aws / aws-cli

Universal Command Line Interface for Amazon Web Services

`AWS_USE_FIPS_ENDPOINT` should handle non-existing fips endpoints #8750

Closed CharmanderJieniJieni closed 1 week ago

CharmanderJieniJieni commented 2 weeks ago

Describe the bug

We have AWS_USE_FIPS_ENDPOINT enabled and noticed that if we make AWS CLI calls to regions that do not support a FIPS service endpoint, the AWS CLI still tries to append -fips to the API call, which ends in a DNS resolution error.

Expected Behavior

For example, if I enable AWS_USE_FIPS_ENDPOINT and then run `aws s3 ls --region ap-southeast-1`, the API call should redirect to "https://s3.ap-southeast-1.amazonaws.com/" since the FIPS service endpoint is not available in this region.

Current Behavior

Currently I get the error below:

```
"https://s3-fips.ap-southeast-1.amazonaws.com/": dial tcp: lookup s3-fips.ap-southeast-1.amazonaws.com on 127.0.0.53:53: no such host
```

Reproduction Steps

  1. Enable AWS_USE_FIPS_ENDPOINT
  2. Run `aws s3 ls --region ap-southeast-1`

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.16.9

Environment details (OS name and version, etc.)

Ubuntu 20

tim-finnigan commented 1 week ago

Thanks for reaching out. Here are the currently supported FIPS endpoints for reference: https://aws.amazon.com/compliance/fips/. The AWS CLI is working as intended here and resolving to the correct endpoint when AWS_USE_FIPS_ENDPOINT is set. There are no plans to support a redirect for non-FIPS supported regions. You can manually specify the endpoint URL if necessary by using `aws s3 ls --endpoint-url https://s3.ap-southeast-1.amazonaws.com`.
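Since the CLI will not fall back on its own, a preflight check that fails closed is the safer alternative to hand-editing `--endpoint-url`: it computes the S3 host the CLI will contact and refuses to proceed when FIPS is requested but the FIPS host does not resolve, rather than silently downgrading to the non-FIPS endpoint. This is an added example, not code from the aws-cli project; it assumes the `s3-fips.<region>.amazonaws.com` naming shown in the error above, that `getent` is available (it is on Ubuntu), and uses a hypothetical `RESOLVER_CMD` variable so the resolver can be swapped out.

```shell
#!/bin/sh
# Added example: fail-closed preflight for AWS_USE_FIPS_ENDPOINT with S3.
set -eu

# Build the S3 hostname the CLI will contact for a region. The second
# argument overrides AWS_USE_FIPS_ENDPOINT (the variable takes true/false).
# Assumption: the s3-fips.<region> pattern from the issue's error message.
s3_host() {
  region="$1"
  use_fips="${2:-${AWS_USE_FIPS_ENDPOINT:-false}}"
  case "$use_fips" in
    true|True|TRUE|1) printf 's3-fips.%s.amazonaws.com\n' "$region" ;;
    *)                printf 's3.%s.amazonaws.com\n' "$region" ;;
  esac
}

# Return 0 if the host resolves, non-zero otherwise. Defaults to getent so
# no extra tooling is needed; RESOLVER_CMD (hypothetical) lets tests inject
# a stub instead of doing live DNS.
host_resolves() {
  resolver="${RESOLVER_CMD:-getent hosts}"
  $resolver "$1" >/dev/null 2>&1
}

# Preflight: print the host and return 0 when it resolves. If the FIPS host
# is unreachable, report it and return 2 instead of retrying without FIPS,
# so a caller cannot end up on a non-FIPS endpoint by accident.
preflight() {
  host="$(s3_host "$1")"
  if host_resolves "$host"; then
    echo "ok: $host"
    return 0
  fi
  echo "refusing: $host does not resolve (FIPS requested, not served in $1)" >&2
  return 2
}

# Usage: AWS_USE_FIPS_ENDPOINT=true; preflight ap-southeast-1 && aws s3 ls --region ap-southeast-1
```

A non-zero exit from `preflight` is the signal to stop and choose a FIPS-capable region, rather than to re-run with the plain endpoint.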

github-actions[bot] commented 1 week ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.