From f7c7633cc226d65fb3ed0a996750a38105d2aa28 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Fri, 30 May 2025 16:11:35 -0400 Subject: [PATCH] Update STS known issue into important-changes and release-notes (#30766) --- .../docs/updates/important-changes.mdx | 26 +++++++++++++++++++ .../content/docs/updates/release-notes.mdx | 1 + 2 files changed, 27 insertions(+) diff --git a/website/content/docs/updates/important-changes.mdx b/website/content/docs/updates/important-changes.mdx index a642520a14..43337db26a 100644 --- a/website/content/docs/updates/important-changes.mdx +++ b/website/content/docs/updates/important-changes.mdx @@ -352,3 +352,29 @@ similar to the following folder structure for Alternatively, upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+, 1.18.10+, 1.19.4+. See [Register external plugins](/vault/docs/plugins/register) for more details. + +## AWS STS configuration can fail if STS endpoints are unspecified ((#aws-fallback-sts)) + +| Change | Affected version | Affected deployments +| ------ | ---------------- | -------------------- +| Bug | 1.19.0-1.19.3 | any + +When configuring an sts endpoint in the AWS Secrets engine, or when upgrading Vault with such an endpoint, +if no sts_endpoint is set, the engine will return an error stating that the number of endpoints and regions do not match: + +``` +{"errors":["number of regions does not match number of endpoints"]} +``` + +### Recommendation + +Explicitly set the default endpoint and region when configuring sts: + +``` +{ +... + sts_region = "us-east-1" + sts_endpoint = "https://sts.amazonaws.com" +... +} +``` diff --git a/website/content/docs/updates/release-notes.mdx b/website/content/docs/updates/release-notes.mdx index 2d9c357569..f59e4b0514 100644 --- a/website/content/docs/updates/release-notes.mdx +++ b/website/content/docs/updates/release-notes.mdx 
@@ -40,6 +40,7 @@ description: >- | Known issue | 1.19.x | [Automated rotation stops after unseal](/vault/docs/updates/important-changes#rotation-stops) | Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Azure Auth fails to authenticate Uniform VMSS instances](/vault/docs/updates/important-changes#azure-vmss) | Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [External Vault Enterprise plugins can't run on a standby node when it becomes active](/vault/docs/updates/important-changes#external-enterprise-plugins) +| Known issue | 1.19.x | [AWS STS secrets can fail if STS endpoints are unspecified](/vault/docs/updates/important-changes#aws-fallback-sts) | Breaking | 1.20.x | [`disable_mlock` required for integrated storage](/vault/docs/updates/important-changes#disable_mlock-config) ## Feature deprecations and EOL
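Review bot: the trigger sentence in the new important-changes section contradicts itself: it opens with "When configuring an sts endpoint in the AWS Secrets engine" and then says the error occurs "if no sts_endpoint is set". Given the error text "number of regions does not match number of endpoints" and a recommendation that sets both `sts_region` and `sts_endpoint`, the condition is presumably an `sts_region` configured without a matching `sts_endpoint`; say that explicitly, e.g. "When `sts_region` is set without a corresponding `sts_endpoint`, or when upgrading Vault with such a configuration, ...". Two smaller points in the same hunk: neither fence carries a language tag, and the second one is a config fragment, so tag it (```hcl or ```json, whichever the surrounding page uses) so it renders with highlighting; and the table bounds the affected versions at 1.19.0-1.19.3 but the text never names the release that resolves the problem, so either state the fixed version the upper bound implies or widen the range until a fix has shipped.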
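Review bot: the new release-notes row does not match the section it links to: it lists the affected version as 1.19.x while the important-changes table in the same patch says 1.19.0-1.19.3, and its link text "AWS STS secrets can fail if STS endpoints are unspecified" differs from the target heading "AWS STS configuration can fail if STS endpoints are unspecified". Use one wording and one version range in both places so a reader following the link finds the same title and scope. Placing the row beside the other 1.19.x-only known issue, "Automated rotation stops after unseal", would also keep the table grouped by affected version rather than appending it after the multi-version entries.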