[RUN-4503] Document ssm-sts-region property for AWS opt-in regions #1824

Open: Jesus-Osuna-M wants to merge 2 commits into 6.1.0 from RUN-4503-ssm-sts-region-docs


@Jesus-Osuna-M Jesus-Osuna-M commented Jun 23, 2026

Contributor

Summary

Documents the new ssm-sts-region plugin property introduced in rundeckpro/rundeckpro#4748 to fix InvalidClientTokenId (HTTP 403) errors when executing SSM commands on nodes in AWS opt-in regions (e.g., eu-central-2 — Zurich).

Jira: RUN-4503

Changes

docs/manual/projects/node-execution/aws-ssm.md

  • New section: "STS Region Configuration for AWS Opt-In Regions"
    • Explains AWS v1 vs v2 STS token behavior and why opt-in regions reject v1 tokens
    • Documents all 4 configuration methods: Project UI, Mapping Params, project.ssm-sts-region, node-attribute
    • Includes tip callout explaining the root cause and backward compatibility note

docs/learning/howto/cross-account-aws-ssm.md

  • Added ::: warning callout in the "Option 1: Individual Nodes and Node Sources Setting" section
    • Alerts users with nodes in opt-in regions to configure ssm-sts-region.default=us-east-1
    • Explains why (v1/v2 token rejection)
    • Links to the full reference section in aws-ssm.md

Context

AWS opt-in regions (those that must be manually enabled in the AWS account) reject STS v1 tokens with InvalidClientTokenId. The global STS endpoint (sts.amazonaws.com) issues v1 tokens by default. The new ssm-sts-region property forces the plugin to use a regional STS endpoint, which always issues v2 tokens valid in all AWS regions.

The property is optional and backward-compatible — when not set, behavior is identical to previous versions.

Test plan

  • Verify new section renders correctly in local docs preview
  • Verify links to aws-ssm.md#sts-region-configuration anchor resolve correctly
  • Confirm warning block displays properly in VuePress

Made with Cursor

Add documentation for the new ssm-sts-region plugin property introduced in
PR rundeckpro/rundeckpro#4748 to fix InvalidClientTokenId errors when
executing SSM commands on nodes in AWS opt-in regions (e.g. eu-central-2).

- aws-ssm.md: Add "STS Region Configuration for AWS Opt-In Regions" section
  explaining v1/v2 token behavior and all four configuration methods
- cross-account-aws-ssm.md: Add warning block for opt-in region setups
  pointing users to ssm-sts-region when using cross-account AssumeRole

Co-authored-by: Cursor <cursoragent@cursor.com>
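
An added example, not part of the pull request or the plugin's code: a preflight check that flags nodes in opt-in regions for which no ssm-sts-region value is in effect, so they would still get a token from the global STS endpoint. The `region` node attribute, the `ssm-sts-region` node attribute name, the node-over-project precedence and the sample data are assumptions; only eu-central-2 in the region set comes from the PR.

```python
# Added example: lint Rundeck node data for the opt-in region STS problem.
# eu-central-2 is the PR's example; the other entries are further AWS opt-in
# regions. Extend the set to match the regions enabled in your account.
OPT_IN_REGIONS = {"eu-central-2", "af-south-1", "ap-east-1", "eu-south-1", "me-south-1"}

PROJECT_KEY = "project.ssm-sts-region"  # project-level property named in the PR
NODE_ATTR = "ssm-sts-region"            # assumed node attribute name
REGION_ATTR = "region"                  # assumed attribute holding the node's AWS region


def parse_properties(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def sts_endpoint(sts_region):
    """Global endpoint when unset, regional endpoint otherwise."""
    return f"sts.{sts_region}.amazonaws.com" if sts_region else "sts.amazonaws.com"


def audit(nodes, props):
    """Return (node, region, endpoint) for opt-in region nodes that would use
    the global endpoint. The node attribute overrides the project property
    here; that precedence is an assumption."""
    findings = []
    for node in nodes:
        sts_region = node.get(NODE_ATTR) or props.get(PROJECT_KEY)
        if node.get(REGION_ATTR) in OPT_IN_REGIONS and not sts_region:
            findings.append((node["name"], node[REGION_ATTR], sts_endpoint(sts_region)))
    return findings


# Constructed sample data, not taken from a real project.
SAMPLE_NODES = [
    {"name": "zurich-app-1", "region": "eu-central-2"},
    {"name": "zurich-app-2", "region": "eu-central-2", "ssm-sts-region": "us-east-1"},
    {"name": "virginia-db-1", "region": "us-east-1"},
]

if __name__ == "__main__":
    for name, region, endpoint in audit(SAMPLE_NODES, parse_properties("project.name=demo")):
        print(f"{name} ({region}): no ssm-sts-region, token would come from {endpoint}")
```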

Copilot AI left a comment

Contributor


Pull request overview

Adds documentation for the new ssm-sts-region configuration to address InvalidClientTokenId (HTTP 403) errors when running SSM against nodes in AWS opt-in regions, and surfaces this guidance in the cross-account SSM how-to.

Changes:

  • Added a new “STS Region Configuration for AWS Opt-In Regions” section to the AWS SSM node executor docs, including rationale and supported configuration methods.
  • Added a warning callout to the cross-account AWS SSM how-to directing users in opt-in regions to configure ssm-sts-region and linking to the reference section.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| docs/manual/projects/node-execution/aws-ssm.md | Documents ssm-sts-region behavior, why it’s needed for opt-in regions, and how to configure it at multiple scopes. |
| docs/learning/howto/cross-account-aws-ssm.md | Adds an opt-in region warning and points readers to the full ssm-sts-region reference section. |

Comment thread docs/manual/projects/node-execution/aws-ssm.md Outdated
Comment thread docs/manual/projects/node-execution/aws-ssm.md Outdated
Comment thread docs/manual/projects/node-execution/aws-ssm.md Outdated
Comment thread docs/learning/howto/cross-account-aws-ssm.md Outdated
Co-authored-by: Cursor <cursoragent@cursor.com>
@Jesus-Osuna-M Jesus-Osuna-M added this to the 6.1.0 milestone Jun 23, 2026
@fdevans fdevans changed the base branch from 4.0.x to 6.1.0 June 24, 2026 15:16