redshift aws-us-gov partition fips endpoint doesn't work #4797

Open
michaeldop opened this issue Apr 13, 2023 · 6 comments
Labels
bug This issue is a bug. p3 This is a minor priority issue workaround-available

@michaeldop

Describe the bug

When setting UseFIPSEndpoint to true, I cannot use the redshift client in the aws-us-gov partition.

Expected Behavior

The redshift client works with UseFIPSEndpoint in aws-us-gov partition

Current Behavior

The host is incorrect; it needs to drop the -fips

failed to describe clusters RequestError: send request failed
caused by: Post "https://redshift-fips.us-gov-west-1.amazonaws.com/": dial tcp: lookup redshift-fips.us-gov-west-1.amazonaws.com: no such host

Reproduction Steps

package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/endpoints"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/redshift"
)


func main() {
	// Resolve the region's endpoint directly
	endpoint, err := endpoints.DefaultResolver().EndpointFor(redshift.EndpointsID, endpoints.UsGovWest1RegionID, endpoints.UseFIPSEndpointOption)
	if err != nil {
		fmt.Println("failed to get endpoint", err)
	}
	fmt.Println("Redshift Resolved Endpoint:", endpoint.URL, "Region:", endpoint.SigningRegion)

	// Create a session and service client configured for the region.
	sess := session.Must(session.NewSession(&aws.Config{
		Region:          aws.String(endpoints.UsGovWest1RegionID),
		UseFIPSEndpoint: endpoints.FIPSEndpointStateEnabled,
	}))

	// test redshift
	svc := redshift.New(sess)
	fmt.Println("Redshift Client Endpoint:", svc.ClientInfo.Endpoint, "Region:", svc.ClientInfo.SigningRegion)

	_, err = svc.DescribeClusters(&redshift.DescribeClustersInput{})
	if err != nil {
		fmt.Println("failed to describe clusters", err)
	}

	// test application-autoscaling, autoscaling-plans
}

Possible Solution

No response

Additional Information/Context

No response

SDK version used

v1.44.241

Environment details (Version of Go (go version)? OS name and version, etc.)

go version go1.20.2 darwin/amd64

@michaeldop michaeldop added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 13, 2023
@jmklix
Member

jmklix commented Apr 13, 2023

Thanks for pointing this out. We are in the process of getting these endpoints updated, but this requires changes to the services. This might take a while so please use this workaround while waiting for this to be updated. You can find the correct endpoints here:

	sess := session.Must(session.NewSession(&aws.Config{
		Region:   aws.String(endpoints.UsGovWest1RegionID),
		Endpoint: aws.String("https://redshift.us-gov-west-1.amazonaws.com"),
	}))

@jmklix jmklix added p3 This is a minor priority issue workaround-available and removed needs-triage This issue or PR still needs to be triaged. labels Apr 13, 2023
@mebays

mebays commented May 4, 2023

Is there a record on how many of these endpoints are incorrect? In my case there are multiple applications using the sdk-go library (some of them are Kubernetes core service related) where I don't modify the code. Running in gov cloud it has been suggested to use all fips endpoints, but seeing AWS_USE_FIPS_ENDPOINT=true can be problematic if the endpoints aren't correct. I see the same issue within the terraform-aws-provider but that could be their version of the SDK. Any updates on when this may get fixed, not as a workaround?

@RanVaknin
Contributor

Hi,

This issue has been brought up multiple times. We have identified about 20 services that were impacted, and almost all of them have pushed a fix. I believe that Redshift and SSO are the only two remaining services that have not pushed a fix yet, but this is a work in progress (this is solved upstream with the service team itself, not on the SDK level).

Right now you can use the workaround mentioned by @jmklix, or upgrade to v2, which doesn't rely on the same endpoint resolution logic and is not impacted.

I'm going to keep this issue open until we get Redshift sorted out.

Thanks,
Ran~

@lorengordon

@RanVaknin Is there a similar tracking issue for the SSO endpoint resolution? There's an open issue on terraform where folks are reporting several of the other impacted services, also:

  • appautoscaling
  • cloudfront
  • cloudformation
  • kinesis
  • ram
  • resourcegroupstaggingapi
  • route53resolver
  • servicequotas
  • sns
  • waf

@IvanLaktyunkin

Hit same issue with ec2-fips.us-gov-west-1.amazonaws.com :(

@RanVaknin
Contributor

Hi all,

The only 2 remaining services that have not fixed their FIPS configuration are SSO and Redshift.

If you need help mitigating this you can file a support ticket using the AWS console and ask for an escalation. Currently this is not actionable by the SDK team.

You can also consider upgrading to Go SDK v2 which uses a different endpoint resolution scheme altogether.

Thanks,
Ran
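
For deployments that set AWS_USE_FIPS_ENDPOINT=true across applications they cannot modify, a pre-flight DNS check shows which derived FIPS hostnames fail the way this issue describes. This is an added example, not code from the thread or the SDK; `CheckFIPSHosts`, `fipsHost` and the `<service>-fips.<region>.amazonaws.com` pattern are assumptions taken from the hostnames in the error messages above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// lookupFunc matches net.LookupHost so a fake resolver can be injected.
type lookupFunc func(host string) ([]string, error)

// Result records how one derived FIPS hostname behaved.
type Result struct {
	Service, Host string
	Resolves      bool
	Err           error // non-NXDOMAIN failure: inconclusive, not "missing"
}

// fipsHost builds the hostname shape quoted in this thread (assumed pattern,
// e.g. redshift-fips.us-gov-west-1.amazonaws.com), not the SDK's endpoint model.
func fipsHost(service, region string) string {
	return fmt.Sprintf("%s-fips.%s.amazonaws.com", service, region)
}

// CheckFIPSHosts resolves the derived FIPS hostname for each service and
// separates "no such host" (the failure reported here) from other errors.
func CheckFIPSHosts(services []string, region string, lookup lookupFunc) []Result {
	out := make([]Result, 0, len(services))
	for _, svc := range services {
		r := Result{Service: svc, Host: fipsHost(svc, region)}
		addrs, err := lookup(r.Host)
		var dnsErr *net.DNSError
		switch {
		case err == nil && len(addrs) > 0:
			r.Resolves = true
		case errors.As(err, &dnsErr) && dnsErr.IsNotFound: // NXDOMAIN, as in the report
		default:
			r.Err = err // timeout or resolver outage: do not treat as a missing endpoint
		}
		out = append(out, r)
	}
	return out
}

func main() {
	for _, r := range CheckFIPSHosts([]string{"redshift", "ec2"}, "us-gov-west-1", net.LookupHost) {
		fmt.Printf("%-10s %-48s resolves=%v err=%v\n", r.Service, r.Host, r.Resolves, r.Err)
	}
}
```

A host that fails with NXDOMAIN is a candidate for an explicit `Endpoint` override like the workaround above; a result with `Err` set should be retried rather than overridden.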
