Tell us about your request
I'm trying to use "IAM Roles for Service Accounts" in a private VPC without Internet access or NAT Gateways. It works fine in a VPC with internet access.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
When I deploy a pod with a service account in the spec everything looks fine: the pod is mutated and the environment variables and necessary settings are automatically injected. Then I access the pod via kubectl exec and run the command
aws s3 ls --region eu-west-1 --debug
or any other, and I see that it's trying to connect to the global STS endpoint
Starting new HTTPS connection (1): sts.amazonaws.com:443
and fails with a timeout. How can I force it to use my regional STS VPC endpoint like sts.eu-west-1.amazonaws.com?
Are you currently working around this issue?
I even tried to add a CNAME record in CoreDNS but received
botocore.exceptions.SSLError: SSL validation failed for https://sts.amazonaws.com/ ("hostname 'sts.amazonaws.com' doesn't match either of 'sts.eu-west-1.amazonaws.com', '*.sts.eu-west-1.vpce.amazonaws.com'",)
@alexey-boyko Can you retry? I've recreated the same, and was able to get IAM roles for service accounts working in a private VPC without outbound internet ("air-gapped").
I think this PR needs to be merged for cleaner integration.
I was able to use VPC endpoints for STS only after updating AWS_STS_REGIONAL_ENDPOINTS=regional on my workload
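The thread above ends with the fix that worked (setting AWS_STS_REGIONAL_ENDPOINTS=regional on the workload), and the SSL error in the issue shows why the CoreDNS CNAME workaround cannot work: the VPC endpoint's certificate is issued for sts.eu-west-1.amazonaws.com, not for the global hostname, so the SDK has to be told to use the regional hostname rather than having DNS rewrite it. The following script is an added example, not code from the issue or from any AWS project. It audits Kubernetes manifests for containers that use a non-default service account (assumed to be IRSA-bound) but lack the regional-STS setting or a region, and patches them. The manifests, the service account name "s3-reader", and the workload names are constructed for the example; the check is manifest-level only, so settings injected later by a mutating admission webhook are not visible to it.

```python
"""Audit and patch pod templates for IRSA use in a private VPC (constructed example)."""
import copy

# Constructed sample manifests: a Deployment whose containers use an IRSA-style
# service account but are still on the legacy (global) STS endpoint, and a Pod
# that already carries the regional setting plus a region.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "s3-lister"},
        "spec": {"template": {"spec": {
            "serviceAccountName": "s3-reader",  # hypothetical IRSA-annotated SA
            "containers": [
                {"name": "cli", "image": "amazon/aws-cli",
                 "env": [{"name": "AWS_STS_REGIONAL_ENDPOINTS", "value": "legacy"}]},
                {"name": "sidecar", "image": "busybox"},
            ],
        }}},
    },
    {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "already-regional"},
        "spec": {
            "serviceAccountName": "s3-reader",
            "containers": [{"name": "cli", "image": "amazon/aws-cli", "env": [
                {"name": "AWS_STS_REGIONAL_ENDPOINTS", "value": "regional"},
                {"name": "AWS_REGION", "value": "eu-west-1"},
            ]}],
        },
    },
]


def _pod_spec(manifest):
    """Return the pod spec of a bare Pod or of a template-bearing workload."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _env_map(container):
    """Map env var names to values for one container (valueFrom entries map to None)."""
    return {e["name"]: e.get("value") for e in container.get("env", [])}


def find_irsa_gaps(manifests):
    """List (workload, container, problem) for containers that will try the
    global STS endpoint or have no region to build the regional hostname from."""
    gaps = []
    for m in manifests:
        spec = _pod_spec(m)
        sa = spec.get("serviceAccountName")
        if not sa or sa == "default":
            continue  # no IRSA role expected, so STS reachability is not required
        for c in spec.get("containers", []):
            env = _env_map(c)
            mode = env.get("AWS_STS_REGIONAL_ENDPOINTS")
            if mode != "regional":
                gaps.append((m["metadata"]["name"], c["name"],
                             f"AWS_STS_REGIONAL_ENDPOINTS is {mode!r} (expected 'regional')"))
            if env.get("AWS_REGION") is None and env.get("AWS_DEFAULT_REGION") is None:
                gaps.append((m["metadata"]["name"], c["name"],
                             "no AWS_REGION/AWS_DEFAULT_REGION set"))
    return gaps


def patch_regional_sts(manifest, region):
    """Return a deep copy with the regional STS mode and region set on every container.
    Existing entries with the same name are overwritten; others are left alone."""
    patched = copy.deepcopy(manifest)
    wanted = (("AWS_STS_REGIONAL_ENDPOINTS", "regional"), ("AWS_REGION", region))
    for c in _pod_spec(patched).setdefault("containers", []):
        env = c.setdefault("env", [])
        for name, value in wanted:
            for entry in env:
                if entry["name"] == name:
                    entry["value"] = value
                    break
            else:
                env.append({"name": name, "value": value})
    return patched


if __name__ == "__main__":
    for gap in find_irsa_gaps(SAMPLE_MANIFESTS):
        print("GAP:", *gap)
    fixed = [patch_regional_sts(m, "eu-west-1") for m in SAMPLE_MANIFESTS]
    print("gaps after patch:", find_irsa_gaps(fixed))
```

Running the script reports four gaps for the Deployment (the legacy mode and the missing region on both containers) and none for the Pod; after patching, no gaps remain. The region is included because the regional endpoint hostname is derived from it, so AWS_STS_REGIONAL_ENDPOINTS=regional on its own is not enough when no region is configured in the pod.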