Vault STS regional configuration error

Hi, please could you assist with the following behaviour in Vault?

I’m not sure if this is a bug or just a config issue.

Client config:

/ $ vault read auth/aws/config/client
Key                           Value
---                           -----
access_key                    n/a
allowed_sts_header_values     <nil>
endpoint                      n/a
iam_endpoint                  n/a
iam_server_id_header_value    n/a
max_retries                   -1
sts_region                    us-east-1
use_sts_region_from_client    true

Using the client config above we receive the error:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method.

Our request headers contain the following:

[Authorization, AWS4-HMAC-SHA256 Credential=..../us-east-1/sts/aws4_request, SignedHeaders=conte...

If I change our request headers to


I do not see the error and the request completes successfully.

There are quite a few related issues in GitHub but nothing to help resolve this issue (as you can see, I’ve applied the sts_endpoint and sts_region configurations).

Our configured roles use iam as the auth_type and have bound_iam_principal_arn and bound_iam_principal_id set.

If this wasn’t working using the global STS host I would think I was missing some additional client config, e.g. iam_endpoint.

Can anyone suggest something to help with this issue?
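
One check that can be run on a request like the one in this post, added here as an example (it is not part of the original post and not Vault's code): parse the SigV4 Authorization header and compare the region in its credential scope with the region of the STS host the request is addressed to, since the signature is computed over that scope. The sample header, the function names and the restriction to standard `sts.amazonaws.com` / `sts.<region>.amazonaws.com` hostnames are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Layout of a SigV4 Authorization header value:
#   AWS4-HMAC-SHA256 Credential=<key id>/<yyyymmdd>/<region>/<service>/aws4_request,
#   SignedHeaders=<h1;h2;...>, Signature=<64 hex chars>
SIGV4_RE = re.compile(
    r"AWS4-HMAC-SHA256\s+Credential=(?P<key_id>[^/,\s]+)/(?P<date>\d{8})/"
    r"(?P<region>[^/,\s]+)/(?P<service>[^/,\s]+)/aws4_request,\s*"
    r"SignedHeaders=(?P<signed>[^,\s]+),\s*Signature=(?P<signature>[0-9a-f]{64})"
)
STS_HOST_RE = re.compile(r"sts\.(?P<region>[a-z0-9-]+)\.amazonaws\.com")

# Constructed sample (placeholder key id, all-zero signature), not taken from the post.
SAMPLE_AUTHORIZATION = (
    "AWS4-HMAC-SHA256 Credential=EXAMPLEKEYID/20240101/us-east-1/sts/aws4_request, "
    "SignedHeaders=content-length;content-type;host;x-amz-date, "
    "Signature=" + "0" * 64
)

def parse_sigv4(authorization):
    """Split a SigV4 Authorization value into its credential-scope fields."""
    m = SIGV4_RE.fullmatch(authorization.strip())
    if m is None:
        raise ValueError("not a SigV4 Authorization header")
    fields = m.groupdict()
    fields["signed"] = fields["signed"].split(";")
    return fields

def sts_host_region(url):
    """Region implied by an STS hostname; the global host is signed as us-east-1."""
    host = (urlparse(url).hostname or "").lower()
    if host == "sts.amazonaws.com":
        return "us-east-1"
    m = STS_HOST_RE.fullmatch(host)
    if m is None:
        raise ValueError(f"unrecognised STS host: {host!r}")
    return m.group("region")

def check_sts_request(authorization, request_url):
    """Return a list of inconsistencies between the signed scope and the target host."""
    scope = parse_sigv4(authorization)
    host_region = sts_host_region(request_url)
    findings = []
    if scope["service"] != "sts":
        findings.append(f"service in credential scope is {scope['service']!r}, expected 'sts'")
    if scope["region"] != host_region:
        findings.append(f"scope region {scope['region']!r} != host region {host_region!r}")
    if "host" not in scope["signed"]:
        findings.append("host header is not signed")
    return findings
```

An empty list means the credential scope and the host agree; it does not by itself prove the signature is valid.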