
Cognito-idp calls are forcefully routed through IPv6 #6485

Closed
2 tasks done
jbernales5 opened this issue Oct 15, 2021 · 13 comments
Labels
bug This issue is a bug. cognito-idp response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

@jbernales5


Describe the bug
When performing cli calls with the cognito-idp command, all calls are forcefully routed through IPv6. When using an AWS VPN Client, only IPv4 calls are supported and since we have whitelisted in our organization our AWS VPN IPv4 address, it is impossible for us to perform cognito-related calls through the CLI. It is important to note that calls performed with other services (such as S3) work appropriately (see CloudTrail logs below).

SDK version number
aws-cli/2.2.44 Python/3.8.8 Darwin/

Platform/OS/Hardware/Device
MacOS 11.6

To Reproduce (observed behavior)

  • Create a Client VPN Endpoint and attach to it an Elastic IP Address
  • Set up a policy denying access to all resources unless the calls come from the VPN eIP address
  • Mount the AWS VPN client on the machine
  • Perform an aws cognito-idp call (e.g. aws cognito-idp admin-get-user); this call will fail if your internet connection provides you with an IPv6 address
  • Perform an aws s3 call (e.g. aws s3 ls <bucket_name>); this call will succeed

Expected behavior

  • When AWS VPN Client is enabled, all Cognito CLI calls should be routed through the VPN IPv4 addresses

Logs/output
Get full traceback and error logs by adding --debug to the command.
A CloudTrail log when trying to perform the aws cognito-idp admin-get-user call:

 "eventTime": "2021-10-15T07:38:00Z",
 "eventSource": "cognito-idp.amazonaws.com",
 "eventName": "AdminGetUser",
 "awsRegion": "eu-west-1",
 "sourceIPAddress": "2a01:cb11:80c:<REDACTED>", // <-------- USAGE OF IPV6
 "userAgent": "aws-cli/2.2.44 Python/3.8.8 Darwin/20.6.0 exe/x86_64 prompt/off command/cognito-idp.admin-get-user",
 "errorCode": "AccessDenied"

Additional context
A CloudTrail log when performing an aws s3 ls <bucket_name>:

"eventTime": "2021-10-15T07:58:40Z",
"eventSource": "s3.amazonaws.com",
"eventName": "ListBuckets",
"awsRegion": "eu-west-1",
"sourceIPAddress": "34.247.<redacted>" // <-------- USAGE OF IPV4
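As an added example (not code from the issue or from the AWS CLI project), a small CloudTrail triage script that automates the check the reporter did by hand: it classifies each event's sourceIPAddress by address family and flags calls that an IPv4-only VPN allowlist can never match. The Elastic IP, the sample Records and the addresses in them are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample CloudTrail log file, modelled on the two excerpts in the
# issue. Addresses come from documentation ranges; nothing here is real.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-10-15T07:38:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "AdminGetUser", "awsRegion": "eu-west-1",
     "sourceIPAddress": "2001:db8:80c::1", "errorCode": "AccessDenied"},
    {"eventTime": "2021-10-15T07:58:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-10-15T08:01:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-10-15T08:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "s3.amazonaws.com"},
]})

# Hypothetical allowlist: the Client VPN endpoint's Elastic IP (placeholder).
VPN_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]


def load_records(text):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(text)["Records"]


def classify_source(ip_str, allowlist):
    """Return (family, allowed) for one CloudTrail sourceIPAddress value.

    CloudTrail also records service principals such as "s3.amazonaws.com"
    in this field; those are not client egress addresses, so they are
    reported as family "service" and treated as allowed.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return "service", True
    family = "ipv6" if addr.version == 6 else "ipv4"
    # An IPv6 address is never contained in an IPv4 network, so a v4-only
    # allowlist silently fails to match every dual-stack client.
    allowed = any(addr in net for net in allowlist)
    return family, allowed


def find_policy_gaps(records, allowlist):
    """Flag events whose source address did not match the allowlist.

    Each finding carries the address family and a reason, so an analyst
    can tell "client egressed over IPv6" apart from "wrong IPv4 source".
    """
    findings = []
    for ev in records:
        family, allowed = classify_source(ev.get("sourceIPAddress", ""), allowlist)
        if allowed:
            continue
        if family == "ipv6":
            reason = "client egressed over IPv6; an IPv4-only aws:SourceIp allowlist cannot match it"
        else:
            reason = "IPv4 source outside the VPN allowlist"
        findings.append({"eventName": ev["eventName"], "eventSource": ev["eventSource"],
                         "family": family, "errorCode": ev.get("errorCode", "none"),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_policy_gaps(load_records(SAMPLE_LOG), VPN_ALLOWLIST):
        print(json.dumps(finding))
```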
@jbernales5 jbernales5 added the needs-triage This issue or PR still needs to be triaged. label Oct 15, 2021
@stobrien89 stobrien89 self-assigned this Oct 15, 2021
@stobrien89 stobrien89 added guidance Question that needs advice or information. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 15, 2021
@stobrien89
Member

Hi @jbernales5,

Sorry to hear you're having issues. Would it be possible for you to provide debug logs by appending --debug to your cognito command? Please obscure any sensitive information, such as account numbers. Thanks!

@jbernales5
Author

jbernales5 commented Oct 16, 2021

There you go @stobrien89. Thanks for the interest put into this!

❯ aws cognito-idp admin-get-user --user-pool-id <REDACTED> --username test --debug
2021-10-16 09:49:42,305 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.2.44 Python/3.8.8 Darwin/20.6.0 exe/x86_64
2021-10-16 09:49:42,305 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['cognito-idp', 'admin-get-user', '--user-pool-id', '<<REDACTED>>', '--username', 'test', '--debug']
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7fc30414be50>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7fc3036a54c0>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7fc303645c10>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7fc30364fc10>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7fc30415d8b0>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7fc3036f0280>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2021-10-16 09:49:42,326 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7fc304153af0>
2021-10-16 09:49:42,327 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/data/cli.json
2021-10-16 09:49:42,330 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7fc30379ed30>
2021-10-16 09:49:42,330 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7fc3037a18b0>
2021-10-16 09:49:42,330 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7fc3037a1820>
2021-10-16 09:49:42,330 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7fc3037a19d0>
2021-10-16 09:49:42,330 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7fc3037a1940>
2021-10-16 09:49:42,331 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7fc3041f4f00>
2021-10-16 09:49:42,331 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.2.44 Python/3.8.8 Darwin/20.6.0 exe/x86_64 prompt/off
2021-10-16 09:49:42,331 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['cognito-idp', 'admin-get-user', '--user-pool-id', '<REDACTED>', '--username', 'test', '--debug']
2021-10-16 09:49:42,332 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7fc30414f4c0>
2021-10-16 09:49:42,332 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7fc3034003a0>
2021-10-16 09:49:42,332 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7fc3041b9ee0>
2021-10-16 09:49:42,332 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7fc3033fa820>
2021-10-16 09:49:42,332 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7fc303480d30>
2021-10-16 09:49:42,336 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2021-10-16 09:49:42,344 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7fc3036f0160>
2021-10-16 09:49:42,344 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7fc3036a33a0>
2021-10-16 09:49:42,368 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/cognito-idp/2016-04-18/service-2.json
2021-10-16 09:49:42,384 - MainThread - botocore.hooks - DEBUG - Event building-command-table.cognito-idp: calling handler <function add_waiters at 0x7fc304153af0>
2021-10-16 09:49:42,406 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('user-pool-id', <awscli.arguments.CLIArgument object at 0x7fc3045fa2b0>), ('username', <awscli.arguments.CLIArgument object at 0x7fc3045fa340>)])
2021-10-16 09:49:42,406 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.cognito-idp.admin-get-user: calling handler <function add_streaming_output_arg at 0x7fc30414fa60>
2021-10-16 09:49:42,406 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.cognito-idp.admin-get-user: calling handler <function add_cli_input_json at 0x7fc3034875e0>
2021-10-16 09:49:42,407 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.cognito-idp.admin-get-user: calling handler <function add_cli_input_yaml at 0x7fc3034878b0>
2021-10-16 09:49:42,407 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.cognito-idp.admin-get-user: calling handler <function unify_paging_params at 0x7fc3036a5af0>
2021-10-16 09:49:42,435 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/cognito-idp/2016-04-18/paginators-1.json
2021-10-16 09:49:42,435 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.cognito-idp.admin-get-user: calling handler <function add_generate_skeleton at 0x7fc30379e310>
2021-10-16 09:49:42,436 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.cognito-idp.admin-get-user: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7fc3045fa250>>
2021-10-16 09:49:42,436 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.cognito-idp.admin-get-user: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7fc3045fa220>>
2021-10-16 09:49:42,436 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.cognito-idp.admin-get-user: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7fc3045fa550>>
2021-10-16 09:49:42,436 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.cognito-idp.admin-get-user.user-pool-id: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7fc304228220>
2021-10-16 09:49:42,436 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.cognito-idp.admin-get-user: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7fc303433fd0>
2021-10-16 09:49:42,437 - MainThread - awscli.arguments - DEBUG - Unpacked value of '<REDACTED>' for parameter "user_pool_id": '<REDACTED>'
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.cognito-idp.admin-get-user.username: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7fc304228220>
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.cognito-idp.admin-get-user: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7fc303433fd0>
2021-10-16 09:49:42,437 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'test' for parameter "username": 'test'
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.cognito-idp.admin-get-user.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7fc304228220>
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.cognito-idp.admin-get-user.cli-input-yaml: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7fc304228220>
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.cognito-idp.admin-get-user.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7fc304228220>
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event calling-command.cognito-idp.admin-get-user: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputJSONArgument object at 0x7fc3045fa250>>
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event calling-command.cognito-idp.admin-get-user: calling handler <bound method CliInputArgument.add_to_call_parameters of <awscli.customizations.cliinput.CliInputYAMLArgument object at 0x7fc3045fa220>>
2021-10-16 09:49:42,437 - MainThread - botocore.hooks - DEBUG - Event calling-command.cognito-idp.admin-get-user: calling handler <bound method GenerateCliSkeletonArgument.generate_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7fc3045fa550>>
2021-10-16 09:49:42,437 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-10-16 09:49:42,437 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-10-16 09:49:42,438 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-10-16 09:49:42,438 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-10-16 09:49:42,439 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/botocore/data/endpoints.json
2021-10-16 09:49:42,447 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7fc30222edc0>
2021-10-16 09:49:42,449 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.cognito-identity-provider: calling handler <function add_generate_presigned_url at 0x7fc3021993a0>
2021-10-16 09:49:42,499 - MainThread - botocore.endpoint - DEBUG - Setting cognito-idp timeout as (60, 60)
2021-10-16 09:49:42,501 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.cognito-identity-provider.AdminGetUser: calling handler <function base64_decode_input_blobs at 0x7fc3041bb670>
2021-10-16 09:49:42,502 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.cognito-identity-provider.AdminGetUser: calling handler <function generate_idempotent_uuid at 0x7fc302252dc0>
2021-10-16 09:49:42,503 - MainThread - botocore.hooks - DEBUG - Event before-call.cognito-identity-provider.AdminGetUser: calling handler <function inject_api_version_header_if_needed at 0x7fc302259670>
2021-10-16 09:49:42,503 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=AdminGetUser) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'X-Amz-Target': 'AWSCognitoIdentityProviderService.AdminGetUser', 'Content-Type': 'application/x-amz-json-1.1', 'User-Agent': 'aws-cli/2.2.44 Python/3.8.8 Darwin/20.6.0 exe/x86_64 prompt/off command/cognito-idp.admin-get-user'}, 'body': b'{"UserPoolId": "<REDACTED>", "Username": "test"}', 'url': 'https://cognito-idp.eu-west-1.amazonaws.com/', 'context': {'client_region': 'eu-west-1', 'client_config': <botocore.config.Config object at 0x7fc304904790>, 'has_streaming_input': False, 'auth_type': None}}
2021-10-16 09:49:42,504 - MainThread - botocore.hooks - DEBUG - Event request-created.cognito-identity-provider.AdminGetUser: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7fc304904760>>
2021-10-16 09:49:42,504 - MainThread - botocore.hooks - DEBUG - Event choose-signer.cognito-identity-provider.AdminGetUser: calling handler <function set_operation_specific_signer at 0x7fc302252ca0>
2021-10-16 09:49:42,507 - MainThread - botocore.credentials - DEBUG - Credentials for role retrieved from cache.
2021-10-16 09:49:42,508 - MainThread - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2021-10-16 11:49:13+00:00
2021-10-16 09:49:42,509 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-10-16 09:49:42,509 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-amz-json-1.1
host:cognito-idp.eu-west-1.amazonaws.com
x-amz-date:20211016T074942Z
x-amz-security-token:<REDACTED>
x-amz-target:AWSCognitoIdentityProviderService.AdminGetUser

content-type;host;x-amz-date;x-amz-security-token;x-amz-target
1deda14df36accaf339eb8ee28b90cdf6a737890deedd46bc00558463328b4cd
2021-10-16 09:49:42,509 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20211016T074942Z
20211016/eu-west-1/cognito-idp/aws4_request
946db4520dfd5ce88de62e215821a32208f3c72f61d599a9c23ebe399ca6dad4
2021-10-16 09:49:42,510 - MainThread - botocore.auth - DEBUG - Signature:
0ee5c117cd9f3929a0b88207a15249689f27790339d675b57801ee3959a0123c
2021-10-16 09:49:42,510 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://cognito-idp.eu-west-1.amazonaws.com/, headers={'X-Amz-Target': b'AWSCognitoIdentityProviderService.AdminGetUser', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'aws-cli/2.2.44 Python/3.8.8 Darwin/20.6.0 exe/x86_64 prompt/off command/cognito-idp.admin-get-user', 'X-Amz-Date': b'20211016T074942Z', 'X-Amz-Security-Token': b'<REDACTED>', 'Authorization': b'AWS4-HMAC-SHA256 Credential=<REDACTED>/20211016/eu-west-1/cognito-idp/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=0ee5c117cd9f3929a0b88207a15249689f27790339d675b57801ee3959a0123c', 'Content-Length': '57'}>
2021-10-16 09:49:42,511 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/botocore/cacert.pem
2021-10-16 09:49:42,512 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): cognito-idp.eu-west-1.amazonaws.com:443
2021-10-16 09:49:42,759 - MainThread - urllib3.connectionpool - DEBUG - https://cognito-idp.eu-west-1.amazonaws.com:443 "POST / HTTP/1.1" 400 367
2021-10-16 09:49:42,760 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Sat, 16 Oct 2021 07:49:42 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '367', 'Connection': 'keep-alive', 'x-amzn-RequestId': '9728a48a-6361-4620-b530-32f3b7004fed', 'x-amzn-ErrorType': 'AccessDeniedException:'}
2021-10-16 09:49:42,760 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<REDACTED>:assumed-role/AWSReservedSSO<REDACTED>/<REDACTED> is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:eu-west-1:<REDACTED>:userpool/<REDACTED> with an explicit deny in an identity-based policy"}'
2021-10-16 09:49:42,765 - MainThread - botocore.hooks - DEBUG - Event needs-retry.cognito-identity-provider.AdminGetUser: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7fc3049092e0>>
2021-10-16 09:49:42,766 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2021-10-16 09:49:42,766 - MainThread - botocore.hooks - DEBUG - Event after-call.cognito-identity-provider.AdminGetUser: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7fc304904e20>>
2021-10-16 09:49:42,768 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 459, in main
  File "awscli/clidriver.py", line 594, in __call__
  File "awscli/clidriver.py", line 770, in __call__
  File "awscli/clidriver.py", line 901, in invoke
  File "awscli/clidriver.py", line 913, in _make_client_call
  File "botocore/client.py", line 278, in _api_call
  File "botocore/client.py", line 597, in _make_api_call
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the AdminGetUser operation: User: arn:aws:sts::<REDACTED>:assumed-role/AWSReservedSSO<REDACTED>/<REDACTED> is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:eu-west-1:<REDACTED>:userpool/<REDACTED> with an explicit deny in an identity-based policy

An error occurred (AccessDeniedException) when calling the AdminGetUser operation: User: arn:aws:sts::<REDACTED>:assumed-role/AWSReservedSSO<REDACTED>/<REDACTED> is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:eu-west-1:<REDACTED>:userpool/<REDACTED> with an explicit deny in an identity-based policy

@stobrien89
Member

Hi @jbernales5,

Sorry for the delay. Thanks for sending the additional information! To my knowledge, the CLI does not have a way to influence the types of IP addresses used for a given API call, but I'm going to reach out to the Cognito service team to see if they can provide an explanation for this behavior, or any alternatives that could be considered. I'll let you know as soon as I have an update!

@adzney

adzney commented Oct 20, 2021 via email

@stobrien89
Member

P54144954

@jbernales5
Author

Hello @stobrien89, any updates regarding this?

Thanks in advance!

@kdaily
Member

kdaily commented Oct 28, 2021

Hi @jbernales5,

Thanks for checking in. The AWS Cognito team is aware of this and is looking into it. No ETA on when we'll hear back.

@stobrien89 stobrien89 added bug This issue is a bug. service-api This issue is due to a problem in a service API, not the SDK implementation. and removed guidance Question that needs advice or information. labels Nov 11, 2021
@jbernales5
Author

Hi again @kdaily and @stobrien89. Have you had any return regarding this issue from the Cognito team? Are they aware of the issue?

Thanks in advance!

@stobrien89
Member

Hi @jbernales5,

Both the Client VPN and Cognito teams have been investigating this, but there have not been any recent updates. I just reached out to request an update and will let you know as soon as I hear anything!

@stobrien89
Member

Hi @jbernales5,

Thank you so much for your patience. I did get an update from the Client VPN and Cognito teams, who are still investigating the situation, but they wanted to know if you've tried routing IPv6 traffic through the VPN tunnel to prevent IPv6 leaks, as described in this article?

@stobrien89 stobrien89 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 7, 2021
@stobrien89
Member

Hi @jbernales5,

Closing this for now, but let us know if you're still having issues!

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

@josechifflet

Hello,

I'm experiencing this issue, only from macOS devices. I'm using the Amazon Cognito Identity SDK for JavaScript to connect to the Cognito pool from a React web app, and the requests are being blocked by a regional AWS WAF because the requests send the IPv6 address in the headers as the source.

Request headers:

POST /
content-length: 1914
referer: http://localhost:3000/
x-amzn-tls-version: TLSv1.2
sec-fetch-site: cross-site
origin: http://localhost:3000
x-amzn-cognito-client-id: ************
x-forwarded-port: 443
x-amz-user-agent: aws-amplify/5.0.4 js
x-amzn-tls-cipher-suite: ECDHE-RSA-AES128-GCM-SHA256
x-amz-target: AWSCognitoIdentityProviderService.InitiateAuth
sec-ch-ua-mobile: ?0
host: cognito-idp.us-west-2.amazonaws.com
content-type: application/x-amz-json-1.1
cache-control: max-age=0
sec-fetch-mode: cors
x-forwarded-proto: https
accept-language: es-419,es;q=0.9
x-forwarded-for: 2800:a4:*:*:*:*:*:f83f <============================ IPV6 is being sent in the headers
x-amzn-cognito-operation-name: InitiateAuth
accept: */*
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
x-amzn-trace-id: Root=1-*
sec-ch-ua-platform: "macOS"
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
sec-fetch-dest: empty

@jbernales5

Any thoughts?
