Cannot use FIPS s3 endpoints while using SSO. #9026

Open
fr4gment opened this issue May 13, 2024 · 4 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue service-api This issue is due to a problem in a service API, not the SDK implementation. sso

Comments

@fr4gment

Describe the bug

The ultimate issue I'm raising is that I am unable to use FIPS endpoints for s3 while also utilizing sso as my authentication method.

Expected Behavior

I'd expect one of the methods that I tried to allow SSO authentication while seamlessly being able to utilize s3's FIPS endpoints.

Current Behavior

Setting the AWS_USE_FIPS_ENDPOINT env variable to true causes authentication attempts to use an SSO URL that does not exist. The same thing occurs if you set the use_fips_endpoint option in the aws config file.

$ export AWS_USE_FIPS_ENDPOINT=true
$ aws sso login --profile <profile>

Could not connect to the endpoint URL: "https://oidc-fips.<region>.amazonaws.com/device_authorization"

This happens because there is no FIPS endpoint for SSO (in fact, the SSO FIPS endpoints for GovCloud do not use any FIPS identifiers in their FQDNs); you are intended to use the non-FIPS endpoint for SSO and then utilize the FIPS endpoint for the specific service you are attempting to access. This would be fine if I were able to provide service-specific settings for FIPS, but that also does not work, i.e. using this setting in the aws config file:

s3 =
    use_fips_endpoint = true

This setting is completely ignored when using s3 from the cli.

Attempts to utilize the endpoint override option --endpoint-url are unsuccessful, because s3 FIPS endpoints require virtual host-style addressing.

The s3 CLI expects a non-virtual host-style address in the --endpoint-url and is expecting the bucket name to be passed as a separate parameter:

aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://s3-fips.<region>.amazonaws.com

However, FIPS doesn't support https://s3-fips.<region>.amazonaws.com, which causes the above command to fail.

$ aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://s3-fips.<region>.amazonaws.com

Could not connect to the endpoint URL: "https://s3-fips.<region>.amazonaws.com/<bucket-name>?list-type=2&prefix=&delimiter=%2F&encoding-type=url"

Because FIPS requires Virtual Host-Style addressing, it would only support this type of command line:

aws s3 ls --profile <profile> --endpoint-url https://<bucket-name>.s3-fips.us-east-1.amazonaws.com

This does authenticate successfully, but the CLI is expecting it to return a Buckets property (presumably because it's expecting the --endpoint-url parameter to point to a URL that would have provided a listing of buckets, but the only supported FIPS endpoint is the bucket-specific address):

aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://<bucket-name>.s3-fips.<region>.amazonaws.com
'Buckets'

With the --debug option on, you can see that the 'Buckets' string being returned is actually an error for the key Buckets.

2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7475a09fdd90>>
2024-05-13 10:08:54,289 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.ListBuckets: calling handler <bound method S3RegionRedirectorv2.redirect_from_error of <botocore.utils.S3RegionRedirectorv2 object at 0x7475a09fd150>>
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListBuckets: calling handler <function enhance_error_msg at 0x7475a3313ec0>
2024-05-13 10:08:54,289 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.ListBuckets: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7475a09f19d0>>
2024-05-13 10:08:54,290 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 460, in main
  File "awscli/customizations/commands.py", line 151, in __call__
  File "awscli/customizations/commands.py", line 205, in __call__
  File "awscli/customizations/s3/subcommands.py", line 528, in _run_main
  File "awscli/customizations/s3/subcommands.py", line 594, in _list_all_buckets
KeyError: 'Buckets'

'Buckets'

The final option is to manually toggle the FIPS setting AWS_USE_FIPS_ENDPOINT (remove the setting for SSO login and then add it back when using s3 commands); however, during a substantially long file transfer the SSO token will need to be refreshed, and the refresh will attempt to utilize the FIPS endpoint and fail.

Reproduction Steps

Failing SSO auth

  • Replace <profile> with a valid profile in your config file.
$ export AWS_USE_FIPS_ENDPOINT=true
$ aws sso login --profile <profile>

Ignoring s3 use_fips_endpoint option

  1. Set your config file with the following settings.
[profile Test]
.
.
.
s3 =
    use_fips_endpoint = true
  2. Run the following commands (ensure --debug is added to see that it does not utilize a FIPS endpoint)
aws sso login --profile Test
aws s3 ls <bucket-name> --profile Test --debug

Specifying --endpoint-url parameter

This will fail because s3 FIPS only supports virtual host-style addresses in the URL.

aws s3 ls <bucket-name> --profile <profile> --endpoint-url https://s3-fips.<region>.amazonaws.com

Specifying the virtual host-name address (as required by FIPS) will fail with Buckets output. (utilize --debug to see the stack trace.)

aws s3 ls --profile <profile> --endpoint-url https://<bucket-name>.s3-fips.us-east-1.amazonaws.com --debug

Possible Solution

Some possible solutions:

  • Don't assume a FIPS endpoint for SSO when AWS_USE_FIPS_ENDPOINT or use_fips_endpoint global options are set.
  • Allow SSO specific settings to override FIPS global setting.
  • Allow S3 to utilize a FIPS specific option in the aws config file.
  • Allow --endpoint-url to handle Virtual Host-Only addresses to accommodate the FIPS limitation.

Additional Information/Context

No response

CLI version used

aws-cli/2.15.37 Python/3.11.8 Linux/6.5.0-9021-oem exe/x86_64.ubuntu.22 prompt/off

Environment details (OS name and version, etc.)

Ubuntu with Linux 6.5.0 x86_64

@fr4gment fr4gment added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 13, 2024
@tim-finnigan tim-finnigan self-assigned this May 20, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label May 20, 2024
@tim-finnigan (Contributor)

tim-finnigan commented May 20, 2024

Thanks for reaching out. I'm going to transfer this to our cross-SDK repository and reach out to the Identity Center team regarding this issue (ref: V1211727651), since they would need to provide support for the FIPS endpoint. I'll share any updates here in this issue.

@tim-finnigan tim-finnigan removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@tim-finnigan tim-finnigan transferred this issue from aws/aws-cli May 20, 2024
@tim-finnigan tim-finnigan added service-api This issue is due to a problem in a service API, not the SDK implementation. sso labels May 20, 2024
@fr4gment (Author)

Hi @tim-finnigan, any update you are able to provide on this issue?

@tim-finnigan (Contributor)

I confirmed that the SSO team has a backlog item to support the FIPS endpoint https://oidc-fips.us-gov-west-1.amazonaws.com/. The CLI/SDK rules are expecting the endpoint to look like that, so the SSO team needs to support that URL. In the meantime, have you tried manually specifying the endpoint as https://oidc.us-gov-west-1.amazonaws.com/?

@tim-finnigan tim-finnigan added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 11, 2024
@fr4gment (Author)

for SSO, you specify a start-url, which (if I understand it correctly) is the login portal/idp. There is no option to override the OIDC endpoint.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 12, 2024
@tim-finnigan tim-finnigan transferred this issue from aws/aws-sdk Oct 30, 2024
@tim-finnigan tim-finnigan added the p2 This is a standard priority issue label Oct 30, 2024
@tim-finnigan tim-finnigan removed their assignment Oct 30, 2024