SSO default endpoint resolver V2 returns incorrect endpoints #2336
Comments
Hi @gdavison, if certain endpoints are not specified by the service team, the SDK endpoint resolution scheme will apply some default endpoint resolution logic to try and form endpoints based on the endpoints rule. We generate these endpoints for forward compatibility reasons so that new regions "will just work" when rolled out from the service side. The reason SSO FIPS on govcloud regions was broken in the past was that these endpoints were never defined in the first place. The SDK uses the same resolution scheme to form the projected FIPS endpoint. When this was reported in #2166, I had to reach out to the SSO service team internally, and they rolled out those FIPS endpoints on their end, making the SDK code "just work" without any additional release on our side. In other words, these endpoints are likely not broken; they simply do not exist and the SDK generates these endpoints as a projection. If you have a specific endpoint that is broken but documented as supported, please let me know and I can upstream it again to the SSO team. Thanks!
My concern is that the endpoint resolved returned by Both
Since this global setting can create an AWS configuration that doesn't work for many services, I would expect it to either:
In the current situation, either we or our users need to know which services support FIPS and/or DualStack in which region, whereas AWS service teams already have that knowledge and can encode it in the SDK.
I did some further checking with the AWS CLI, and it exhibits the same problem: if a service does not support FIPS, it will try to use an endpoint that doesn't exist. Since this behaviour is consistent across all AWS tooling and isn't specific to the Go SDK, I'll close this issue.
Describe the bug
In the AWS partition, the endpoint resolver returns incorrect endpoints for FIPS, Dual Stack, and FIPS with Dual Stack endpoints.
In the US GovCloud partition, the FIPS endpoints are correct, but the Dual Stack and FIPS with Dual Stack endpoints are incorrect.
The FIPS endpoints in GovCloud appear to have been fixed related to #2166
Expected Behavior
The endpoints returned should be correct
Current Behavior
In all of the cases listed as incorrect, the endpoints returned cannot be resolved using nslookup or Go's net.LookupIP()
Reproduction Steps
Possible Solution
No response
Additional Information/Context
Running the test gives
AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2 v1.21.2
github.com/aws/aws-sdk-go-v2/service/sso v1.15.2
Compiler and Version used
go version go1.21.0 darwin/arm64
Operating System and version
macOS 13.4.1
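The DNS check this issue relies on, written as a pre-flight test a deployment could run before enabling FIPS or DualStack globally. This is an added example, not code from the issue or from the SDK; `CheckEndpoint`, `stubLookup` and the `.example.invalid` hostnames are constructed for illustration, and in real use `net.LookupIP` would be passed as the lookup function.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

type Status string

const (
	Resolves Status = "resolves"
	NotFound Status = "no such host"  // projected endpoint with no DNS record
	Unknown  Status = "lookup failed" // timeout or bad input: not proof of absence
)

// lookupFunc has the signature of net.LookupIP so a stub can replace it.
type lookupFunc func(host string) ([]net.IP, error)

// CheckEndpoint reports whether the host in an endpoint URL has a DNS record.
func CheckEndpoint(endpoint string, lookup lookupFunc) (Status, error) {
	u, err := url.Parse(endpoint)
	if err != nil || u.Hostname() == "" {
		return Unknown, fmt.Errorf("not an endpoint URL: %q", endpoint)
	}
	ips, err := lookup(u.Hostname())
	var dnsErr *net.DNSError
	if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
		return NotFound, nil // definitive: the name does not exist
	}
	if err != nil {
		return Unknown, err // transient failure, retry before concluding
	}
	if len(ips) == 0 {
		return NotFound, nil
	}
	return Resolves, nil
}

// stubLookup is a constructed resolver: only the plain endpoint exists.
func stubLookup(host string) ([]net.IP, error) {
	if host == "sso.us-east-1.example.invalid" {
		return []net.IP{net.ParseIP("192.0.2.10")}, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

func main() {
	for _, ep := range []string{"https://sso.us-east-1.example.invalid", "https://sso-fips.us-east-1.example.invalid"} {
		st, err := CheckEndpoint(ep, stubLookup)
		fmt.Println(ep, st, err)
	}
}
```

Separating `NotFound` from `Unknown` keeps a resolver timeout from being reported as a missing FIPS endpoint.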