aws / git-remote-codecommit

An implementation of Git Remote Helper that makes it easier to interact with AWS CodeCommit
Apache License 2.0

Use FIPS endpoints when defined in ~/.aws/config or AWS_USE_FIPS_ENDPOINT environment variable #45

Open sdickman-manh opened 1 year ago

sdickman-manh commented 1 year ago

To simplify the use of FIPS endpoints I recommend that git-remote-codecommit use the same mechanisms as the AWS SDKs:

https://docs.aws.amazon.com/general/latest/gr/rande.html#FIPS-endpoints

To specify a FIPS endpoint when you call an AWS operation, use a mechanism provided by the tool that you're using to make the call. For example, the AWS SDKs provide the following mechanisms to enable the use of FIPS endpoints:

  • Set the AWS_USE_FIPS_ENDPOINT environment variable to true
  • Add use_fips_endpoint=true to your ~/.aws/config file

We currently use the undocumented environment variable CODE_COMMIT_ENDPOINT to do this, but would prefer that AWS_USE_FIPS_ENDPOINT apply here also.

sdickman-manh commented 1 year ago

I did a quick test by changing line 204 and it successfully polled AWS_USE_FIPS_ENDPOINT and used the FIPS endpoint. But I suspect there is a cleaner way to leverage botocore to generate the appropriate URL.

https://github.com/aws/git-remote-codecommit/blob/master/git_remote_codecommit/__init__.py#L204

  # Switch to the FIPS host prefix when AWS_USE_FIPS_ENDPOINT is set to "true"
  if os.environ.get("AWS_USE_FIPS_ENDPOINT") == "true":
    endpoint = "git-codecommit-fips"
  else:
    endpoint = "git-codecommit"

  # CODE_COMMIT_ENDPOINT, when set, still overrides the computed hostname
  hostname = os.environ.get('CODE_COMMIT_ENDPOINT', '{}.{}.{}'.format(endpoint, region, website_domain_mapping(region)))
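
An added example (not code from the project or from either comment above) of the lookup this issue asks for, using only the standard library: it honours both AWS_USE_FIPS_ENDPOINT and use_fips_endpoint in the shared config, keeps CODE_COMMIT_ENDPOINT as an override, and reports when that override would silently drop the FIPS host. The function names, the env-over-config precedence, the passed-in `domain` (standing in for `website_domain_mapping(region)`) and the prefix-based bypass check are assumptions.

```python
import configparser

# Constructed sample of ~/.aws/config contents (not taken from the issue).
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile fips]
region = us-east-2
use_fips_endpoint = true
"""

def _as_bool(value):
    # Assumption: as in the SDKs, only "true" (any case) enables the setting.
    return value is not None and value.strip().lower() == "true"

def fips_requested(environ, config_text="", profile="default"):
    """True when FIPS endpoints are requested via env var or shared config."""
    # Assumption: a set environment variable wins over the config file.
    if "AWS_USE_FIPS_ENDPOINT" in environ:
        return _as_bool(environ["AWS_USE_FIPS_ENDPOINT"])
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    # Non-default profiles are named "[profile NAME]" in ~/.aws/config.
    section = "default" if profile == "default" else "profile " + profile
    return _as_bool(parser.get(section, "use_fips_endpoint", fallback=None))

def resolve_hostname(region, domain, environ, config_text="", profile="default"):
    """Return (hostname, fips_bypassed) for the CodeCommit Git endpoint."""
    fips = fips_requested(environ, config_text, profile)
    prefix = "git-codecommit-fips" if fips else "git-codecommit"
    default_host = "{}.{}.{}".format(prefix, region, domain)
    # CODE_COMMIT_ENDPOINT keeps its role as an explicit override.
    host = environ.get("CODE_COMMIT_ENDPOINT", default_host)
    # Heuristic: flag an override that drops the FIPS prefix while FIPS is requested.
    fips_bypassed = fips and not host.startswith("git-codecommit-fips.")
    return host, fips_bypassed

if __name__ == "__main__":
    print(resolve_hostname("us-east-2", "amazonaws.com", {}, SAMPLE_CONFIG, "fips"))
```

A caller that must stay on FIPS endpoints can refuse to connect when the second return value is true instead of proceeding with the overridden host.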