STS: New internalized STS provider by pinzon · Pull Request #13737 · localstack/localstack

pinzon · 2026-02-10T21:24:49Z

Motivation

With the objective to internalize the STS service. This PR implements a new service provider based on ASF and LocalStack stores, completly independent of the Moto library.

Changes

Added STS store with support for Cross-Account attributes.
Replaced the STS provider with an entirely new provider.
Added the necessary changes to providers.py

github-actions · 2026-02-10T21:35:48Z

Test Results - Preflight, Unit

23 070 tests ±0 21 179 ✅ ±0 6m 20s ⏱️ +11s
1 suites ±0 1 891 💤 ±0
1 files ±0 0 ❌ ±0

Results for commit bca7f0d. ± Comparison against base commit 69158c9.

♻️ This comment has been updated with latest results.

github-actions · 2026-02-10T21:50:24Z

Test Results (amd64) - Acceptance

7 tests ±0 5 ✅ ±0 3m 9s ⏱️ +5s
1 suites ±0 2 💤 ±0
1 files ±0 0 ❌ ±0

Results for commit bca7f0d. ± Comparison against base commit 69158c9.

♻️ This comment has been updated with latest results.

github-actions · 2026-02-10T22:29:46Z

Test Results (amd64) - Integration, Bootstrap

5 files ±0 5 suites ±0 2h 41m 10s ⏱️ - 2m 4s
6 039 tests ±0 5 510 ✅ +14 528 💤 ±0 1 ❌ - 14
6 045 runs ±0 5 510 ✅ +14 534 💤 ±0 1 ❌ - 14

For more details on these failures, see this check.

Results for commit bca7f0d. ± Comparison against base commit 69158c9.

♻️ This comment has been updated with latest results.

github-actions · 2026-02-10T22:41:42Z

LocalStack Community integration with Pro

2 files ±0 2 suites ±0 1h 33m 19s ⏱️ - 33m 30s
5 634 tests ±0 135 ✅ - 5 112 363 💤 - 9 420 ❌ +405 4 716 🔥 +4 716
5 636 runs ±0 135 ✅ - 5 112 365 💤 - 9 420 ❌ +405 4 716 🔥 +4 716

For more details on these failures and errors, see this check.

Results for commit bca7f0d. ± Comparison against base commit 69158c9.

♻️ This comment has been updated with latest results.

anisaoshafi · 2026-02-25T16:14:54Z

ℹ️ @pinzon I've changed the milestone to playground for now.

dfangl · 2026-02-25T15:44:52Z

+
+        # For permanent access keys (AKIA prefix), extract account from the key
+        # In LocalStack, we often encode the account ID in the access key
+        if access_key_id.startswith("AKIA"):


In LocalStack, this is LKIA - we should use the PARITY_AWS_ACCESS_KEY_ID variable here as well!

Why was this resolved?

My bad. I mixed up this comment with the comment about using config var to generate the Key

I'm removing that condition. It provides no value.

dfangl

Looks good, I have some more suggestions/questions, then it's good to merge from my side!

dfangl · 2026-02-26T21:50:14Z

+        role_id = generate_role_id(target_account_id)
+        if role := self._get_role_from_arn(role_arn):
+            role_id = role["RoleId"]
+        role_id = role_id.replace("AROA", "ARO1")


Where does this come from?

From the test test_sts.TestSTSIntegrations.test_assume_role_with_web_identity. It's marked as only_localstack so it could be wrong but it was migrated from moto

dfangl · 2026-02-26T21:50:47Z

+
+        # For permanent access keys (AKIA prefix), extract account from the key
+        # In LocalStack, we often encode the account ID in the access key
+        if access_key_id.startswith("AKIA"):


Why was this resolved?

