Not able to use FIPS in AWS non-GovCloud #34804

Closed
tunguyen9889 opened this issue Nov 20, 2023 · 4 comments · Fixed by #34876
Labels
aws Used for AWS Related Issues. bug

Comments

@tunguyen9889
Contributor

tunguyen9889 commented Nov 20, 2023

Expected behavior:

  • Teleport should be able to run with FIPS in AWS non-GovCloud

Current behavior:

  • We're running some self-hosted Teleport clusters in AWS and have FIPS enabled in some environments (us-west-2, ca-central-1). Below is our current architecture of a Teleport cluster:

(architecture diagram: teleport-architect)

{"caller":"dynamo/shards.go:60","component":"dynamodb","level":"error","message":"Poll streams returned with error: RequestError: send request failed\ncaused by: Post \"https://streams.dynamodb-fips.ca-central-1.amazonaws.com/\": dial tcp: lookup streams.dynamodb-fips.ca-central-1.amazonaws.com on 169.254.20.10:53: no such host.","timestamp":"2023-11-20T18:41:40Z"}


  • We want the ability to fall back to the non-FIPS endpoint for DynamoDB Streams. Previous version 1.14.3 is working fine and doesn't have any error message like the above.

Bug details:

  • Teleport version: 14.1.5
  • Recreation steps: Run Teleport with FIPS-mode in AWS with S3 bucket and DynamoDB tables as backends.
  • Debug logs:
{"caller":"dynamo/shards.go:60","component":"dynamodb","level":"error","message":"Poll streams returned with error: RequestError: send request failed\ncaused by: Post \"https://streams.dynamodb-fips.ca-central-1.amazonaws.com/\": dial tcp: lookup streams.dynamodb-fips.ca-central-1.amazonaws.com on 169.254.20.10:53: no such host.","timestamp":"2023-11-20T18:41:40Z"}
@zmb3 zmb3 added the aws Used for AWS Related Issues. label Nov 21, 2023
@reedloden reedloden self-assigned this Nov 21, 2023
reedloden added a commit that referenced this issue Nov 29, 2023
…ation Auto Scaling

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
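The failure mode the report and the commit message describe (a FIPS endpoint resolved for a service that has no FIPS endpoint in AWS Standard, surfacing as "no such host") can be reproduced and caught with a small endpoint fallback plus a log check. This is an added example, not Teleport's code; the fallback list and the hostname formatting are assumptions modelled on the AWS list the commit links and the log line in the report:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Services with no FIPS endpoint outside GovCloud, per the AWS list linked in
// the commit message. Assumed set for this example; verify against that page.
var noFIPSOutsideGovCloud = map[string]bool{
	"streams.dynamodb":        true,
	"application-autoscaling": true,
}

// Endpoint builds a hostname with the "-fips" label suffix seen in the report's
// log, but falls back to the standard endpoint when FIPS is requested for a
// service that has none in AWS Standard. Simplified: the real SDK uses metadata.
func Endpoint(service, region string, fips bool) (host string, fellBack bool) {
	govCloud := strings.HasPrefix(region, "us-gov-")
	if fips && !govCloud && noFIPSOutsideGovCloud[service] {
		return fmt.Sprintf("%s.%s.amazonaws.com", service, region), true
	}
	if fips {
		return fmt.Sprintf("%s-fips.%s.amazonaws.com", service, region), false
	}
	return fmt.Sprintf("%s.%s.amazonaws.com", service, region), false
}

// sampleLog is the error line quoted in the issue report above.
const sampleLog = `{"caller":"dynamo/shards.go:60","component":"dynamodb","level":"error","message":"Poll streams returned with error: RequestError: send request failed\ncaused by: Post \"https://streams.dynamodb-fips.ca-central-1.amazonaws.com/\": dial tcp: lookup streams.dynamodb-fips.ca-central-1.amazonaws.com on 169.254.20.10:53: no such host.","timestamp":"2023-11-20T18:41:40Z"}`

// MissingFIPSEndpoint flags a Teleport JSON log line whose error is a DNS
// failure for a "-fips." hostname, the signature of this regression.
func MissingFIPSEndpoint(line string) (host string, ok bool) {
	var e map[string]string // every field in this log format is a string
	if json.Unmarshal([]byte(line), &e) != nil || e["level"] != "error" {
		return "", false
	}
	msg := e["message"]
	i := strings.Index(msg, "lookup ")
	if i < 0 || !strings.Contains(msg, "no such host") {
		return "", false
	}
	f := strings.Fields(msg[i+len("lookup "):])
	if len(f) == 0 || !strings.Contains(f[0], "-fips.") {
		return "", false
	}
	return f[0], true
}
```

Alerting on MissingFIPSEndpoint hits surfaces a broken stream poller early; in a Teleport deployment that poller feeds audit events, so silent failure here means missing audit data, not just a noisy log.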
github-merge-queue bot pushed a commit that referenced this issue Nov 29, 2023
…ation Auto Scaling (#34876)

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
github-actions bot pushed a commit that referenced this issue Nov 29, 2023
…ation Auto Scaling

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
reedloden added a commit that referenced this issue Nov 29, 2023
…Application Auto Scaling

Backport of #34876.

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
reedloden added a commit that referenced this issue Nov 29, 2023
…points"

This reverts commit fb4e20a (#34433).

After discussion, keeping this change on `master` only, as it has
already caused one customer regression (#34804).
github-merge-queue bot pushed a commit that referenced this issue Nov 30, 2023
…points" (#35169)

This reverts commit fb4e20a (#34433).

After discussion, keeping this change on `master` only, as it has
already caused one customer regression (#34804).
@tunguyen9889
Contributor Author

Hi @reedloden, thanks for working on the PR! But I'm a bit confused about why it was reverted after being merged. Does it mean this issue will not be fixed and Teleport will enforce using the FIPS endpoint for DynamoDB Streams?

@reedloden
Contributor

Hi @reedloden, thanks for working on the PR! But I'm a bit confused about why it was reverted after being merged. Does it mean this issue will not be fixed and Teleport will enforce using the FIPS endpoint for DynamoDB Streams?

No worries. Our release process can be a bit confusing. The original change and the follow-up fix are on master (what will become Teleport 15 in January 2024). Instead of fixing the issue you discovered on Teleport 14, we decided to revert the original change on that release branch just in case there are additional regressions. So, the next release of Teleport 14.x will still have this issue resolved.

Thanks again for reporting it!

@tunguyen9889
Contributor Author

Awesome! Thanks a lot for your quick fix, @reedloden! I'm waiting for the next release to test it on our clusters.

@tunguyen9889
Contributor Author

Confirmed version 14.2.1 fixed the issue.
