From 566158978f3d954183d4d0fc9165826ad15352dd Mon Sep 17 00:00:00 2001
From: Teemu Keskitalo
Date: Fri, 24 Oct 2025 11:02:46 +0300
Subject: [PATCH] fix: respect AWS_REGION env var in sts region resolution
---
 clients/client-sts/src/defaultStsRoleAssumers.ts | 6 ++++--
 .../typescript/codegen/sts-client-defaultStsRoleAssumers.ts | 6 ++++--
 .../src/submodules/sts/defaultStsRoleAssumers.ts | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/clients/client-sts/src/defaultStsRoleAssumers.ts b/clients/client-sts/src/defaultStsRoleAssumers.ts
index bb7e08de7d18..79ce9cea75db 100644
--- a/clients/client-sts/src/defaultStsRoleAssumers.ts
+++ b/clients/client-sts/src/defaultStsRoleAssumers.ts
@@ -58,7 +58,7 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 /**
 * @internal
 *
- * Default to the parent client region or us-east-1 if no region is specified.
+ * Default to the parent client region, AWS_REGION environment variable, or us-east-1 if no region is specified.
 */
 const resolveRegion = async (
 _region: string | Provider | undefined,
@@ -67,15 +67,17 @@ const resolveRegion = async (
 ): Promise => {
 const region: string | undefined = typeof _region === "function" ? await _region() : _region;
 const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+ const envRegion = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;
 credentialProviderLogger?.debug?.(
 "@aws-sdk/client-sts::resolveRegion",
 "accepting first of:",
 `${region} (provider)`,
 `${parentRegion} (parent client)`,
+ `${envRegion} (environment)`,
 `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
 );
- return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+ return region ?? parentRegion ?? envRegion ?? ASSUME_ROLE_DEFAULT_REGION;
 };
 /**
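Review bot: In the second hunk of clients/client-sts/src/defaultStsRoleAssumers.ts, `envRegion` is built with `||` but consumed with `??`, so with `AWS_REGION` unset and `AWS_DEFAULT_REGION=""` it is the empty string and `resolveRegion` returns `""` instead of falling back to `ASSUME_ROLE_DEFAULT_REGION`; `const envRegion = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || undefined;` keeps the fallback. The value presumably picks the region of the STS client used for role assumption, and nothing in the hunk checks it, so it is worth confirming that a malformed value is rejected before endpoint resolution, and that `process` is defined in every runtime this module is bundled for. The doc comment in the first hunk names only `AWS_REGION` although `AWS_DEFAULT_REGION` is also read; I would write `Default to the parent client region, the AWS_REGION or AWS_DEFAULT_REGION environment variable, or us-east-1 if no region is specified.` The same lines appear in the codegen template sts-client-defaultStsRoleAssumers.ts and in packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts, and resolveRegion's parameter list begins outside this hunk.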
diff --git a/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts b/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
index 69a2d0019161..a430cc029179 100644
--- a/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
+++ b/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
@@ -55,7 +55,7 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 /**
 * @internal
 *
- * Default to the parent client region or us-east-1 if no region is specified.
+ * Default to the parent client region, AWS_REGION environment variable, or us-east-1 if no region is specified.
 */
 const resolveRegion = async (
 _region: string | Provider | undefined,
@@ -64,15 +64,17 @@ const resolveRegion = async (
 ): Promise => {
 const region: string | undefined = typeof _region === "function" ? await _region() : _region;
 const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+ const envRegion = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;
 credentialProviderLogger?.debug?.(
 "@aws-sdk/client-sts::resolveRegion",
 "accepting first of:",
 `${region} (provider)`,
 `${parentRegion} (parent client)`,
+ `${envRegion} (environment)`,
 `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
 );
- return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+ return region ?? parentRegion ?? envRegion ?? ASSUME_ROLE_DEFAULT_REGION;
 };
 /**
diff --git a/packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts b/packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts
index bb7e08de7d18..79ce9cea75db 100644
--- a/packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts
+++ b/packages/nested-clients/src/submodules/sts/defaultStsRoleAssumers.ts
@@ -58,7 +58,7 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser?: AssumedRoleUser) => {
 /**
 * @internal
 *
- * Default to the parent client region or us-east-1 if no region is specified.
+ * Default to the parent client region, AWS_REGION environment variable, or us-east-1 if no region is specified.
 */
 const resolveRegion = async (
 _region: string | Provider | undefined,
@@ -67,15 +67,17 @@ const resolveRegion = async (
 ): Promise => {
 const region: string | undefined = typeof _region === "function" ? await _region() : _region;
 const parentRegion: string | undefined = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
+ const envRegion = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;
 credentialProviderLogger?.debug?.(
 "@aws-sdk/client-sts::resolveRegion",
 "accepting first of:",
 `${region} (provider)`,
 `${parentRegion} (parent client)`,
+ `${envRegion} (environment)`,
 `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`
 );
- return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+ return region ?? parentRegion ?? envRegion ?? ASSUME_ROLE_DEFAULT_REGION;
 };
 /**