The ultimate issue I'm raising is that I am unable to use FIPS endpoints for s3 while also utilizing sso as my authentication method.
Expected Behavior
I'd expect one of the methods that I tried to allow SSO authentication while seamlessly being able to utilize s3's FIPS endpoints.
Current Behavior
Setting the AWS_USE_FIPS_ENDPOINT env variable to true causes authentication attempts to use an SSO URL that does not exist. The same thing occurs if you set the use_fips_endpoint option in the aws config file.
$ export AWS_USE_FIPS_ENDPOINT=true
$ aws sso login --profile <profile>
Could not connect to the endpoint URL: "https://oidc-fips.<region>.amazonaws.com/device_authorization"
This happens because there is no FIPS endpoint for SSO (in fact, the SSO FIPS endpoints for GovCloud do not use any FIPS identifiers in their FQDNs); you're intended to use the non-FIPS endpoint for SSO and then utilize the FIPS endpoint for the specific service you are attempting to access. This would be fine if I were able to provide service-specific settings for FIPS, but that also does not work, i.e. using this setting in the aws config file:
s3 =
  use_fips_endpoint = true
This setting is completely ignored when using s3 from the CLI.
Attempts to utilize the endpoint override option --endpoint-url are unsuccessful, because s3 FIPS endpoints require Virtual Host-Style addressing. The s3 CLI expects a non-virtual host-style address in the --endpoint-url and expects the bucket name to be passed as a separate parameter:
aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://s3-fips.<region>.amazonaws.com
However, FIPS doesn't support https://s3-fips.<region>.amazonaws.com, which causes the above command to fail.
$ aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://s3-fips.<region>.amazonaws.com
Could not connect to the endpoint URL: "https://s3-fips.<region>.amazonaws.com/<bucket-name>?list-type=2&prefix=&delimiter=%2F&encoding-type=url"
Because FIPS requires Virtual Host-Style addressing, it would only support this type of command line:
aws s3 ls --profile <profile> --endpoint-url https://<bucket-name>.s3-fips.us-east-1.amazonaws.com
This does authenticate successfully, but the CLI program is expecting it to return a Bucket property (assuming because it's expecting the --endpoint-url parameter to point to a URL that would have provided a listing of buckets, but the only supported FIPS endpoint is the bucket-specific address):
aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://<bucket-name>.s3-fips.<region>.amazonaws.com
'Buckets'
With the --debug option on, you can see that the 'Buckets' string being returned is actually an error for the key Buckets.
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7475a09fdd90>>
2024-05-13 10:08:54,289 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method S3RegionRedirectorv2.redirect_from_error of <botocore.utils.S3RegionRedirectorv2 object at 0x7475a09fd150>>
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListBuckets: calling handler <function enhance_error_msg at 0x7475a3313ec0>
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListBuckets: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7475a09f19d0>>
2024-05-13 10:08:54,290 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
File "awscli/clidriver.py", line 460, in main
File "awscli/customizations/commands.py", line 151, in __call__
File "awscli/customizations/commands.py", line 205, in __call__
File "awscli/customizations/s3/subcommands.py", line 528, in _run_main
File "awscli/customizations/s3/subcommands.py", line 594, in _list_all_buckets
KeyError: 'Buckets'
'Buckets'
The final option is to manually set the FIPS setting AWS_USE_FIPS_ENDPOINT (remove the setting for SSO and then add the setting back when using s3 commands); however, during a substantially long file transfer, the SSO token will need to be refreshed, and the refresh will attempt to utilize the FIPS endpoint and fail.
Reproduction Steps
1. Failing SSO auth: config file.
2. Ignoring s3 use_fips_endpoint option: config file with the following settings.
3. Specifying --endpoint-url parameter: this will fail because s3 FIPS only supports a virtual host-style address in the URL.
4. Specifying the virtual host-name address (as required by FIPS) will fail with 'Buckets' output (utilize --debug to see the stack trace).
Possible Solution
Some possible solutions:
- AWS_USE_FIPS_ENDPOINT or use_fips_endpoint global options are set.
- config file.
- --endpoint-url to handle Virtual Host-Only addresses to accommodate the FIPS limitation.
Additional Information/Context
No response
CLI version used
aws-cli/2.15.37 Python/3.11.8 Linux/6.5.0-9021-oem exe/x86_64.ubuntu.22 prompt/off
Environment details (OS name and version, etc.)
Ubuntu with Linux 6.5.0 x86_64
Thanks for reaching out. I'm going to transfer this to our cross-SDK repository and reach out to the Identity Center team regarding this issue (ref: V1211727651), since they would need to provide support for the FIPS endpoint. I'll share any updates here in this issue.
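As an added example (not code from the issue, aws-cli or botocore), the following Python script models the behaviour the reporter describes: it parses the nested "s3 =" stanza from an aws config file with the standard-library configparser, honours a service-scoped use_fips_endpoint the way the reporter expected the CLI to, and resolves the SSO OIDC and S3 endpoints separately so that the SSO step never receives a "-fips" hostname while the S3 step does. The profile and session names, account id, role, start URL, regions and bucket are constructed placeholders, and the per-service policy (OIDC host never FIPS-suffixed, S3 virtual-host form when a bucket is known) encodes only what the issue reports, not AWS's actual endpoint rules.

```python
import configparser

# Constructed sample ~/.aws/config modelled on the nested "s3 =" stanza quoted in
# the issue. Profile/session names, account id, role, regions and start URL are
# placeholders, not real values.
SAMPLE_CONFIG = """\
[profile fips-demo]
sso_session = demo
sso_account_id = 123456789012
sso_role_name = ReadOnly
region = us-east-1
s3 =
  use_fips_endpoint = true

[sso-session demo]
sso_start_url = https://example.awsapps.com/start
sso_region = us-west-2
"""


def parse_config(config_text):
    """configparser handles the INI layout of ~/.aws/config; it folds the indented
    lines under "s3 =" into one multi-line value, which profile_settings splits."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser


def profile_settings(parser, profile):
    """Return (top-level settings, nested per-service stanzas) for one profile."""
    settings, services = {}, {}
    for key, value in parser[f"profile {profile}"].items():
        if "\n" in value:  # nested stanza such as "s3 =\n  use_fips_endpoint = true"
            sub = {}
            for line in value.strip().splitlines():
                k, _, v = line.partition("=")
                sub[k.strip()] = v.strip()
            services[key] = sub
        else:
            settings[key] = value
    return settings, services


def fips_wanted(settings, services, service, env_flag=False):
    """Effective FIPS preference for one service: the service-scoped setting wins,
    then the profile-wide use_fips_endpoint, then the AWS_USE_FIPS_ENDPOINT flag."""
    scoped = services.get(service, {}).get("use_fips_endpoint")
    if scoped is not None:
        return scoped.lower() == "true"
    if "use_fips_endpoint" in settings:
        return settings["use_fips_endpoint"].lower() == "true"
    return env_flag


def global_flag_endpoint(service_prefix, region, fips):
    """What the issue reports a single global flag doing: inserting '-fips' into
    every hostname, including the OIDC one for which no such host exists."""
    return f"https://{service_prefix}{'-fips' if fips else ''}.{region}.amazonaws.com"


def scoped_endpoint(service, region, fips, bucket=None):
    """Per-service resolution modelled on the issue's findings (an assumption, not
    AWS's endpoint rules): SSO OIDC always uses the plain host; S3 switches to the
    s3-fips host and, when a bucket is known, the virtual-host-style form."""
    if service == "sso-oidc":
        return f"https://oidc.{region}.amazonaws.com"
    if service == "s3":
        host = f"s3-fips.{region}.amazonaws.com" if fips else f"s3.{region}.amazonaws.com"
        return f"https://{bucket}.{host}" if bucket else f"https://{host}"
    raise ValueError(f"no resolver for service {service!r}")


def plan(config_text, profile, bucket, env_flag=False):
    """Endpoints a FIPS-aware client would use for 'sso login' followed by 's3 ls'
    on one bucket; the OIDC call uses the sso-session's sso_region."""
    parser = parse_config(config_text)
    settings, services = profile_settings(parser, profile)
    sso_region = parser[f"sso-session {settings['sso_session']}"]["sso_region"]
    return {
        "sso_login": scoped_endpoint(
            "sso-oidc", sso_region, fips_wanted(settings, services, "sso-oidc", env_flag)),
        "s3_list": scoped_endpoint(
            "s3", settings["region"], fips_wanted(settings, services, "s3", env_flag), bucket),
    }


if __name__ == "__main__":
    # Even with the global flag on, only the S3 step picks up a FIPS host.
    for step, url in plan(SAMPLE_CONFIG, "fips-demo", "my-bucket", env_flag=True).items():
        print(f"{step:10s} {url}")
```

Running it prints the plain oidc host for the login step and the bucket-prefixed s3-fips host for the listing step; calling global_flag_endpoint("oidc", region, True) instead reproduces the nonexistent oidc-fips hostname from the error at the top of the issue, which is the difference between a global toggle and service-scoped resolution.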