SSO default endpoint resolver V2 returns incorrect endpoints #2336

Closed
gdavison opened this issue Oct 25, 2023 · 4 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@gdavison
Contributor

gdavison commented Oct 25, 2023

Describe the bug

In the AWS partition, the endpoint resolver returns incorrect endpoints for FIPS, Dual Stack, and FIPS with Dual Stack endpoints.

In the US GovCloud partition, the FIPS endpoints are correct, but the Dual Stack and FIPS with Dual Stack endpoints are incorrect.

The FIPS endpoints in GovCloud appear to have been fixed in relation to #2166.

Expected Behavior

The endpoints returned should be correct.

Current Behavior

In all of the cases listed as incorrect, the endpoints returned cannot be resolved using nslookup or Go's net.LookupIP().

Reproduction Steps

import (
	"context"
	"net"
	"testing"

	"github.com/aws/aws-sdk-go-v2/service/sso"
	"github.com/aws/aws-sdk-go/aws"
)

func TestEndpoints(t *testing.T) {
	ctx := context.TODO()

	partitions := map[string][]string{
		"aws": {
			"af-south-1",
			"ap-east-1",
			"ap-northeast-1",
			"ap-northeast-2",
			"ap-northeast-3",
			"ap-south-1",
			"ap-southeast-1",
			"ap-southeast-2",
			"ap-southeast-3",
			"ca-central-1",
			"eu-central-1",
			"eu-central-2",
			"eu-north-1",
			"eu-south-1",
			"eu-west-1",
			"eu-west-2",
			"eu-west-3",
			"il-central-1",
			"me-south-1",
			"sa-east-1",
			"us-east-1",
			"us-east-2",
			"us-west-1",
			"us-west-2",
		},
		"aws-us-gov": {
			"us-gov-east-1",
			"us-gov-west-1",
		},
	}

	for partition, regions := range partitions {
		regions := regions

		t.Run(partition, func(t *testing.T) {
			for _, region := range regions {
				region := region

				t.Run(region, func(t *testing.T) {
					t.Run("endpoint", func(t *testing.T) {
						checkV2Endpoints(ctx, t, region, false, false)

					})

					t.Run("FIPS", func(t *testing.T) {
						checkV2Endpoints(ctx, t, region, true, false)
					})

					t.Run("DualStack", func(t *testing.T) {
						checkV2Endpoints(ctx, t, region, false, true)
					})

					t.Run("FIPS DualStack", func(t *testing.T) {
						checkV2Endpoints(ctx, t, region, true, true)
					})
				})
			}
		})
	}
}

func checkV2Endpoints(ctx context.Context, t *testing.T, region string, useFIPS, useDualStack bool) {
	t.Helper()

	endpointV2, err := resolveEndpointV2(ctx, region, useFIPS, useDualStack)
	if err != nil {
		t.Fatal(err)
	}
	_, err = net.LookupIP(endpointV2)
	if err != nil {
		t.Errorf("looking up V2 endpoint %q: %s", endpointV2, err)
	}
}

func resolveEndpointV2(ctx context.Context, region string, useFIPS, useDualStack bool) (string, error) {
	resolver := sso.NewDefaultEndpointResolverV2()
	endpoint, err := resolver.ResolveEndpoint(ctx, sso.EndpointParameters{
		Region:       aws.String(region),
		UseDualStack: aws.Bool(useDualStack),
		UseFIPS:      aws.Bool(useFIPS),
	})
	return endpoint.URI.Hostname(), err
}

Possible Solution

No response

Additional Information/Context

Running the test gives

$ go test -v . -run=TestEndpoints
=== RUN   TestEndpoints
=== RUN   TestEndpoints/aws
=== RUN   TestEndpoints/aws/af-south-1
=== RUN   TestEndpoints/aws/af-south-1/endpoint
=== RUN   TestEndpoints/aws/af-south-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.af-south-1.amazonaws.com": lookup portal.sso-fips.af-south-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/af-south-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.af-south-1.api.aws": lookup portal.sso.af-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/af-south-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.af-south-1.api.aws": lookup portal.sso-fips.af-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-east-1
=== RUN   TestEndpoints/aws/ap-east-1/endpoint
=== RUN   TestEndpoints/aws/ap-east-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-east-1.amazonaws.com": lookup portal.sso-fips.ap-east-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-east-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-east-1.api.aws": lookup portal.sso.ap-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-east-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-east-1.api.aws": lookup portal.sso-fips.ap-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-northeast-1
=== RUN   TestEndpoints/aws/ap-northeast-1/endpoint
=== RUN   TestEndpoints/aws/ap-northeast-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-northeast-1.amazonaws.com": lookup portal.sso-fips.ap-northeast-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-northeast-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-northeast-1.api.aws": lookup portal.sso.ap-northeast-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-northeast-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-northeast-1.api.aws": lookup portal.sso-fips.ap-northeast-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-northeast-2
=== RUN   TestEndpoints/aws/ap-northeast-2/endpoint
=== RUN   TestEndpoints/aws/ap-northeast-2/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-northeast-2.amazonaws.com": lookup portal.sso-fips.ap-northeast-2.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-northeast-2/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-northeast-2.api.aws": lookup portal.sso.ap-northeast-2.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-northeast-2/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-northeast-2.api.aws": lookup portal.sso-fips.ap-northeast-2.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-northeast-3
=== RUN   TestEndpoints/aws/ap-northeast-3/endpoint
=== RUN   TestEndpoints/aws/ap-northeast-3/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-northeast-3.amazonaws.com": lookup portal.sso-fips.ap-northeast-3.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-northeast-3/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-northeast-3.api.aws": lookup portal.sso.ap-northeast-3.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-northeast-3/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-northeast-3.api.aws": lookup portal.sso-fips.ap-northeast-3.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-south-1
=== RUN   TestEndpoints/aws/ap-south-1/endpoint
=== RUN   TestEndpoints/aws/ap-south-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-south-1.amazonaws.com": lookup portal.sso-fips.ap-south-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-south-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-south-1.api.aws": lookup portal.sso.ap-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-south-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-south-1.api.aws": lookup portal.sso-fips.ap-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-southeast-1
=== RUN   TestEndpoints/aws/ap-southeast-1/endpoint
=== RUN   TestEndpoints/aws/ap-southeast-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-southeast-1.amazonaws.com": lookup portal.sso-fips.ap-southeast-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-southeast-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-southeast-1.api.aws": lookup portal.sso.ap-southeast-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-southeast-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-southeast-1.api.aws": lookup portal.sso-fips.ap-southeast-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-southeast-2
=== RUN   TestEndpoints/aws/ap-southeast-2/endpoint
=== RUN   TestEndpoints/aws/ap-southeast-2/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-southeast-2.amazonaws.com": lookup portal.sso-fips.ap-southeast-2.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-southeast-2/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-southeast-2.api.aws": lookup portal.sso.ap-southeast-2.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-southeast-2/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-southeast-2.api.aws": lookup portal.sso-fips.ap-southeast-2.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-southeast-3
=== RUN   TestEndpoints/aws/ap-southeast-3/endpoint
=== RUN   TestEndpoints/aws/ap-southeast-3/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ap-southeast-3.amazonaws.com": lookup portal.sso-fips.ap-southeast-3.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ap-southeast-3/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ap-southeast-3.api.aws": lookup portal.sso.ap-southeast-3.api.aws: no such host
=== RUN   TestEndpoints/aws/ap-southeast-3/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ap-southeast-3.api.aws": lookup portal.sso-fips.ap-southeast-3.api.aws: no such host
=== RUN   TestEndpoints/aws/ca-central-1
=== RUN   TestEndpoints/aws/ca-central-1/endpoint
=== RUN   TestEndpoints/aws/ca-central-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.ca-central-1.amazonaws.com": lookup portal.sso-fips.ca-central-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/ca-central-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.ca-central-1.api.aws": lookup portal.sso.ca-central-1.api.aws: no such host
=== RUN   TestEndpoints/aws/ca-central-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.ca-central-1.api.aws": lookup portal.sso-fips.ca-central-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-central-1
=== RUN   TestEndpoints/aws/eu-central-1/endpoint
=== RUN   TestEndpoints/aws/eu-central-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-central-1.amazonaws.com": lookup portal.sso-fips.eu-central-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-central-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-central-1.api.aws": lookup portal.sso.eu-central-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-central-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-central-1.api.aws": lookup portal.sso-fips.eu-central-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-central-2
=== RUN   TestEndpoints/aws/eu-central-2/endpoint
=== RUN   TestEndpoints/aws/eu-central-2/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-central-2.amazonaws.com": lookup portal.sso-fips.eu-central-2.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-central-2/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-central-2.api.aws": lookup portal.sso.eu-central-2.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-central-2/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-central-2.api.aws": lookup portal.sso-fips.eu-central-2.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-north-1
=== RUN   TestEndpoints/aws/eu-north-1/endpoint
=== RUN   TestEndpoints/aws/eu-north-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-north-1.amazonaws.com": lookup portal.sso-fips.eu-north-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-north-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-north-1.api.aws": lookup portal.sso.eu-north-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-north-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-north-1.api.aws": lookup portal.sso-fips.eu-north-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-south-1
=== RUN   TestEndpoints/aws/eu-south-1/endpoint
=== RUN   TestEndpoints/aws/eu-south-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-south-1.amazonaws.com": lookup portal.sso-fips.eu-south-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-south-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-south-1.api.aws": lookup portal.sso.eu-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-south-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-south-1.api.aws": lookup portal.sso-fips.eu-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-west-1
=== RUN   TestEndpoints/aws/eu-west-1/endpoint
=== RUN   TestEndpoints/aws/eu-west-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-west-1.amazonaws.com": lookup portal.sso-fips.eu-west-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-west-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-west-1.api.aws": lookup portal.sso.eu-west-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-west-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-west-1.api.aws": lookup portal.sso-fips.eu-west-1.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-west-2
=== RUN   TestEndpoints/aws/eu-west-2/endpoint
=== RUN   TestEndpoints/aws/eu-west-2/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-west-2.amazonaws.com": lookup portal.sso-fips.eu-west-2.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-west-2/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-west-2.api.aws": lookup portal.sso.eu-west-2.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-west-2/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-west-2.api.aws": lookup portal.sso-fips.eu-west-2.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-west-3
=== RUN   TestEndpoints/aws/eu-west-3/endpoint
=== RUN   TestEndpoints/aws/eu-west-3/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.eu-west-3.amazonaws.com": lookup portal.sso-fips.eu-west-3.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/eu-west-3/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.eu-west-3.api.aws": lookup portal.sso.eu-west-3.api.aws: no such host
=== RUN   TestEndpoints/aws/eu-west-3/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.eu-west-3.api.aws": lookup portal.sso-fips.eu-west-3.api.aws: no such host
=== RUN   TestEndpoints/aws/il-central-1
=== RUN   TestEndpoints/aws/il-central-1/endpoint
=== RUN   TestEndpoints/aws/il-central-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.il-central-1.amazonaws.com": lookup portal.sso-fips.il-central-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/il-central-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.il-central-1.api.aws": lookup portal.sso.il-central-1.api.aws: no such host
=== RUN   TestEndpoints/aws/il-central-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.il-central-1.api.aws": lookup portal.sso-fips.il-central-1.api.aws: no such host
=== RUN   TestEndpoints/aws/me-south-1
=== RUN   TestEndpoints/aws/me-south-1/endpoint
=== RUN   TestEndpoints/aws/me-south-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.me-south-1.amazonaws.com": lookup portal.sso-fips.me-south-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/me-south-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.me-south-1.api.aws": lookup portal.sso.me-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/me-south-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.me-south-1.api.aws": lookup portal.sso-fips.me-south-1.api.aws: no such host
=== RUN   TestEndpoints/aws/sa-east-1
=== RUN   TestEndpoints/aws/sa-east-1/endpoint
=== RUN   TestEndpoints/aws/sa-east-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.sa-east-1.amazonaws.com": lookup portal.sso-fips.sa-east-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/sa-east-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.sa-east-1.api.aws": lookup portal.sso.sa-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws/sa-east-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.sa-east-1.api.aws": lookup portal.sso-fips.sa-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws/us-east-1
=== RUN   TestEndpoints/aws/us-east-1/endpoint
=== RUN   TestEndpoints/aws/us-east-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.us-east-1.amazonaws.com": lookup portal.sso-fips.us-east-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/us-east-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.us-east-1.api.aws": lookup portal.sso.us-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws/us-east-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.us-east-1.api.aws": lookup portal.sso-fips.us-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws/us-east-2
=== RUN   TestEndpoints/aws/us-east-2/endpoint
=== RUN   TestEndpoints/aws/us-east-2/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.us-east-2.amazonaws.com": lookup portal.sso-fips.us-east-2.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/us-east-2/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.us-east-2.api.aws": lookup portal.sso.us-east-2.api.aws: no such host
=== RUN   TestEndpoints/aws/us-east-2/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.us-east-2.api.aws": lookup portal.sso-fips.us-east-2.api.aws: no such host
=== RUN   TestEndpoints/aws/us-west-1
=== RUN   TestEndpoints/aws/us-west-1/endpoint
=== RUN   TestEndpoints/aws/us-west-1/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.us-west-1.amazonaws.com": lookup portal.sso-fips.us-west-1.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/us-west-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.us-west-1.api.aws": lookup portal.sso.us-west-1.api.aws: no such host
=== RUN   TestEndpoints/aws/us-west-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.us-west-1.api.aws": lookup portal.sso-fips.us-west-1.api.aws: no such host
=== RUN   TestEndpoints/aws/us-west-2
=== RUN   TestEndpoints/aws/us-west-2/endpoint
=== RUN   TestEndpoints/aws/us-west-2/FIPS
    sso_test.go:204: looking up V2 endpoint "portal.sso-fips.us-west-2.amazonaws.com": lookup portal.sso-fips.us-west-2.amazonaws.com: no such host
=== RUN   TestEndpoints/aws/us-west-2/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.us-west-2.api.aws": lookup portal.sso.us-west-2.api.aws: no such host
=== RUN   TestEndpoints/aws/us-west-2/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.us-west-2.api.aws": lookup portal.sso-fips.us-west-2.api.aws: no such host
=== RUN   TestEndpoints/aws-us-gov
=== RUN   TestEndpoints/aws-us-gov/us-gov-east-1
=== RUN   TestEndpoints/aws-us-gov/us-gov-east-1/endpoint
=== RUN   TestEndpoints/aws-us-gov/us-gov-east-1/FIPS
=== RUN   TestEndpoints/aws-us-gov/us-gov-east-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.us-gov-east-1.api.aws": lookup portal.sso.us-gov-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws-us-gov/us-gov-east-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.us-gov-east-1.api.aws": lookup portal.sso-fips.us-gov-east-1.api.aws: no such host
=== RUN   TestEndpoints/aws-us-gov/us-gov-west-1
=== RUN   TestEndpoints/aws-us-gov/us-gov-west-1/endpoint
=== RUN   TestEndpoints/aws-us-gov/us-gov-west-1/FIPS
=== RUN   TestEndpoints/aws-us-gov/us-gov-west-1/DualStack
    sso_test.go:208: looking up V2 endpoint "portal.sso.us-gov-west-1.api.aws": lookup portal.sso.us-gov-west-1.api.aws: no such host
=== RUN   TestEndpoints/aws-us-gov/us-gov-west-1/FIPS_DualStack
    sso_test.go:212: looking up V2 endpoint "portal.sso-fips.us-gov-west-1.api.aws": lookup portal.sso-fips.us-gov-west-1.api.aws: no such host
--- FAIL: TestEndpoints (1.82s)
    --- FAIL: TestEndpoints/aws (1.58s)
        --- FAIL: TestEndpoints/aws/af-south-1 (0.04s)
            --- PASS: TestEndpoints/aws/af-south-1/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/af-south-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/af-south-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/af-south-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-east-1 (0.04s)
            --- PASS: TestEndpoints/aws/ap-east-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/ap-east-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/ap-east-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-east-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-northeast-1 (0.04s)
            --- PASS: TestEndpoints/aws/ap-northeast-1/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/ap-northeast-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/ap-northeast-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-northeast-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-northeast-2 (0.05s)
            --- PASS: TestEndpoints/aws/ap-northeast-2/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/ap-northeast-2/FIPS (0.01s)
            --- FAIL: TestEndpoints/aws/ap-northeast-2/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-northeast-2/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-northeast-3 (0.07s)
            --- PASS: TestEndpoints/aws/ap-northeast-3/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/ap-northeast-3/FIPS (0.04s)
            --- FAIL: TestEndpoints/aws/ap-northeast-3/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-northeast-3/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-south-1 (0.04s)
            --- PASS: TestEndpoints/aws/ap-south-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/ap-south-1/FIPS (0.01s)
            --- FAIL: TestEndpoints/aws/ap-south-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-south-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-southeast-1 (0.03s)
            --- PASS: TestEndpoints/aws/ap-southeast-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/ap-southeast-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/ap-southeast-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-southeast-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-southeast-2 (0.03s)
            --- PASS: TestEndpoints/aws/ap-southeast-2/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/ap-southeast-2/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/ap-southeast-2/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-southeast-2/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ap-southeast-3 (0.04s)
            --- PASS: TestEndpoints/aws/ap-southeast-3/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/ap-southeast-3/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/ap-southeast-3/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ap-southeast-3/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/ca-central-1 (0.08s)
            --- PASS: TestEndpoints/aws/ca-central-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/ca-central-1/FIPS (0.04s)
            --- FAIL: TestEndpoints/aws/ca-central-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/ca-central-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-central-1 (0.04s)
            --- PASS: TestEndpoints/aws/eu-central-1/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/eu-central-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/eu-central-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-central-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-central-2 (0.04s)
            --- PASS: TestEndpoints/aws/eu-central-2/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/eu-central-2/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/eu-central-2/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-central-2/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-north-1 (0.05s)
            --- PASS: TestEndpoints/aws/eu-north-1/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/eu-north-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/eu-north-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-north-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-south-1 (0.09s)
            --- PASS: TestEndpoints/aws/eu-south-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/eu-south-1/FIPS (0.05s)
            --- FAIL: TestEndpoints/aws/eu-south-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-south-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-west-1 (0.04s)
            --- PASS: TestEndpoints/aws/eu-west-1/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/eu-west-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/eu-west-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-west-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-west-2 (0.04s)
            --- PASS: TestEndpoints/aws/eu-west-2/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/eu-west-2/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/eu-west-2/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-west-2/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/eu-west-3 (0.10s)
            --- PASS: TestEndpoints/aws/eu-west-3/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/eu-west-3/FIPS (0.07s)
            --- FAIL: TestEndpoints/aws/eu-west-3/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/eu-west-3/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/il-central-1 (0.05s)
            --- PASS: TestEndpoints/aws/il-central-1/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/il-central-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/il-central-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/il-central-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/me-south-1 (0.07s)
            --- PASS: TestEndpoints/aws/me-south-1/endpoint (0.07s)
            --- FAIL: TestEndpoints/aws/me-south-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws/me-south-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/me-south-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/sa-east-1 (0.11s)
            --- PASS: TestEndpoints/aws/sa-east-1/endpoint (0.05s)
            --- FAIL: TestEndpoints/aws/sa-east-1/FIPS (0.06s)
            --- FAIL: TestEndpoints/aws/sa-east-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/sa-east-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/us-east-1 (0.16s)
            --- PASS: TestEndpoints/aws/us-east-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/us-east-1/FIPS (0.05s)
            --- FAIL: TestEndpoints/aws/us-east-1/DualStack (0.04s)
            --- FAIL: TestEndpoints/aws/us-east-1/FIPS_DualStack (0.04s)
        --- FAIL: TestEndpoints/aws/us-east-2 (0.07s)
            --- PASS: TestEndpoints/aws/us-east-2/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/us-east-2/FIPS (0.04s)
            --- FAIL: TestEndpoints/aws/us-east-2/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/us-east-2/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/us-west-1 (0.08s)
            --- PASS: TestEndpoints/aws/us-west-1/endpoint (0.03s)
            --- FAIL: TestEndpoints/aws/us-west-1/FIPS (0.04s)
            --- FAIL: TestEndpoints/aws/us-west-1/DualStack (0.00s)
            --- FAIL: TestEndpoints/aws/us-west-1/FIPS_DualStack (0.00s)
        --- FAIL: TestEndpoints/aws/us-west-2 (0.17s)
            --- PASS: TestEndpoints/aws/us-west-2/endpoint (0.04s)
            --- FAIL: TestEndpoints/aws/us-west-2/FIPS (0.04s)
            --- FAIL: TestEndpoints/aws/us-west-2/DualStack (0.04s)
            --- FAIL: TestEndpoints/aws/us-west-2/FIPS_DualStack (0.04s)
    --- FAIL: TestEndpoints/aws-us-gov (0.24s)
        --- FAIL: TestEndpoints/aws-us-gov/us-gov-east-1 (0.12s)
            --- PASS: TestEndpoints/aws-us-gov/us-gov-east-1/endpoint (0.04s)
            --- PASS: TestEndpoints/aws-us-gov/us-gov-east-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws-us-gov/us-gov-east-1/DualStack (0.04s)
            --- FAIL: TestEndpoints/aws-us-gov/us-gov-east-1/FIPS_DualStack (0.04s)
        --- FAIL: TestEndpoints/aws-us-gov/us-gov-west-1 (0.13s)
            --- PASS: TestEndpoints/aws-us-gov/us-gov-west-1/endpoint (0.04s)
            --- PASS: TestEndpoints/aws-us-gov/us-gov-west-1/FIPS (0.00s)
            --- FAIL: TestEndpoints/aws-us-gov/us-gov-west-1/DualStack (0.03s)
            --- FAIL: TestEndpoints/aws-us-gov/us-gov-west-1/FIPS_DualStack (0.05s)
FAIL
FAIL	github.com/hashicorp/aws-sdk-go-base/v2	2.582s
FAIL

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.21.2
github.com/aws/aws-sdk-go-v2/service/sso v1.15.2

Compiler and Version used

go version go1.21.0 darwin/arm64

Operating System and version

macOS 13.4.1

@gdavison gdavison added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 25, 2023
@RanVaknin RanVaknin self-assigned this Oct 26, 2023
@RanVaknin
Contributor

RanVaknin commented Oct 26, 2023

Hi @gdavison,

If certain endpoints are not specified by the service team, the SDK endpoint resolution scheme will apply some default endpoint resolution logic to try and form endpoints based on the endpoints rule. We generate these endpoints for forward compatibility reasons so that new regions "will just work" when rolled out from the service side.

The reason SSO FIPS on GovCloud regions was broken in the past was that these endpoints were never defined in the first place. The SDK uses the same resolution scheme to form the projected FIPS endpoint. When this was reported in #2166, I had to reach out to the SSO service team internally, and they rolled out those FIPS endpoints on their end, making the SDK code "just work" without any additional release on our side.

In other words, these endpoints are likely not broken; they simply do not exist and the SDK generates these endpoints as a projection. If you have a specific endpoint that is broken but documented as supported, please let me know and I can upstream it again to the SSO team.

Thanks!
Ran~

@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Oct 26, 2023
@gdavison
Contributor Author

My concern is that the endpoint resolver returned by sso.NewDefaultEndpointResolverV2() is returning endpoints that point to addresses that don't exist. It may not be "broken", but it definitely doesn't work! 🙂

Both config.WithUseFIPSEndpoint() and config.WithUseDualStackEndpoint() can be set globally in config.LoadDefaultConfig(), causing the SSO endpoint resolver (among others) to try to use endpoints that don't exist, thus leading to failures such as:

Error: failed to refresh cached credentials, operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: operation error STS: AssumeRole, failed to sign request: failed to retrieve
credentials: operation error SSO: GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get
"https://portal.sso-fips.us-east-1.amazonaws.com/federation/credentials?account_id=123456789012&role_name=SSO_terraform": dial tcp: lookup portal.sso-fips.us-east-1.amazonaws.com on 127.0.0.53:53: no such host

Since this global setting can create an AWS configuration that doesn't work for many services, I would expect it to either:

  • Not have such a global setting,
  • Have a graceful fallback, or
  • Return an error that states "FIPS not supported in this region"

In the current situation, either we or our users need to know which services support FIPS and/or DualStack in which region, whereas AWS service teams already have that knowledge and can encode it in the SDK.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 27, 2023
@gdavison
Contributor Author

I did some further checking with the AWS CLI, and it exhibits the same problem: if a service does not support FIPS, it will try to use an endpoint that doesn't exist.

Since this behaviour is consistent across all AWS tooling and isn't specific to the Go SDK, I'll close this issue.

@gdavison gdavison closed this as not planned Oct 27, 2023
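
An added example, not part of the original thread and not the SDK's own code: a fail-closed pre-flight check that turns a projected but nonexistent FIPS or DualStack endpoint into an explicit "not available in this region" error instead of a late DNS failure or a silent fallback to a non-FIPS endpoint. `Variant`, `UnavailableError`, `Preflight`, `projectSSOHost` and `fakeLookup` are hypothetical names; `projectSSOHost` is a constructed stand-in for the SDK resolver that reproduces the hostname patterns in the test output above (the default `portal.sso.<region>.amazonaws.com` form is an assumption, since the log does not print it), and the DNS data is constructed so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Variant is the endpoint flavour requested, mirroring the UseFIPS and
// UseDualStack parameters in the issue's reproduction.
type Variant struct{ FIPS, DualStack bool }

func (v Variant) String() string {
	switch {
	case v.FIPS && v.DualStack:
		return "FIPS DualStack"
	case v.FIPS:
		return "FIPS"
	case v.DualStack:
		return "DualStack"
	}
	return "default"
}

// UnavailableError says the projected hostname has no DNS record, i.e. the
// service does not offer this variant in this region.
type UnavailableError struct {
	Region  string
	Variant Variant
	Host    string
}

func (e *UnavailableError) Error() string {
	return fmt.Sprintf("%s endpoint not supported in %s: %s does not exist",
		e.Variant, e.Region, e.Host)
}

// ResolveFunc and LookupFunc are injection points. In real use, wrap the SDK
// resolver in a ResolveFunc and pass net.LookupIP as the LookupFunc.
type ResolveFunc func(region string, v Variant) (string, error)
type LookupFunc func(host string) ([]net.IP, error)

// projectSSOHost is a constructed stand-in for the SDK resolver. It follows
// the hostname patterns visible in the issue's log; the default form is assumed.
func projectSSOHost(region string, v Variant) (string, error) {
	svc, suffix := "portal.sso", "amazonaws.com"
	if v.FIPS {
		svc = "portal.sso-fips"
	}
	if v.DualStack {
		suffix = "api.aws"
	}
	return fmt.Sprintf("%s.%s.%s", svc, region, suffix), nil
}

// Preflight resolves the endpoint and checks that it exists in DNS. It never
// substitutes another variant: a missing FIPS endpoint is an error, not a
// reason to fall back to the non-FIPS one.
func Preflight(region string, v Variant, resolve ResolveFunc, lookup LookupFunc) (string, error) {
	host, err := resolve(region, v)
	if err != nil {
		return "", fmt.Errorf("resolving %s endpoint for %s: %w", v, region, err)
	}
	ips, err := lookup(host)
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return "", &UnavailableError{Region: region, Variant: v, Host: host}
		}
		// Timeouts and resolver failures prove nothing about availability.
		return "", fmt.Errorf("looking up %q: %w", host, err)
	}
	if len(ips) == 0 {
		return "", &UnavailableError{Region: region, Variant: v, Host: host}
	}
	return host, nil
}

// fakeLookup is a constructed resolver: only hosts in known exist.
func fakeLookup(known map[string]bool) LookupFunc {
	return func(host string) ([]net.IP, error) {
		if known[host] {
			return []net.IP{net.IPv4(192, 0, 2, 1)}, nil // documentation address
		}
		return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
	}
}

func main() {
	// Constructed DNS view: only the default endpoint exists.
	lookup := fakeLookup(map[string]bool{"portal.sso.us-east-1.amazonaws.com": true})
	variants := []Variant{{}, {FIPS: true}, {DualStack: true}, {FIPS: true, DualStack: true}}
	for _, v := range variants {
		if host, err := Preflight("us-east-1", v, projectSSOHost, lookup); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Println("ok:  ", host)
		}
	}
}
```

Run at configuration load time, a check like this surfaces the problem before the first credential refresh rather than inside a nested STS/SSO error chain.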