`AWS_USE_FIPS_ENDPOINT` should handle non-existing fips endpoints
CharmanderJieniJieni opened this issue
Describe the bug
We have `AWS_USE_FIPS_ENDPOINT` enabled and noticed that if we are making AWS CLI calls to regions which do not support a FIPS service endpoint, the AWS CLI still tries to append `-fips` in the API call, which ends up with a DNS resolving error.
Expected Behavior
For example, if I enable `AWS_USE_FIPS_ENDPOINT` and then do `aws s3 ls --region ap-southeast-1`, the API call should redirect to "https://s3.ap-southeast-1.amazonaws.com/" since the FIPS service endpoint is not in this region.
Current Behavior
Currently I get the error below:
```
"https://s3-fips.ap-southeast-1.amazonaws.com/": dial tcp: lookup s3-fips.ap-southeast-1.amazonaws.com on 127.0.0.53:53: no such host
```
Reproduction Steps
- Enable `AWS_USE_FIPS_ENDPOINT`
- Run `aws s3 ls --region ap-southeast-1`
Possible Solution
No response
Additional Information/Context
No response
CLI version used
2.16.9
Environment details (OS name and version, etc.)
Ubuntu 20
Thanks for reaching out. Here are the currently supported FIPS endpoints for reference: https://aws.amazon.com/compliance/fips/. The AWS CLI is working as intended here and resolving to the correct endpoint when `AWS_USE_FIPS_ENDPOINT` is set. There are no plans to support a redirect for non-FIPS supported regions. You can manually specify the endpoint URL if necessary by using `aws s3 ls --endpoint-url https://s3.ap-southeast-1.amazonaws.com`.
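Since the CLI will not fall back on its own, a script that must stay on FIPS endpoints can check for the `<service>-fips.<region>.amazonaws.com` name up front and fail closed rather than silently downgrading. The following is an added example, not code from this thread or from the AWS CLI; it assumes the hostname pattern seen in the error above and that `getent ahosts` is available for the real lookup (the `fips_preflight` function and its optional resolver argument are hypothetical names chosen here).

```shell
#!/bin/sh
# Added example; not part of the issue thread or of the AWS CLI itself.
# Assumes the "<service>-fips.<region>.amazonaws.com" pattern from the
# issue's error message and a working `getent ahosts` for DNS lookups.

# FIPS hostname the CLI tries when AWS_USE_FIPS_ENDPOINT is set.
fips_host() { printf '%s-fips.%s.amazonaws.com' "$1" "$2"; }

# Standard (non-FIPS) hostname for the same service and region.
std_host() { printf '%s.%s.amazonaws.com' "$1" "$2"; }

# Default resolver check: succeeds only if the name resolves in DNS.
dns_resolves() { getent ahosts "$1" >/dev/null 2>&1; }

# Preflight for a FIPS-only policy. Prints the endpoint URL to use.
# Returns 0 when the FIPS endpoint exists. When it does not, prints the
# explicit non-FIPS URL (what the maintainer suggests passing to
# --endpoint-url) but returns 2, so a calling script fails closed and
# an operator decides whether a non-FIPS call is acceptable.
# $3 is an optional resolver function name (tests inject a stub).
fips_preflight() {
  service=$1 region=$2 check=${3:-dns_resolves}
  fh=$(fips_host "$service" "$region")
  if "$check" "$fh"; then
    printf 'https://%s' "$fh"
    return 0
  fi
  printf 'https://%s' "$(std_host "$service" "$region")"
  return 2
}

# Usage (hypothetical wrapper around the command from the issue):
#   if url=$(fips_preflight s3 ap-southeast-1); then
#     aws s3 ls --region ap-southeast-1 --endpoint-url "$url"
#   else
#     echo "no FIPS endpoint; review before using $url" >&2
#   fi
```

The exit status 2 is the point: the caller only reaches the non-FIPS URL after an explicit decision, which is easier to audit than an automatic redirect.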
This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.