aws-cdk: [AwsCustomResource]: (assumeRoleArn defined in non-opt-in region while assumed from an opt-in region causes permission issue)

Describe the bug

For AwsCustomResource, the AwsSdkCall has an assumeRoleArn that we can assume in order to proceed with the SdkCall.

But the default STS endpoint is set to regional, and the default region in our case is an opt-in region. However, the role is created/defined under a root account in a non-opt-in region (we cannot enable all opt-in regions for that account). With the incorrect STS endpoint, the AssumeRole call failed with a permission issue.

Expected Behavior

STS AssumeRole succeeds and the AwsSdkCall proceeds with a success response.

Current Behavior

Error [CredentialsError]: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'CredentialsError',
  time: 2023-07-19T01:26:20.624Z,
  requestId: '***********',
  statusCode: 403,
  retryable: false,
  retryDelay: 30.07614769919884,
  originalError: {
    message: 'Could not load credentials from ChainableTemporaryCredentials',
    code: 'CredentialsError',
    time: 2023-07-19T01:26:20.624Z,
    requestId: '*****************',
    statusCode: 403,
    retryable: false,
    retryDelay: 30.07614769919884,
    originalError: {
      message: 'User: arn:aws:sts::*********:assumed-role/********* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::**********:role/*******',
      code: 'AccessDenied',
      time: 2023-07-19T01:26:20.565Z,
      requestId: '******',
      statusCode: 403,
      retryable: false,
      retryDelay: 30.07614769919884
    }
  }
}

Reproduction Steps

Create an AwsCustomResource in an opt-in region that assumes a role defined in an account which has not enabled this opt-in region.

Possible Solution

We tried all combinations of region vs. STS endpoint:

  • case 1: default region (opt-in region) with global STS endpoint -> FAILED
  • case 2: non-opt-in region with global STS endpoint -> SUCCEEDED
  • case 3: default region (opt-in region) with regional STS endpoint -> FAILED
  • case 4: non-opt-in region with regional STS endpoint -> SUCCEEDED

So in either case, we need to override the default region to a non-opt-in region!! So we are requesting that this STS region option be exposed to the user. The AwsSdkCall does have a region option, but that region is NOT used for the STS AssumeRole call.

Additional Information/Context

No response

CDK CLI Version

2.73.0

Framework Version

No response

Node.js Version

18

OS

AL2

Language

Typescript

Language Version

No response

Other information

No response

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (8 by maintainers)

Most upvoted comments

@chensy-aws yeah I think we are in agreement, my message was with regards to the usage of USE_REGIONAL_STS_ENDPOINT_CONTEXT_KEY, which won’t change the sdk v3 behavior and therefore won’t fix the issue.

I think using the same region as the aws api call in the clientConfig for fromTemporaryCredentials is the best solution here.

Stack trace indicates this is using SDK v2: /var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:2

Note the aws-sdk and not @aws-sdk/whatever.

Exact SDK version is: AWS SDK VERSION: 2.1374.0
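The pattern the reporter's four cases point at, and that the maintainer comment suggests for SDK v3 (pass the STS region via clientConfig to fromTemporaryCredentials), can be made explicit in code: decide the STS region for AssumeRole separately from the region of the service call, and only keep them equal when the role's account can actually serve STS there. The following is an added example, not aws-cdk or AWS SDK code. It assumes a snapshot of the opt-in region list (this list changes over time), a caller-supplied set of opt-in regions the role's account has enabled, and that the option object returned by assumeRoleProviderOptions() has the shape accepted by fromTemporaryCredentials() from @aws-sdk/credential-providers (params for AssumeRole, clientConfig for the STSClient); the SDK itself is not imported so the example runs offline.

```typescript
// Added example (not aws-cdk code): pick the STS region for AssumeRole
// independently of the region of the actual AwsSdkCall.

// Assumption: snapshot of regions that are disabled by default (opt-in).
// Verify against the current AWS region list before relying on it.
const OPT_IN_REGIONS: ReadonlySet<string> = new Set([
  "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
  "ca-west-1", "eu-south-1", "eu-south-2", "eu-central-2", "il-central-1",
  "me-south-1", "me-central-1",
]);

function isOptInRegion(region: string): boolean {
  return OPT_IN_REGIONS.has(region);
}

// Hostname of the STS endpoint a request for `region` goes to; "global" is the
// legacy sts.amazonaws.com endpoint, everything else is the regional one.
function stsEndpoint(region: string | "global"): string {
  return region === "global"
    ? "https://sts.amazonaws.com"
    : `https://sts.${region}.amazonaws.com`;
}

// Can the regional STS endpoint in `stsRegion` serve an AssumeRole for a role
// whose account has enabled only `roleAccountEnabledOptIns` of the opt-in
// regions? Default-enabled regions are always usable.
function stsRegionUsableForRole(
  stsRegion: string,
  roleAccountEnabledOptIns: ReadonlySet<string>,
): boolean {
  return !isOptInRegion(stsRegion) || roleAccountEnabledOptIns.has(stsRegion);
}

interface StsRegionChoice {
  callRegion: string; // region of the service call (may be opt-in)
  stsRegion: string;  // region whose STS endpoint performs AssumeRole
  reason: string;
}

// Keep STS in the call region when the role's account can serve it there
// (cases 2 and 4 in the issue when the call region is non-opt-in); otherwise
// fall back to a default-enabled region, which is what the reporter had to do
// by overriding the default region.
function chooseStsRegion(
  callRegion: string,
  roleAccountEnabledOptIns: ReadonlySet<string>,
  fallbackRegion = "us-east-1", // assumption: a region enabled in every account
): StsRegionChoice {
  if (isOptInRegion(fallbackRegion)) {
    throw new Error(`fallback region ${fallbackRegion} is itself opt-in`);
  }
  if (stsRegionUsableForRole(callRegion, roleAccountEnabledOptIns)) {
    return { callRegion, stsRegion: callRegion, reason: "role account can serve STS in the call region" };
  }
  return {
    callRegion,
    stsRegion: fallbackRegion,
    reason: `${callRegion} is opt-in and not enabled in the role's account`,
  };
}

// Option object for fromTemporaryCredentials(): `params` is the AssumeRole
// input, `clientConfig` configures the STSClient that sends it. Returned as
// plain data so it can be inspected without the SDK installed.
function assumeRoleProviderOptions(
  roleArn: string,
  choice: StsRegionChoice,
  sessionName = "AwsCustomResource",
) {
  return {
    params: { RoleArn: roleArn, RoleSessionName: sessionName },
    clientConfig: { region: choice.stsRegion },
  };
}

// Constructed walk-through of the issue's scenario: custom resource runs in
// ap-east-1 (opt-in), role lives in an account that enabled no opt-in regions.
const roleAccountOptIns: ReadonlySet<string> = new Set<string>();
const choice = chooseStsRegion("ap-east-1", roleAccountOptIns);
const providerOptions = assumeRoleProviderOptions(
  "arn:aws:iam::111111111111:role/example-role", // constructed, not a real ARN
  choice,
);
console.log(choice.reason);                              // why STS was moved
console.log(stsEndpoint(providerOptions.clientConfig.region)); // STS endpoint used
```

The service client for the AwsSdkCall still gets `choice.callRegion`; only the credential provider's STS client is pinned to `choice.stsRegion`. If the role's account later enables the opt-in region, pass it in `roleAccountEnabledOptIns` and the two regions collapse back to the same value.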