boto / botocore

The low-level, core functionality of boto3 and the AWS CLI.
Apache License 2.0

Incorrect appconfigdata endpoint for FIPS in us-gov regions #3072

Closed kob-aha closed 10 months ago

kob-aha commented 10 months ago

Describe the bug

Using Boto for calling 'appconfigdata' while setting AWS_USE_FIPS_ENDPOINT=true fails as it tries to access 'https://appconfigdata-fips.us-gov-west-1.amazonaws.com' which does not exist.

The same happens when using AWS CLI.

Expected Behavior

When enabling FIPS with AWS_USE_FIPS_ENDPOINT=true, Boto should use the correct endpoint ('https://appconfigdata.us-gov-west-1.amazonaws.com')

Current Behavior

File ".venv/lib/python3.8/site-packages/botocore/client.py", line 535, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File ".venv/lib/python3.8/site-packages/botocore/client.py", line 963, in _make_api_call
    http, parsed_response = self._make_request(
  File ".venv/lib/python3.8/site-packages/botocore/client.py", line 989, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File ".venv/lib/python3.8/site-packages/botocore/endpoint.py", line 119, in make_request
    return self._send_request(request_dict, operation_model)
  File ".venv/lib/python3.8/site-packages/botocore/endpoint.py", line 202, in _send_request
    while self._needs_retry(
  File ".venv/lib/python3.8/site-packages/botocore/endpoint.py", line 354, in _needs_retry
    responses = self._event_emitter.emit(
  File ".venv/lib/python3.8/site-packages/botocore/hooks.py", line 412, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File ".venv/lib/python3.8/site-packages/botocore/hooks.py", line 256, in emit
    return self._emit(event_name, kwargs)
  File ".venv/lib/python3.8/site-packages/botocore/hooks.py", line 239, in _emit
    response = handler(**kwargs)
  File ".venv/lib/python3.8/site-packages/botocore/retryhandler.py", line 207, in __call__
    if self._checker(**checker_kwargs):
  File ".venv/lib/python3.8/site-packages/botocore/retryhandler.py", line 284, in __call__
    should_retry = self._should_retry(
  File ".venv/lib/python3.8/site-packages/botocore/retryhandler.py", line 320, in _should_retry
    return self._checker(attempt_number, response, caught_exception)
  File ".venv/lib/python3.8/site-packages/botocore/retryhandler.py", line 363, in __call__
    checker_response = checker(
  File ".venv/lib/python3.8/site-packages/botocore/retryhandler.py", line 247, in __call__
    return self._check_caught_exception(
  File ".venv/lib/python3.8/site-packages/botocore/retryhandler.py", line 416, in _check_caught_exception
    raise caught_exception
  File ".venv/lib/python3.8/site-packages/botocore/endpoint.py", line 281, in _do_get_response
    http_response = self._send(request)
  File ".venv/lib/python3.8/site-packages/botocore/endpoint.py", line 377, in _send
    return self.http_session.send(request)
  File ".venv/lib/python3.8/site-packages/botocore/httpsession.py", line 493, in send
    raise EndpointConnectionError(endpoint_url=request.url, error=e)
botocore.exceptions.EndpointConnectionError: Could not connect to the endpoint URL: "https://appconfigdata-fips.us-gov-west-1.amazonaws.com/configurationsessions"

Reproduction Steps

Run the following while connecting to GovCloud account:

import os

import boto3
from botocore.config import Config

# Ask botocore to resolve the FIPS variant of every service endpoint
# for clients created after this point (same effect as exporting the
# variable in the shell).
os.environ['AWS_USE_FIPS_ENDPOINT'] = 'true'

# Placeholder identifiers; substitute the real AppConfig resource IDs.
sdk_options = {
    'ApplicationIdentifier': 'APP_ID',
    'ConfigurationProfileIdentifier': 'CONF_PROFILE_ID',
    'EnvironmentIdentifier': 'ENV_ID'
}
sdk_config = Config(region_name='us-gov-west-1')
client = boto3.client('appconfigdata', config=sdk_config)

# Raises EndpointConnectionError: the resolved host
# appconfigdata-fips.us-gov-west-1.amazonaws.com does not resolve.
client.start_configuration_session(**sdk_options)

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.32.5

Environment details (OS name and version, etc.)

MacOS 14.1.1

tim-finnigan commented 10 months ago

Hi @kob-aha thanks for reaching out. The AppConfigData service does not have endpoints documented on this page: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service. However, AppConfig does have these endpoints on that page:

But in the AppConfig User Guide, the AppConfigData endpoints are documented as well: https://docs.aws.amazon.com/general/latest/gr/appconfig.html

So while both services have GovCloud endpoints, neither one follows the newer format: <service>-fips.<region>.<domain suffix>. The endpoint ruleset file points to the correctly formatted endpoint. So the next step here is for the AppConfig/AppConfigData team to support the https://appconfigdata-fips.* endpoints. I found that there is already an internal work item for them to correct the endpoint naming convention. If you have an AWS Support plan then we recommend reaching out through support for any updates related to this.

In the meantime you can specify the endpoint_url manually, for example:

client = boto3.client('appconfigdata', endpoint_url='https://appconfigdata.us-gov-west-1.amazonaws.com')

I hope that helps. Thanks again for raising this issue. Since this needs to be addressed by the service team, I will close the issue here, but if you have any follow up questions please let us know.
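Added example, not code from the issue thread or from the botocore project: it derives the two hostnames discussed above (the `<service>-fips.<region>.<dns suffix>` form the endpoint ruleset produces and the plain form used in the workaround) and sanity-checks a manual `endpoint_url` before it is handed to `boto3.client()`. An `endpoint_url` override wins over `AWS_USE_FIPS_ENDPOINT` and sends every SigV4-signed request to whatever host it names, so a typo or a copy-pasted value from an untrusted source is worth catching. The partition suffix table and the prefix-based region-to-partition mapping are assumptions of this snippet, and it performs no DNS lookup, so it cannot tell you whether the FIPS host actually resolves yet.

```python
"""Sanity-check a manual endpoint_url override for an AWS service client.

Pure Python, no network and no botocore; the naming conventions encoded
here are assumptions taken from the issue discussion, not from the SDK.
"""
from urllib.parse import urlsplit

# Assumption: DNS suffix per partition. aws and aws-us-gov share amazonaws.com.
PARTITION_SUFFIXES = {
    "aws": "amazonaws.com",
    "aws-us-gov": "amazonaws.com",
    "aws-cn": "amazonaws.com.cn",
}


def partition_for_region(region: str) -> str:
    """Map a region code to its partition. Assumption: prefix-based mapping."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def expected_endpoints(service: str, region: str) -> dict:
    """Hosts the newer FIPS convention (<service>-fips.<region>.<suffix>)
    and the plain convention (<service>.<region>.<suffix>) yield."""
    suffix = PARTITION_SUFFIXES[partition_for_region(region)]
    return {
        "fips": f"https://{service}-fips.{region}.{suffix}",
        "standard": f"https://{service}.{region}.{suffix}",
    }


def check_endpoint_override(url: str, service: str, region: str) -> dict:
    """Return a verdict dict for a candidate endpoint_url.

    ok     -> scheme is https, port is 443 (or absent) and the host is
              exactly one of the two hosts expected_endpoints() derives
    fips   -> True when the accepted host is the -fips variant
    reason -> why the URL was rejected (empty string when ok)

    Exact host comparison (not endswith) rejects look-alikes such as
    "<host>.evil.example" and userinfo tricks such as "<host>@evil.example".
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return {"ok": False, "fips": False,
                "reason": f"scheme {parts.scheme!r} is not https"}
    if parts.port not in (None, 443):
        return {"ok": False, "fips": False,
                "reason": f"unexpected port {parts.port}"}
    host = (parts.hostname or "").lower()
    exp = expected_endpoints(service, region)
    if host == urlsplit(exp["fips"]).hostname:
        return {"ok": True, "fips": True, "reason": ""}
    if host == urlsplit(exp["standard"]).hostname:
        return {"ok": True, "fips": False, "reason": ""}
    return {"ok": False, "fips": False,
            "reason": f"host {host!r} is not an expected {service} endpoint for {region}"}


if __name__ == "__main__":
    # Constructed candidates: the two hosts from the issue plus three bad ones.
    for candidate in (
        "https://appconfigdata-fips.us-gov-west-1.amazonaws.com",
        "https://appconfigdata.us-gov-west-1.amazonaws.com",
        "http://appconfigdata.us-gov-west-1.amazonaws.com",
        "https://appconfigdata.us-gov-west-1.amazonaws.com.evil.example",
        "https://appconfigdata.us-gov-west-1.amazonaws.com@evil.example",
    ):
        print(candidate, check_endpoint_override(candidate, "appconfigdata", "us-gov-west-1"))
```

When the verdict comes back with `fips` False, the client is talking to the standard endpoint even though `AWS_USE_FIPS_ENDPOINT=true` is set; if FIPS 140 validated TLS is a compliance requirement for the workload, that needs to be recorded as an exception until the service team publishes the `appconfigdata-fips.*` host.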
