CLI is using the wrong FIPS endpoint for resource groups tagging API #9081

markdboyd opened this issue Nov 18, 2024 · 5 comments
Labels: bug (This issue is a bug.), p2 (This is a standard priority issue), resourcegroupstaggingapi, response-requested (Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.)

Comments

@markdboyd

Describe the bug

When trying to use the aws resourcegroupstaggingapi service from the CLI with use_fips_endpoint = true in my AWS config, I'm getting this error:

Could not connect to the endpoint URL: "https://tagging-fips.us-gov-west-1.amazonaws.com/"

This error makes sense because indeed that endpoint does not exist. There is no specific FIPS endpoint for the tagging service, so the actual endpoint should be https://tagging.us-gov-west-1.amazonaws.com/.

Somehow the CLI is configured to use the wrong endpoint when running in FIPS mode.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

There should be no endpoint errors when trying to run aws resourcegroupstaggingapi commands

Current Behavior

Got this error when trying to run aws resourcegroupstaggingapi commands:

Could not connect to the endpoint URL: "https://tagging-fips.us-gov-west-1.amazonaws.com/"

Reproduction Steps

  1. Configure the AWS CLI to use FIPS endpoints.
  2. Run a command like aws resourcegroupstaggingapi get-resources

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.21.3

Environment details (OS name and version, etc.)

Mac OS Sonoma 14.7.1

@markdboyd markdboyd added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Nov 18, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added resourcegroupstaggingapi p2 This is a standard priority issue needs-review This issue or pull request needs review from a core team member. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2024
@RyanFitzSimmonsAK
Contributor

Hi @markdboyd, thanks for reaching out. This behavior is documented (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-endpoints.html).

If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the --endpoint-url option or use service-specific endpoints.

Additionally, the expected behavior you described of defaulting to a GovCloud endpoint if a FIPS endpoint doesn't exist isn't something we support. Please let me know if you have any follow-up questions.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-review This issue or pull request needs review from a core team member. labels Nov 19, 2024
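The two workarounds the reply points to (a service-specific endpoint in the config, or --endpoint-url on the command line), written out as an added configuration example that is not from the issue, the CLI docs or botocore; the profile and services names are made up, and the `resource_groups_tagging_api` key is assumed to be the CLI's service ID lowercased with spaces replaced by underscores.

```ini
# ~/.aws/config (constructed example; profile and services section names are made up)
[profile govcloud-fips]
region = us-gov-west-1
# Keep FIPS endpoints on for every service that has one; this stays in force
# for all other services, so only the tagging call is affected below.
use_fips_endpoint = true
# Hand the tagging service an explicit endpoint so it does not resolve to the
# nonexistent tagging-fips.us-gov-west-1.amazonaws.com host.
services = govcloud-overrides

[services govcloud-overrides]
# Assumption: service key = serviceId "Resource Groups Tagging API", lowercased,
# spaces replaced with underscores.
resource_groups_tagging_api =
  endpoint_url = https://tagging.us-gov-west-1.amazonaws.com

# Per-command alternative, without editing the config:
#   aws resourcegroupstaggingapi get-resources --profile govcloud-fips \
#       --endpoint-url https://tagging.us-gov-west-1.amazonaws.com
```

Scoping the override to one service keeps the explicit, auditable choice of a non-FIPS host visible in the config rather than hidden in a silent fallback.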
@markdboyd
Author

@RyanFitzSimmonsAK Thanks for responding. I can see that this behavior is documented as you say.

Is there a reason that the CLI cannot or will not be updated to only use FIPS endpoints when they're available rather than failing when a FIPS endpoint does not exist?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 19, 2024
@markdboyd
Author

Would it be better to report this issue on https://github.com/boto/botocore since I assume that is where the relevant code lives?

@markdboyd
Author

To be even more precise, could the issue be resolved by changing this configuration to use the non-FIPS endpoints?

https://github.com/boto/botocore/blob/develop/botocore/data/resourcegroupstaggingapi/2017-01-26/endpoint-rule-set-1.json#L176

@RyanFitzSimmonsAK
Contributor

Is there a reason that the CLI cannot or will not be updated to only use FIPS endpoints when they're available rather than failing when a FIPS endpoint does not exist?

This is definitely a breaking change, and also presents security and compliance concerns if users could end up using a non-FIPS endpoint when they want to be using one.

Given that this is documented and intentional, it's not really a bug. If you have a specific feature request that you think would make this behavior easier to use or more intuitive, I encourage you to open a feature request in this repository.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 21, 2024