
[Bug]: Wrong URL for SSO in us-east-1 if use_fips is true #33952

Open
tmccombs opened this issue Oct 16, 2023 · 6 comments
Labels
  • authentication: Pertains to authentication; to the provider itself or otherwise.
  • bug: Addresses a defect in current functionality.
  • fips: Pertains to the Federal Information Processing Standard (FIPS).
  • prioritized: Part of the maintainer team's immediate focus. To be addressed within the current quarter.
  • provider: Pertains to the provider itself, rather than any interaction with AWS.
  • regression: Pertains to a degraded workflow resulting from an upstream patch or internal enhancement.

Comments

@tmccombs
Contributor

tmccombs commented Oct 16, 2023

Terraform Core Version

1.5.0

AWS Provider Version

5.21.0

Affected Resource(s)

Problem with configuring the provider for authentication with SSO

Expected Behavior

Terraform should be able to refresh the token when using a profile that uses AWS SSO.

Actual Behavior

Error when refreshing the token which results in not being able to run the specified action.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  profile = var.terraform_profile # a profile that uses sso_start_url, sso_role_name, etc.
  region  = "us-east-1"
  use_fips_endpoint = true
}

Steps to Reproduce

Run a plan, apply, refresh etc. with config like above, using an AWS profile that uses AWS IAM Identity Center (previously SSO)

Debug Output

╷
│ Error: No valid credential sources found
│ 
│   with provider["registry.terraform.io/hashicorp/aws"].publiczones,
│   on config.tf line 141, in provider "aws":
│  141: provider "aws" {
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: operation error STS: AssumeRole, failed to sign request: failed to retrieve
│ credentials: operation error SSO: GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get
│ "https://portal.sso-fips.us-east-1.amazonaws.com/federation/credentials?account_id=975326797713&role_name=SSO_terraform": dial tcp: lookup portal.sso-fips.us-east-1.amazonaws.com on 127.0.0.53:53: no such host
│ 
╵

Panic Output

No response

Important Factoids

If use_fips is false, then it works fine.

References

This is basically the same as #29350 but, while GovCloud regions have been fixed, it seems the issue is still there for the us-east-1 region (and possibly other regions?)

My guess is that it is likely also due to incorrect URLs in the upstream AWS SDK library.

Would you like to implement a fix?

None

@tmccombs tmccombs added the bug Addresses a defect in current functionality. label Oct 16, 2023
@github-actions

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 16, 2023
@tmccombs
Contributor Author

I should also point out that this wasn't broken in 4.53. So this is a regression.

@justinretzolk justinretzolk added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. provider Pertains to the provider itself, rather than any interaction with AWS. authentication Pertains to authentication; to the provider itself of otherwise. fips Pertains to the Federal Information Processing Standard (FIPS). and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 25, 2023
@terraform-aws-provider terraform-aws-provider bot added the prioritized Part of the maintainer teams immediate focus. To be addressed within the current quarter. label Oct 25, 2023
@gdavison
Contributor

For implementor: The AWS FIPS documentation suggests that there is no override for the SSO endpoint with FIPS. However, the default resolver may not be returning the correct endpoint.

Short-term fix:

Longer-term fix:

  1. Fix upstream AWS SDK (SSO default endpoint resolver V2 returns incorrect endpoints aws/aws-sdk-go-v2#2336)
  2. Add smoke test for endpoints and run during PR checks to prevent regression
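The following is an added example, not code from the Terraform AWS provider or the AWS SDK, illustrating the two points in the comment above: a resolver that splices "-fips" into the hostname by pattern produces the non-existent portal.sso-fips.us-east-1.amazonaws.com host seen in the debug output, and an endpoint smoke test of the kind proposed in item 2 catches that before a release. The allowlist of known hosts is constructed for this example (only the us-east-1 behaviour is taken from the issue); the fail-closed resolver raises rather than quietly falling back to the non-FIPS host, so a FIPS requirement is never silently dropped. The sample log text is the error message from the issue's debug output.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for this example (an assumption, not SDK data). The only
# fact taken from the issue is that portal.sso-fips.us-east-1.amazonaws.com does
# not resolve, while the plain host works when use_fips is false.
KNOWN_SSO_PORTAL_HOSTS = frozenset({
    "portal.sso.us-east-1.amazonaws.com",
})

# Copied from the issue's debug output (the error text, without the box-drawing prefix).
SAMPLE_LOG = (
    "Error: failed to refresh cached credentials, operation error STS: AssumeRole, "
    "failed to sign request: failed to retrieve credentials: operation error SSO: "
    "GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get\n"
    '"https://portal.sso-fips.us-east-1.amazonaws.com/federation/credentials'
    '?account_id=975326797713&role_name=SSO_terraform": dial tcp: lookup '
    "portal.sso-fips.us-east-1.amazonaws.com on 127.0.0.53:53: no such host"
)


def naive_sso_portal_host(region: str, use_fips: bool) -> str:
    """Pattern-only resolver: splices '-fips' into the host whenever the flag is
    set, without checking that such a host exists. This reproduces the hostname
    seen in the issue's debug output."""
    return f"portal.{'sso-fips' if use_fips else 'sso'}.{region}.amazonaws.com"


def checked_sso_portal_host(region: str, use_fips: bool,
                            known_hosts=KNOWN_SSO_PORTAL_HOSTS) -> str:
    """Fail-closed resolver: returns the pattern host only if it is on the
    allowlist. An unknown FIPS host raises instead of silently degrading to the
    non-FIPS endpoint."""
    host = naive_sso_portal_host(region, use_fips)
    if host not in known_hosts:
        raise LookupError(
            f"no known SSO portal endpoint for region={region!r} use_fips={use_fips}: {host}")
    return host


def fips_host_available(region: str, known_hosts=KNOWN_SSO_PORTAL_HOSTS) -> bool:
    """True if a FIPS-variant portal host is on the allowlist for the region."""
    return naive_sso_portal_host(region, True) in known_hosts


def smoke_test(regions, known_hosts=KNOWN_SSO_PORTAL_HOSTS):
    """Endpoint smoke test: resolve every (region, use_fips) pair and report
    hosts that are not on the allowlist. Returns a list of
    (region, use_fips, host) tuples; an empty list means every endpoint is known."""
    failures = []
    for region in regions:
        for use_fips in (False, True):
            host = naive_sso_portal_host(region, use_fips)
            if host not in known_hosts:
                failures.append((region, use_fips, host))
    return failures


_REQUEST_URL_RE = re.compile(r'Get\s+"(?P<url>https://[^"]+)"')


def attempted_url_from_log(log: str) -> dict:
    """Extract the URL the SDK actually tried from a 'request send failed' error
    and split it so the host can be compared with the allowlist. Query values
    are dropped; only the parameter names are returned."""
    match = _REQUEST_URL_RE.search(log)
    if match is None:
        raise ValueError("no request URL found in log text")
    parts = urlsplit(match.group("url"))
    return {
        "host": parts.hostname,
        "path": parts.path,
        "params": sorted(parse_qs(parts.query)),
    }


if __name__ == "__main__":
    print("attempted:", attempted_url_from_log(SAMPLE_LOG))
    print("smoke test failures:", smoke_test(["us-east-1"]))
    try:
        checked_sso_portal_host("us-east-1", True)
    except LookupError as exc:
        print("fail-closed:", exc)
```

Running the script reports the us-east-1 FIPS pair as a smoke-test failure and shows the fail-closed resolver refusing it; in a CI check the allowlist would be replaced by the endpoint table the project treats as authoritative, with the same comparison.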

@gdavison
Contributor

@tmccombs was this a regression, or is this your first time using SSO with FIPS in the AWS partition?

@tmccombs
Contributor Author

This is a regression. It was working with the use_fips_endpoint = true on version 4.53. It may not actually have been using FIPS for SSO, but didn't error.

When upgrading to 5.x I started getting errors.

@gdavison
Contributor

Related: aws/aws-sdk-go-v2#2686
