redshift aws-us-gov partition fips endpoint doesn't work

[michaeldop]

Describe the bug

when setting UseFIPSEndpoint to true I cannot use the redshift client in the aws-us-gov partition.

Expected Behavior

The redshift client works with UseFIPSEndpoint in aws-us-gov partition

Current Behavior

The host is incorrect need to drop the -fips

failed to describe clusters RequestError: send request failed
caused by: Post "https://redshift-fips.us-gov-west-1.amazonaws.com/": dial tcp: lookup redshift-fips.us-gov-west-1.amazonaws.com: no such host

Reproduction Steps

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/endpoints"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/redshift"
)


func main() {
	// Resolve the region's endpoint directly
	endpoint, err := endpoints.DefaultResolver().EndpointFor(redshift.EndpointsID, endpoints.UsGovWest1RegionID, endpoints.UseFIPSEndpointOption)
	if err != nil {
		fmt.Println("failed to get endpoint", err)
	}
	fmt.Println("Redshift Resolved Endpoint:", endpoint.URL, "Region:", endpoint.SigningRegion)

	// Create a session and service client configured for the region.
	sess := session.Must(session.NewSession(&aws.Config{
		Region:          aws.String(endpoints.UsGovWest1RegionID),
		UseFIPSEndpoint: endpoints.FIPSEndpointStateEnabled,
	}))

	// test redshift
	svc := redshift.New(sess)
	fmt.Println("Redshift Client Endpoint:", svc.ClientInfo.Endpoint, "Region:", svc.ClientInfo.SigningRegion)

	_, err = svc.DescribeClusters(&redshift.DescribeClustersInput{})
	if err != nil {
		fmt.Println("failed to describe clusters", err)
	}

	// test application-autoscaling, autoscaling-plans
}

Possible Solution

No response

Additional Information/Context

No response

SDK version used

v1.44.241

Environment details (Version of Go (go version)? OS name and version, etc.)

go version go1.20.2 darwin/amd64

[jmklix]

Thanks for pointing this out. We are in the process of getting these endpoints updated, but this requires changes to the services. This might take a while so please use this workaround while waiting for this to be updated. You can find the correct endpoints here:

	sess := session.Must(session.NewSession(&aws.Config{
		Region:         aws.String(endpoints.UsGovWest1RegionID),
		Endpoint:       aws.String("https://redshift.us-gov-west-1.amazonaws.com")
	}))

[mebays]

Is there a record on how many of these endpoints are incorrect? In my case there are multiple applications using the sdk-go library (some of them are kubernetes core service related) where I don't modify the code. Running in gov cloud it has been suggested to use all fips endpoints, but seeing AWS_USE_FIPS_ENDPOINT=true can be problematic if the endpoints aren't correct. I see the same issue within the terraform-aws-provider but that could be their version of the SDK. Any updates on when this may get fixed not as a workaround.

[RanVaknin]

Hi,

This issue has been brought up multiple times. We have identified about 20 services that were impacted, and almost all of them have pushed a fix. I believe that Redshift and SSO are the only two remaining services that have not pushed a fix yet but this is a work in progress (this is solved upstream with the service team itself, not on the SDK level)

Right now you can use the workaround mentioned by @jmklix , or upgrade to v2 which doesnt rely on the same endpoint resolution logic and is not impacted.

Im going to keep this issue open until we get Redshift sorted out.

Thanks,
Ran~

[lorengordon]

@RanVaknin Is there a similar tracking issue for the SSO endpoint resolution? There's an open issue on terraform where folks are reporting several of the other impacted services, also:

• appautoscaling
• cloudfront
• cloudformation
• kinesis
• ram
• resourcegroupstaggingapi
• route53resolver
• servicequotas
• sns
• waf

[IvanLaktyunkin]

Hit same issue with ec2-fips.us-gov-west-1.amazonaws.com :(

[RanVaknin]

Hi all,

The only 2 remaining services that have not fixed their FIPS configuration is SSO and Redshift.

If you need help mitigating this you can file a support ticket using the AWS console and ask for an escalation. Currently this is not actionable by the SDK team.

You can also consider upgrading to Go SDK v2 which uses a different endpoint resolution scheme altogether.

Thanks,
Ran

[RanVaknin]

Hi all,

If this still persists in v2, please open a new issue on our v2 queue.

Thanks,
Ran~

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.