SQS FIPS Endpoint ENOTFOUND in GovCloud (US)

Describe the bug

Using the new features in v3.40.0 to pass useFipsEndpoint: true, the endpoint URL for SQS (and possibly other services) in the AWS GovCloud (US) partition, and specifically in us-gov-west-1 is invalid according to https://aws.amazon.com/compliance/fips/ and is not a resolvable hostname.

Your environment

SDK version number

@aws-sdk/client-sqs@3.40.0

Is the issue in the browser/Node.js/ReactNative?

Node.js (but likely all)

Details of the browser/Node.js/ReactNative version

Current Node.js version used in the Node.js 14.x Lambda runtime

Steps to reproduce

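import { SQSClient, SendMessageCommand } from "@aws-sdk/client-sqs";

// FIPS variant requested for a GovCloud (US) region.
const sqs = new SQSClient({ useFipsEndpoint: true, region: "us-gov-west-1" });

// The send fails with ENOTFOUND because the resolved hostname does not exist.
await sqs.send(new SendMessageCommand({ QueueUrl: process.env.QUEUE_URL, MessageBody: JSON.stringify({ "message": "Hello world" }) }));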

Observed behavior

The created URL is sqs-fips.us-gov-west-1.amazonaws.com. This results in an ENOTFOUND error in Lambda when trying to hit the endpoint. It is not possible to resolve sqs-fips.us-gov-west-1.amazonaws.com.

getaddrinfo ENOTFOUND sqs-fips.us-gov-west-1.amazonaws.com

Expected behavior

Per https://aws.amazon.com/compliance/fips/ the proper endpoint is sqs.us-gov-west-1.amazonaws.com. That host does resolve.

Additional context

Add any other context about the problem here. https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-sqs/src/endpoints.ts#L4 seems to be correct so I am not sure where -fips is getting injected. Do the “regular” us-gov- region endpoints need to be tagged as fips and dualstack?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

3 reactions
trivikr commented, Nov 8, 2021

Checking internally on what should be the right behavior.

Update: This bug exists in all AWS SDKs, and a service level default variant needs to be defined for SQS to not include -fips in FIPS endpoints in gov partition.

The AWS SDK for JavaScript (v3) will pick up the fix when endpoints.json is updated.

2 reactions
trivikr commented, Nov 8, 2021

Verified that sqs-fips.us-gov-west-1.amazonaws.com is returned when useFipsEndpoint is set to true in @aws-sdk/client-sqs@v3.40.0

Code
import { SQSClient } from "@aws-sdk/client-sqs"; // v3.40.0

const region = "us-gov-west-1";
const useFipsEndpoint = true;

const client = new SQSClient({ region, useFipsEndpoint });
console.log(await client.config.endpoint());

Output
{
  hostname: 'sqs-fips.us-gov-west-1.amazonaws.com',
  port: undefined,
  protocol: 'https:',
  path: '/',
  query: undefined
}
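The variant lookup the maintainer describes can be modelled in a few lines. This is an added example, not code from the SDK or its endpoints.json: the table layout and the names `partitions`, `before`, `after`, `findVariant` and `resolveHostname` are assumptions made for illustration, and only the two hostnames come from the issue.

```javascript
// Simplified, constructed model of endpoint variants (not the SDK's real data).
// A variant is picked by its tag set; "fips" is the only tag modelled here.
const partitions = {
  "aws-us-gov": {
    dnsSuffix: "amazonaws.com",
    regions: ["us-gov-east-1", "us-gov-west-1"],
    defaults: {
      hostname: "{service}.{region}.{dnsSuffix}",
      // Partition-wide default: FIPS hostnames carry a "-fips" label.
      variants: [{ tags: ["fips"], hostname: "{service}-fips.{region}.{dnsSuffix}" }],
    },
  },
};

// No service-level variants: the behaviour reported in the issue.
const before = {};
// Service-level default variant for SQS that omits "-fips", as the comment describes.
const after = {
  sqs: { variants: [{ tags: ["fips"], hostname: "{service}.{region}.{dnsSuffix}" }] },
};

function findVariant(variants, tags) {
  const want = [...tags].sort().join(",");
  return (variants || []).find((v) => [...v.tags].sort().join(",") === want);
}

function resolveHostname(service, region, { useFipsEndpoint = false } = {}, services = before) {
  const partition = Object.values(partitions).find((p) => p.regions.includes(region));
  if (!partition) throw new Error(`unknown region: ${region}`);
  let template = partition.defaults.hostname;
  if (useFipsEndpoint) {
    // Most specific match wins: service-level variant, then partition default.
    const variant =
      findVariant(services[service]?.variants, ["fips"]) ||
      findVariant(partition.defaults.variants, ["fips"]);
    // Fail closed: never return a non-FIPS template when FIPS was requested.
    if (!variant) throw new Error(`no FIPS variant for ${service} in ${region}`);
    template = variant.hostname;
  }
  return template
    .replace("{service}", service)
    .replace("{region}", region)
    .replace("{dnsSuffix}", partition.dnsSuffix);
}

console.log(resolveHostname("sqs", "us-gov-west-1", { useFipsEndpoint: true }, before));
console.log(resolveHostname("sqs", "us-gov-west-1", { useFipsEndpoint: true }, after));
```

With `before` the lookup falls through to the partition default and yields the unresolvable `sqs-fips` hostname; with `after` the service-level variant wins and the hostname matches the one listed on the FIPS compliance page.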