Incorrect domains with UseFips for govcloud regions #2166

Closed
tmccombs opened this issue Jun 30, 2023 · 3 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

@tmccombs

Describe the bug

The SDK uses the incorrect domain for some services if you enable using the FIPS endpoints config.WithUseFIPSEndpoint(aws.UseFIPSEndpointEnabled) in the GovCloud partition.

Expected Behavior

If you enable using FIPS endpoints in any region, including in GovCloud, then using the services will use the correct domains for those endpoints.

Current Behavior

If you try to use certain services, then you get an error like this:

2023/06/29 19:25:11 operation error SSO: GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get "https://portal.sso-fips.us-gov-west-1.amazonaws.com/federation/credentials?account_id=012345678901&role_name=example": dial tcp: lookup portal.sso-fips.us-gov-west-1.amazonaws.com: no such host
exit status 1

Notice that the error is trying to use portal.sso-fips.us-gov-west-1.amazonaws.com. But that domain does not exist. I think the correct domain is portal.sso.us-gov-west-1.amazonaws.com.

See https://aws.amazon.com/compliance/fips/

I suspect there are similar problems for other AWS services. See below.

Reproduction Steps

Here is a minimal go program that runs into this problem:

package main

import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/sso"
)

func main() {
	ctx := context.TODO()
	// Ask for FIPS endpoints in a GovCloud region; this is the combination that
	// makes the SDK derive the non-existent portal.sso-fips.* hostname.
	cfg, err := config.LoadDefaultConfig(ctx, config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled), config.WithRegion("us-gov-west-1"))
	if err != nil {
		log.Fatal(err)
	}

	ssoClient := sso.NewFromConfig(cfg)

	// The details of this request don't really matter, because it can't resolve the domain anyway
	getRoleInput := sso.GetRoleCredentialsInput{
		AccessToken: aws.String("dummy"),
		AccountId:   aws.String("012345678901"),
		RoleName:    aws.String("example"),
	}
	_, err = ssoClient.GetRoleCredentials(ctx, &getRoleInput)
	if err != nil {
		log.Fatal(err)
	}
}

Possible Solution

I think that this is due to bugs in the smithy configuration in sso.json. I'm guessing that file is generated though, and I haven't figured out what the original source is.

Additional Information/Context

This is definitely the cause of hashicorp/terraform-provider-aws#29350.

I strongly suspect that hashicorp/terraform-provider-aws#23619 is also caused by this same issue, or at least a related one, for other services as well.

In particular, for many GovCloud services, the FIPS endpoint doesn't follow the same pattern as in other regions, because the FIPS endpoint is just the same as the regular endpoint. That is, there is only a FIPS endpoint in GovCloud for some services.

AWS Go SDK V2 Module Versions Used

require (
github.com/aws/aws-sdk-go-v2 v1.18.1
github.com/aws/aws-sdk-go-v2/service/sso v1.12.12
)

require (
github.com/aws/aws-sdk-go-v2/config v1.18.27 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.26 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.28 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.12 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.19.2 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
)

Compiler and Version used

go version go1.18 linux/amd64

Operating System and version

Ubuntu 20.04

@tmccombs tmccombs added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 30, 2023
@RanVaknin RanVaknin self-assigned this Jun 30, 2023
@RanVaknin
Contributor

RanVaknin commented Jul 3, 2023

Hi @tmccombs ,

This issue is an amalgamation of two different problems:

1. The SSO service does not have non-gov FIPS endpoints defined.
   [image]
   This means that the SDK won't be able to resolve a valid endpoint, because it doesn't exist in the first place.
   See #2138 for more info.

2. The service did not define its endpoint resolution logic rules correctly.
   For example, if you wanted to use the gov cloud endpoint with fips, you still cannot do that:
$ go run main.go
SDK 2023/07/03 13:21:48 DEBUG Request
GET /assignment/accounts HTTP/1.1
Host: portal.sso-fips.us-gov-west-1.amazonaws.com // <-- incorrect
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.19.1 md/GOOS/darwin md/GOARCH/arm64 api/sso/1.12.10
Amz-Sdk-Invocation-Id: REDACTED
Amz-Sdk-Request: attempt=1; max=3
X-Amz-Sso_bearer_token: foo
Accept-Encoding: gzip

see related

If you are using gov cloud, as a temporary workaround, you can manually set the endpoint based on the desired service specifications:

package main

import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
)

type CustomResolver struct{}

// ResolveEndpoint returns the same fixed SSO endpoint for every service and
// region the client asks about, bypassing the SDK's built-in FIPS resolution.
func (c CustomResolver) ResolveEndpoint(service string, region string, options ...interface{}) (aws.Endpoint, error) {
	return aws.Endpoint{
		PartitionID:   "aws",
		URL:           "https://sso.us-gov-west-1.amazonaws.com",
		SigningRegion: "us-gov-west-1",
	}, nil
}

func main() {
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithRegion("us-west-1"),
		config.WithEndpointResolverWithOptions(CustomResolver{}),
		config.WithClientLogMode(aws.LogRequestWithBody|aws.LogResponseWithBody),
	)
	if err != nil {
		log.Fatal(err)
	}
	_ = cfg
	// more code.
}

Routing to the correct endpoint:

$ go run main.go
SDK 2023/07/03 13:13:01 DEBUG Request
GET /assignment/accounts HTTP/1.1
Host: sso.us-gov-west-1.amazonaws.com
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.19.1 md/GOOS/darwin md/GOARCH/arm64 api/sso/1.12.10
Amz-Sdk-Invocation-Id: REDACTED
Amz-Sdk-Request: attempt=1; max=3
X-Amz-Sso_bearer_token: foo
Accept-Encoding: gzip

Because of [1] you are prevented from onboarding your SSO operations to FIPS.
We have already notified the service team about this issue and they are set to start working on it by the end of the month.
Please stay tuned for updates.

Thanks,
Ran~
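The workaround above hard-codes one endpoint for every call, and the bug itself shows the risk of letting the client derive a FIPS hostname by pattern: the derived name may not exist, and a client that then fell back to a non-FIPS host would silently break the compliance posture the FIPS flag was meant to guarantee. The following is an added example, not code from this issue or from the AWS SDK, of the defensive alternative: pin the FIPS hostname per service and partition, and validate whatever the SDK resolved (the value that ends up in aws.Endpoint.URL) against that pin before any request is sent. The template table is constructed from the two hosts visible in this thread; the commercial-partition entry for SSO is deliberately absent because, per point [1] above, SSO has no non-GovCloud FIPS endpoint, so that lookup fails closed instead of quietly using a non-FIPS host. Inferring the partition from the "us-gov-" region prefix, and the us-west-2 input used to exercise the fail-closed path, are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Partition identifiers as the SDK names them.
const (
	partitionAWS      = "aws"
	partitionGovCloud = "aws-us-gov"
)

// fipsHostTemplates pins, per service and partition, the hostname the client is
// willing to talk to when FIPS endpoints are required. "{region}" is substituted
// at lookup time. Constructed for this example from the hosts shown in the
// issue: in GovCloud the regular portal.sso host is the FIPS endpoint, and in
// the commercial partition no FIPS endpoint exists for SSO, so no entry is
// present there and lookups fail closed.
var fipsHostTemplates = map[string]map[string]string{
	"sso": {
		partitionGovCloud: "portal.sso.{region}.amazonaws.com",
	},
}

// errNoFIPSEndpoint is returned when no FIPS endpoint is pinned for the service
// in the requested partition.
var errNoFIPSEndpoint = errors.New("no FIPS endpoint is known for this service in this partition")

// partitionForRegion infers the partition from the region name (assumption:
// every GovCloud region name starts with "us-gov-").
func partitionForRegion(region string) string {
	if strings.HasPrefix(region, "us-gov-") {
		return partitionGovCloud
	}
	return partitionAWS
}

// ExpectedFIPSHost returns the pinned FIPS hostname for a service in a region.
func ExpectedFIPSHost(service, region string) (string, error) {
	byPartition, ok := fipsHostTemplates[service]
	if !ok {
		return "", fmt.Errorf("service %q: %w", service, errNoFIPSEndpoint)
	}
	tmpl, ok := byPartition[partitionForRegion(region)]
	if !ok {
		return "", fmt.Errorf("service %q in region %q: %w", service, region, errNoFIPSEndpoint)
	}
	return strings.ReplaceAll(tmpl, "{region}", region), nil
}

// ValidateResolvedEndpoint checks a URL the SDK resolved against the pinned FIPS
// host. It rejects non-HTTPS URLs and any hostname mismatch, so a wrongly
// derived name such as portal.sso-fips.us-gov-west-1.amazonaws.com is caught
// before any DNS lookup or connection attempt.
func ValidateResolvedEndpoint(service, region, rawURL string) error {
	want, err := ExpectedFIPSHost(service, region)
	if err != nil {
		return err
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("parse endpoint URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("endpoint %q is not https", rawURL)
	}
	if got := strings.ToLower(u.Hostname()); got != want {
		return fmt.Errorf("endpoint host %q does not match pinned FIPS host %q", got, want)
	}
	return nil
}

func main() {
	// Constructed inputs: the host the SDK derived in the bug report, the host
	// the fix resolves to (both from the debug output in this issue), and a
	// commercial-partition request that must fail closed.
	cases := []struct{ service, region, rawURL string }{
		{"sso", "us-gov-west-1", "https://portal.sso-fips.us-gov-west-1.amazonaws.com"},
		{"sso", "us-gov-west-1", "https://portal.sso.us-gov-west-1.amazonaws.com"},
		{"sso", "us-west-2", "https://portal.sso.us-west-2.amazonaws.com"},
	}
	for _, c := range cases {
		if err := ValidateResolvedEndpoint(c.service, c.region, c.rawURL); err != nil {
			fmt.Printf("REJECT %s: %v\n", c.rawURL, err)
			continue
		}
		fmt.Printf("OK     %s\n", c.rawURL)
	}
}
```

In a real client the check would sit in a wrapper around the SDK's endpoint resolver, returning the error instead of the endpoint; the pinned table is the part worth maintaining, since it turns "the SDK guessed a hostname" into "the hostname matched something we reviewed".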

@RanVaknin RanVaknin added p2 This is a standard priority issue service-api This issue is due to a problem in a service API, not the SDK implementation. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 3, 2023
@RanVaknin
Contributor

RanVaknin commented Oct 2, 2023

Hi @tmccombs,

Thanks for your patience. The issue is now fixed. The sample code would result in a successful DNS resolution:

SDK 2023/10/02 14:35:47 DEBUG Request
GET /federation/credentials?account_id=012345678901&role_name=example HTTP/1.1
Host: portal.sso.us-gov-west-1.amazonaws.com # <-- correct endpoint
User-Agent: aws-sdk-go-v2/1.21.0 os/macos lang/go#1.19.1 md/GOOS#darwin md/GOARCH#arm64 api/sso#1.15.0
Amz-Sdk-Invocation-Id: REDACTED
Amz-Sdk-Request: attempt=1; max=3
X-Amz-Sso_bearer_token: dummy
Accept-Encoding: gzip

All the best,
Ran~
