credential-scope

botocore/args.py

@@ -153,8 +153,9 @@ def get_client_args(
             protocol, parameter_validation
         )
         response_parser = botocore.parsers.create_parser(protocol)
+        uses_builtin_data = endpoint_bridge.resolver_uses_builtin_data()
         builtin_resolver = self._construct_builtin_resolver(
-            credentials, new_config
+            credentials, new_config, uses_builtin_data
         )
         ruleset_resolver = self._build_endpoint_resolver(
             endpoints_ruleset_data,
@@ -620,12 +621,15 @@ def _ensure_boolean(self, val):
         else:
             return val.lower() == 'true'
 
-    def _construct_builtin_resolver(self, credentials, client_config):
+    def _construct_builtin_resolver(
+        self, credentials, client_config, uses_builtin_data
+    ):
         credential_builtin_resolver = CredentialBuiltinResolver(
-            credentials, client_config.account_id_endpoint_mode
+            credentials,
+            client_config.account_id_endpoint_mode,
         )
         resolver_map = {'credentials': credential_builtin_resolver}
-        return EndpointBuiltinResolver(resolver_map)
+        return EndpointBuiltinResolver(resolver_map, uses_builtin_data)
 
     def _build_endpoint_resolver(
         self,
@@ -778,6 +782,9 @@ def compute_endpoint_resolver_builtin_defaults(
             # account ID is calculated later if account based routing is
             # enabled and configured for the service
             EPRBuiltins.AWS_ACCOUNT_ID: None,
+            # credential scope is calculated later if configured on the
+            # credentials
+            EPRBuiltins.AWS_CREDENTIAL_SCOPE: None,
         }
 
     def _compute_user_agent_appid_config(self, config_kwargs):

botocore/client.py

@@ -11,6 +11,7 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 import logging
+import warnings
 
 from botocore import waiter, xform_name
 from botocore.args import ClientArgsCreator
@@ -1091,13 +1092,34 @@ def _resolve_endpoint_ruleset(
                 request_context['auth_type'] = auth_type
                 if 'region' in signing_context and ignore_signing_region:
                     del signing_context['region']
+                self._maybe_warn_signing_region_mismatch(signing_context)
                 if 'signing' in request_context:
                     request_context['signing'].update(signing_context)
                 else:
                     request_context['signing'] = signing_context
 
         return endpoint_url, additional_headers
 
+    def _maybe_warn_signing_region_mismatch(self, signing_context):
+        legacy_signing_region = self._request_signer.region_name
+        signing_region = signing_context.get('region')
+        if (
+            signing_region is not None
+            and legacy_signing_region != signing_region
+            and not self._ruleset_resolver.uses_builtin_data_path
+            and self._ruleset_resolver.credential_scope_set
+        ):
+            warnings.warn(
+                "Detected an endpoint resolved from a custom endpoints.json"
+                "file and credentials scoped to a single region:  "
+                f"'{signing_region}'. The signing region this file has "
+                "resolved does not match the signing region of the client. "
+                "This may cause issues with request signing.\n"
+                f"legacy signing region: '{legacy_signing_region}'\n"
+                f"current signing region: '{signing_region}'\n "
+                f"Using '{signing_region}' to sign the request."
+            )
+
     def get_paginator(self, operation_name):
         """Create a paginator for an operation.