 

SignatureDoesNotMatch when overriding STS API endpoint in Terraform

I am running Terraform in AWS region us-west-2 (Oregon) in a private VPC. Because of this I am using VPC endpoints to expose the STS API and am overriding this endpoint in Terraform as follows:

provider "aws" {
  endpoints {
    sts = "https://sts.us-west-2.amazonaws.com/"
  }
}

Unfortunately this gives the following error:

provider.aws: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

What could be causing this issue? Applying the same Terraform code without the endpoint override in a public VPC worked as expected.

Things I have checked:

  • The instance Terraform is running on is displaying the correct time (UTC)
  • AWS_REGION and AWS_DEFAULT_REGION env vars are set to us-west-2
  • The AWS_SECRET_ACCESS_KEY env var I am using to authenticate (together with AWS_ACCESS_KEY_ID) contains only alphanumeric characters

Versions:

  • terraform version: Terraform v0.11.13
  • terraform-provider-aws: v2.17.0
dippynark asked Jan 25 '26 10:01


1 Answer

It seems like terraform is not sanitizing the URLs before sending them to AWS:

provider "aws" {
  endpoints {
    sts = "https://sts.us-west-2.amazonaws.com" # No trailing slash
  }
}

just works fine for me, while with the trailing slash it results in your error.

Christian Simon answered Jan 26 '26 23:01
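Why a single trailing slash can produce SignatureDoesNotMatch, shown as an added example that is not part of the question, the answer, or the Terraform AWS provider. SigV4 signs the request path (the canonical URI) along with the headers and body, so the client and the service must compute the signature over the same path. The example below assumes two things that are labelled in the code: that the client builds the request URL by concatenating the endpoint override with the operation's path `/` (so a trailing slash yields `//`), and that the service normalizes redundant slashes before recomputing the signature. Under those assumptions the signatures diverge, which is the error the answer describes; with the slash stripped they agree. The credentials are AWS's documented placeholder pair and the timestamp is fixed so the output is reproducible; `normalize_endpoint` is a hypothetical helper you could apply to endpoint values before they reach the provider block.

```python
"""Demonstrate why a trailing slash in an endpoint override breaks SigV4 signing."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder credentials (AWS's documented example pair; not valid keys).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-west-2"
SERVICE = "sts"
AMZ_DATE = "20190101T000000Z"  # fixed so the signatures are reproducible
BODY = "Action=GetCallerIdentity&Version=2011-06-15"


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(host: str, path: str) -> str:
    """SigV4 canonical request for POST GetCallerIdentity; the path is part of it."""
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": AMZ_DATE,
    }
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    return "\n".join(["POST", path, "", canonical_headers, signed_headers, _sha256_hex(BODY)])


def sigv4_signature(host: str, path: str) -> str:
    """Hex SigV4 signature over the canonical request with the given path."""
    date = AMZ_DATE[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", AMZ_DATE, scope, _sha256_hex(canonical_request(host, path))]
    )
    k = _hmac(("AWS4" + SECRET_KEY).encode(), date)
    k = _hmac(k, REGION)
    k = _hmac(k, SERVICE)
    k = _hmac(k, "aws4_request")
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()


def client_path(endpoint: str, operation_path: str = "/") -> str:
    """Path the client signs, ASSUMING the SDK builds the URL as endpoint + operation
    path. That assumption is what turns a trailing slash into a '//' path."""
    return urlsplit(endpoint + operation_path).path


def service_path(path: str) -> str:
    """Simplified model of the service side (ASSUMED): redundant slashes are collapsed
    before the signature is recomputed."""
    return re.sub(r"/+", "/", path) or "/"


def signatures_match(endpoint: str) -> bool:
    """True when the client's signature equals the one the service recomputes."""
    host = urlsplit(endpoint).netloc
    sent = client_path(endpoint)
    return hmac.compare_digest(
        sigv4_signature(host, sent), sigv4_signature(host, service_path(sent))
    )


def normalize_endpoint(endpoint: str) -> str:
    """Hypothetical guard: strip trailing slashes from an endpoint override."""
    p = urlsplit(endpoint)
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/"), p.query, p.fragment))


if __name__ == "__main__":
    for ep in ("https://sts.us-west-2.amazonaws.com/", "https://sts.us-west-2.amazonaws.com"):
        print(f"{ep!r}: signed path {client_path(ep)!r}, match={signatures_match(ep)}")
    print("normalized:", normalize_endpoint("https://sts.us-west-2.amazonaws.com/"))
```

The check to remember is that SigV4 never tells you which input disagreed; the canonical request is hashed before signing, so a one-character path difference is indistinguishable from a wrong secret key in the error you get back. When a signature mismatch appears only after an endpoint override, compare the signed path first, before touching credentials or clock.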


