scroll down.

If you want to check which regions are enabled in your Service Control Policies:

For SCPs that limit access to specific regions for your entire organization (instead of on an account by account basis) check this out:

Kind of figured out what is causing this here:

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
