From 690f1f768c7b01f95da453eab372070fb43916fe Mon Sep 17 00:00:00 2001 From: Reed Loden Date: Wed, 29 Nov 2023 15:37:13 -0800 Subject: [PATCH] Revert "[v14] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints" This reverts commit fb4e20a2df99237841a31c1fc70b38093f373333 (#34433). After discussion, keeping this change on `master` only, as it has already caused one customer regression (#34804). --- examples/teleport-usage/go.mod | 2 +- examples/teleport-usage/go.sum | 32 +++++++++++++++++++++++-- examples/teleport-usage/main.go | 14 ----------- lib/auth/join_iam.go | 5 ++-- lib/backend/dynamo/dynamodbbk.go | 11 --------- lib/cloud/clients.go | 14 ----------- lib/configurators/aws/aws.go | 15 +----------- lib/events/dynamoevents/dynamoevents.go | 3 --- lib/events/s3sessions/s3handler.go | 2 -- lib/srv/app/cloud.go | 10 -------- lib/utils/aws/signing.go | 11 --------- 11 files changed, 34 insertions(+), 85 deletions(-) diff --git a/examples/teleport-usage/go.mod b/examples/teleport-usage/go.mod index eaf6665957da9..19d63895948d9 100644 --- a/examples/teleport-usage/go.mod +++ b/examples/teleport-usage/go.mod @@ -3,7 +3,7 @@ module usage-script go 1.19 require ( - github.com/aws/aws-sdk-go v1.47.4 + github.com/aws/aws-sdk-go v1.44.269 github.com/stretchr/testify v1.8.3 ) diff --git a/examples/teleport-usage/go.sum b/examples/teleport-usage/go.sum index ba1d2e24403b0..fd9caf8223a55 100644 --- a/examples/teleport-usage/go.sum +++ b/examples/teleport-usage/go.sum @@ -1,5 +1,5 @@ -github.com/aws/aws-sdk-go v1.47.4 h1:IyhNbmPt+5ldi5HNzv7ZnXiqSglDMaJiZlzj4Yq3qnk= -github.com/aws/aws-sdk-go v1.47.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.44.269 h1:NUNq++KMjhWUVVUIx7HYLgBpX16bWfTY1EdQRraLALo= +github.com/aws/aws-sdk-go v1.44.269/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -7,11 +7,39 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= diff --git a/examples/teleport-usage/main.go b/examples/teleport-usage/main.go index 79d194d41f673..5e663a60b17e3 100644 --- a/examples/teleport-usage/main.go +++ b/examples/teleport-usage/main.go @@ -17,21 +17,18 @@ limitations under the License. package main import ( - "crypto/sha256" "errors" "fmt" "log" "math" "math/rand" "os" - "reflect" "strconv" "strings" "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/aws/endpoints" awsrequest "github.com/aws/aws-sdk-go/aws/request" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/dynamodb" @@ -64,15 +61,6 @@ func main() { // If this is too high and we encounter throttling that could impede Teleport, it will be adjusted automatically. limiter := newAdaptiveRateLimiter(25) - // Check the package name for one of the boring primitives. If the package - // path is from BoringCrypto, we know this binary was compiled using - // `GOEXPERIMENT=boringcrypto`. - hash := sha256.New() - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring" { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } - // create an AWS session using default SDK behavior, i.e. it will interpret // the environment and ~/.aws directory just like an AWS CLI tool would: session, err := awssession.NewSessionWithOptions(awssession.Options{ @@ -81,8 +69,6 @@ func main() { Retryer: limiter, Region: aws.String(params.awsRegion), CredentialsChainVerboseErrors: aws.Bool(true), - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, }, }) if err != nil { diff --git a/lib/auth/join_iam.go b/lib/auth/join_iam.go index 54367306c1512..9b87d0888f6ab 100644 --- a/lib/auth/join_iam.go +++ b/lib/auth/join_iam.go @@ -439,9 +439,8 @@ func createSignedSTSIdentityRequest(ctx context.Context, challenge string, opts func newSTSClient(ctx context.Context, cfg *stsIdentityRequestConfig) (*sts.STS, error) { awsConfig := awssdk.Config{ - EC2MetadataEnableFallback: awssdk.Bool(false), - UseFIPSEndpoint: cfg.fipsEndpointOption, - STSRegionalEndpoint: cfg.regionalEndpointOption, + UseFIPSEndpoint: cfg.fipsEndpointOption, + STSRegionalEndpoint: cfg.regionalEndpointOption, } sess, err := session.NewSessionWithOptions(session.Options{ SharedConfigState: session.SharedConfigEnable, diff --git a/lib/backend/dynamo/dynamodbbk.go b/lib/backend/dynamo/dynamodbbk.go index 91834007174c2..a06773e9d6b36 100644 --- a/lib/backend/dynamo/dynamodbbk.go +++ b/lib/backend/dynamo/dynamodbbk.go @@ -29,7 +29,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/applicationautoscaling" "github.com/aws/aws-sdk-go/service/dynamodb" @@ -44,7 +43,6 @@ import ( "github.com/gravitational/teleport/api/utils" "github.com/gravitational/teleport/lib/backend" "github.com/gravitational/teleport/lib/defaults" - "github.com/gravitational/teleport/lib/modules" dynamometrics "github.com/gravitational/teleport/lib/observability/metrics/dynamo" ) @@ -235,19 +233,10 @@ func New(ctx context.Context, params backend.Params) (*Backend, error) { clock: clockwork.NewRealClock(), buf: buf, } - // determine if the FIPS endpoints should be used - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if modules.GetModules().IsBoringBinary() { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } // create an AWS session using default SDK behavior, i.e. it will interpret // the environment and ~/.aws directory just like an AWS CLI tool would: b.session, err = session.NewSessionWithOptions(session.Options{ SharedConfigState: session.SharedConfigEnable, - Config: aws.Config{ - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, - }, }) if err != nil { return nil, trace.Wrap(err) diff --git a/lib/cloud/clients.go b/lib/cloud/clients.go index 091c98f838613..c79c25d01ac10 100644 --- a/lib/cloud/clients.go +++ b/lib/cloud/clients.go @@ -983,19 +983,12 @@ func (c *TestCloudClients) GetAWSSession(ctx context.Context, region string, opt // GetAWSSession returns AWS session for the specified region. func (c *TestCloudClients) getAWSSessionForRegion(region string) (*awssession.Session, error) { - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if modules.GetModules().IsBoringBinary() { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } - return awssession.NewSession(&aws.Config{ Credentials: credentials.NewCredentials(&credentials.StaticProvider{Value: credentials.Value{ AccessKeyID: "fakeClientKeyID", SecretAccessKey: "fakeClientSecret", }}), Region: aws.String(region), - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, }) } @@ -1240,18 +1233,11 @@ func newSessionWithRole(ctx context.Context, svc stscreds.AssumeRoler, region, r } func buildAWSSessionOptions(region string, cred *credentials.Credentials) awssession.Options { - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if modules.GetModules().IsBoringBinary() { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } - return awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, Config: aws.Config{ Region: aws.String(region), Credentials: cred, - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, }, } } diff --git a/lib/configurators/aws/aws.go b/lib/configurators/aws/aws.go index bc0c89e9bb504..c8c862605c026 100644 --- a/lib/configurators/aws/aws.go +++ b/lib/configurators/aws/aws.go @@ -23,7 +23,6 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/aws/awserr" - "github.com/aws/aws-sdk-go/aws/endpoints" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam/iamiface" @@ -42,7 +41,6 @@ import ( awslib "github.com/gravitational/teleport/lib/cloud/aws" "github.com/gravitational/teleport/lib/configurators" "github.com/gravitational/teleport/lib/defaults" - "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/service/servicecfg" "github.com/gravitational/teleport/lib/services" "github.com/gravitational/teleport/lib/srv/db/secrets" @@ -314,11 +312,6 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error { return trace.BadParameter("config file is required") } - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if modules.GetModules().IsBoringBinary() { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } - // When running the command in manual mode, we want to have zero dependency // with AWS configurations (like awscli or environment variables), so that // the user can run this command and generate the instructions without any @@ -329,10 +322,6 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error { if c.AWSSession == nil { c.AWSSession, err = awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, - Config: aws.Config{ - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, - }, }) if err != nil { return trace.Wrap(err) @@ -363,9 +352,7 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error { } session, err := awssession.NewSessionWithOptions(awssession.Options{ Config: aws.Config{ - Region: ®ion, - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, + Region: ®ion, }, SharedConfigState: awssession.SharedConfigEnable, }) diff --git a/lib/events/dynamoevents/dynamoevents.go b/lib/events/dynamoevents/dynamoevents.go index bb77d435c5da7..a3f0847896cd5 100644 --- a/lib/events/dynamoevents/dynamoevents.go +++ b/lib/events/dynamoevents/dynamoevents.go @@ -283,9 +283,6 @@ func New(ctx context.Context, cfg Config) (*Log, error) { // Explicitly enable or disable FIPS endpoints for DynamoDB b.session.Config.UseFIPSEndpoint = events.FIPSProtoStateToAWSState(cfg.UseFIPSEndpoint) - // Explicitly disable IMDSv1 fallback - b.session.Config.EC2MetadataEnableFallback = aws.Bool(false) - // create DynamoDB service: svc, err := dynamometrics.NewAPIMetrics(dynamometrics.Events, dynamodb.New(b.session)) if err != nil { diff --git a/lib/events/s3sessions/s3handler.go b/lib/events/s3sessions/s3handler.go index 58e98dafdc83d..3c6f1d7602e1c 100644 --- a/lib/events/s3sessions/s3handler.go +++ b/lib/events/s3sessions/s3handler.go @@ -178,8 +178,6 @@ func (s *Config) CheckAndSetDefaults() error { sess.Config.Credentials = s.Credentials } - sess.Config.EC2MetadataEnableFallback = aws.Bool(false) - sess.Config.UseFIPSEndpoint = events.FIPSProtoStateToAWSState(s.UseFIPSEndpoint) s.Session = sess diff --git a/lib/srv/app/cloud.go b/lib/srv/app/cloud.go index 76c97cd6528e1..210cc40b96d38 100644 --- a/lib/srv/app/cloud.go +++ b/lib/srv/app/cloud.go @@ -29,14 +29,12 @@ import ( "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" "github.com/aws/aws-sdk-go/aws/credentials/ssocreds" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" - "github.com/aws/aws-sdk-go/aws/endpoints" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/gravitational/trace" "github.com/jonboulle/clockwork" "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/constants" - "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/tlsca" awsutils "github.com/gravitational/teleport/lib/utils/aws" ) @@ -95,16 +93,8 @@ type CloudConfig struct { // CheckAndSetDefaults validates the config. func (c *CloudConfig) CheckAndSetDefaults() error { if c.Session == nil { - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if modules.GetModules().IsBoringBinary() { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } session, err := awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, - Config: aws.Config{ - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, - }, }) if err != nil { return trace.Wrap(err) diff --git a/lib/utils/aws/signing.go b/lib/utils/aws/signing.go index e45f55153407a..858bd26763bf0 100644 --- a/lib/utils/aws/signing.go +++ b/lib/utils/aws/signing.go @@ -23,13 +23,10 @@ import ( "net/http" "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/endpoints" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/gravitational/trace" "github.com/jonboulle/clockwork" - "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/utils" ) @@ -66,16 +63,8 @@ func (s *SigningServiceConfig) CheckAndSetDefaults() error { s.Clock = clockwork.NewRealClock() } if s.Session == nil { - useFIPSEndpoint := endpoints.FIPSEndpointStateUnset - if modules.GetModules().IsBoringBinary() { - useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled - } ses, err := awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, - Config: aws.Config{ - EC2MetadataEnableFallback: aws.Bool(false), - UseFIPSEndpoint: useFIPSEndpoint, - }, }) if err != nil { return trace.Wrap(err)