pinzon marked this pull request as ready for review February 11, 2026 19:30

pinzon requested a review from dfangl as a code owner February 11, 2026 19:30

dfangl mentioned this pull request Feb 12, 2026

Tests STS AssumeRole #13724

Merged

dfangl force-pushed the iam/moto-migration branch from a2a079c to 37f4eb0 Compare February 12, 2026 10:25

pinzon force-pushed the sts/new-provider branch from ceda2be to 19e5d68 Compare February 13, 2026 15:30

pinzon added this to the 4.14 milestone Feb 16, 2026

dfangl force-pushed the iam/moto-migration branch from cdcd4df to 4526785 Compare February 16, 2026 18:25

dfangl requested review from dominikschubert and steffyP as code owners February 16, 2026 18:25

dfangl force-pushed the iam/moto-migration branch from 7211a8d to aabae16 Compare February 17, 2026 13:30

pinzon force-pushed the sts/new-provider branch from 19e5d68 to de9bf7a Compare February 18, 2026 20:27

dfangl force-pushed the iam/moto-migration branch from 49e13e2 to cbcd0f4 Compare February 19, 2026 18:50

dfangl requested review from aidehn, alexrashed, bentsku, k-a-il and silv-io as code owners February 19, 2026 18:50

bentsku removed their request for review February 20, 2026 13:56

pinzon force-pushed the sts/new-provider branch from de9bf7a to 8ffa1ee Compare February 24, 2026 17:42

anisaoshafi modified the milestones: 4.14, Playground Feb 25, 2026

dfangl modified the milestones: Playground, 2026.03 Feb 26, 2026

dfangl force-pushed the iam/moto-migration branch from b1990ab to 4b158e1 Compare February 26, 2026 09:17

dfangl suggested changes Feb 26, 2026

View reviewed changes

dfangl force-pushed the iam/moto-migration branch from 1751aaf to 2347778 Compare February 26, 2026 16:47

dfangl force-pushed the sts/new-provider branch from 8ffa1ee to 34c2712 Compare February 26, 2026 16:47

pinzon added 2 commits February 26, 2026 14:05

new STS v2 provider

2aa0311

replace old provider entirely

3a2a336

pinzon force-pushed the sts/new-provider branch from 34c2712 to 3a2a336 Compare February 26, 2026 19:06

pinzon added 3 commits February 26, 2026 15:16

migrate utils methods

88bdc9e

fix assume role with saml test

2964c5c

fix role id issue

721a71e

pinzon requested a review from dfangl February 26, 2026 20:53

plux.ini

3fa420f

dfangl approved these changes Feb 26, 2026

View reviewed changes

requested changes

bca7f0d

pinzon merged commit d87db73 into iam/moto-migration Feb 27, 2026
28 of 33 checks passed

pinzon deleted the sts/new-provider branch February 27, 2026 19:22

dfangl pushed a commit that referenced this pull request Mar 4, 2026

STS: New internalized STS provider (#13737)

449d4e1

dfangl pushed a commit that referenced this pull request Mar 4, 2026

STS: New internalized STS provider (#13737)

2770dfd

dfangl pushed a commit that referenced this pull request Mar 6, 2026

STS: New internalized STS provider (#13737)

be341de

Uh oh!

Conversation

pinzon commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Motivation

Changes

Uh oh!

github-actions Bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Results - Preflight, Unit

Uh oh!

github-actions Bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Results (amd64) - Acceptance

Uh oh!

github-actions Bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Test Results (amd64) - Integration, Bootstrap

Uh oh!

github-actions Bot commented Feb 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

LocalStack Community integration with Pro

Uh oh!

anisaoshafi commented Feb 25, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dfangl Feb 25, 2026

Choose a reason for hiding this comment

Uh oh!

dfangl Feb 26, 2026

Choose a reason for hiding this comment

Uh oh!

pinzon Feb 27, 2026

Choose a reason for hiding this comment

Uh oh!

pinzon Feb 27, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

dfangl left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

dfangl Feb 26, 2026

Choose a reason for hiding this comment

Uh oh!

pinzon Feb 27, 2026

Choose a reason for hiding this comment

Uh oh!

dfangl Feb 26, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

pinzon commented Feb 10, 2026 •

edited

Loading

github-actions Bot commented Feb 10, 2026 •

edited

Loading

github-actions Bot commented Feb 10, 2026 •

edited

Loading

github-actions Bot commented Feb 10, 2026 •

edited

Loading

github-actions Bot commented Feb 10, 2026 •

edited

Loading