The cloud providers in the attack range templates default to the commercial endpoints for AWS/GCP, and there is currently not an option to specify Azure Government/AWS GovCloud.
Diagnosis
- Azure authentication authority defaults to commercial Entra ID
In attack_range/cloud_providers/azure_provider.py, every client uses:
No sovereign authority is specified, so environment-based credentials default to the public-cloud authority rather than login.microsoftonline.us.
Microsoft’s Python guidance requires AzureAuthorityHosts.AZURE_GOVERNMENT for Azure Government.
- Azure management clients default to public ARM
The code constructs ResourceManagementClient and StorageManagementClient without either:
base_url="https://management.usgovcloudapi.net"
credential_scopes=["https://management.usgovcloudapi.net/.default"]
Therefore, they communicate with management.azure.com. Microsoft notes that sovereign-cloud clients need both the correct authority and the appropriate management endpoint/scope.
This produces errors such as:
- SubscriptionNotFound
- InvalidAuthenticationTokenAudience
- Authentication succeeding but the subscription not existing in the selected cloud
- Requests unexpectedly going to management.azure.com
- Blob Storage is explicitly hard-coded to commercial Azure
These two locations are unequivocal:
account_url=f"https://{account_name}.blob.core.windows.net"
They appear in both check_storage_container() and create_storage_container().
Azure Government Blob Storage uses:
<account>.blob.core.usgovcloudapi.net
Microsoft’s Azure Government Storage documentation confirms that endpoint and shows it paired with the Government authority.
This means there is no complete environment-variable-only workaround for the current source. Even after fixing authentication and ARM settings, backend-container creation still contacts public Blob Storage.
- The Terraform Azure provider defaults to public
Current terraform/azure/main.tf:
provider "azurerm" {
features {}
subscription_id = var.azure.subscription_id
}
It has no:
environment = "usgovernment"
The AzureRM provider supports usgovernment, but defaults to public when it is omitted.
- The Terraform state backend separately defaults to public
The generated backend "azurerm" block also lacks an environment:
backend "azurerm" {
resource_group_name = "..."
storage_account_name = "..."
container_name = "tfstate"
key = "terraform.tfstate"
}
Terraform’s AzureRM backend has its own environment setting and independently defaults to public. It also recognizes ARM_ENVIRONMENT=usgovernment.
The provider and backend must both target Azure Government; fixing only one is insufficient.
- The application UI cannot describe Azure Government
api/cloud_fields.py has:
- No Azure environment selector
- No Azure Government locations
- Only commercial locations such as East US, West Europe, and Central US
So the generated configuration cannot distinguish between:
azure:
environment: public
and:
azure:
environment: usgovernment
AWS GovCloud is different
The AWS runtime implementation is largely partition-compatible already:
boto3.client("s3", region_name=region)
boto3.client("ec2", region_name=region)
and:
provider "aws" {
region = var.aws.region
}
Boto3 recognizes aws-us-gov as a distinct partition, and AWS identifies us-gov-east-1 and us-gov-west-1 as the GovCloud region names.
The main AWS problem is that the UI’s fixed region list excludes both GovCloud regions. Unlike Azure, there did not seem to be any commercial API endpoints hard-coded in the AWS backend/provider implementation.
The cloud providers in the attack range templates default to the commercial endpoints for AWS/GCP, and there is currently not an option to specify Azure Government/AWS GovCloud.
Diagnosis
In attack_range/cloud_providers/azure_provider.py, every client uses:
DefaultAzureCredential()No sovereign authority is specified, so environment-based credentials default to the public-cloud authority rather than login.microsoftonline.us.
Microsoft’s Python guidance requires AzureAuthorityHosts.AZURE_GOVERNMENT for Azure Government.
The code constructs ResourceManagementClient and StorageManagementClient without either:
Therefore, they communicate with management.azure.com. Microsoft notes that sovereign-cloud clients need both the correct authority and the appropriate management endpoint/scope.
This produces errors such as:
These two locations are unequivocal:
They appear in both check_storage_container() and create_storage_container().
Azure Government Blob Storage uses:
Microsoft’s Azure Government Storage documentation confirms that endpoint and shows it paired with the Government authority.
This means there is no complete environment-variable-only workaround for the current source. Even after fixing authentication and ARM settings, backend-container creation still contacts public Blob Storage.
Current terraform/azure/main.tf:
It has no:
The AzureRM provider supports usgovernment, but defaults to public when it is omitted.
The generated backend "azurerm" block also lacks an environment:
Terraform’s AzureRM backend has its own environment setting and independently defaults to public. It also recognizes ARM_ENVIRONMENT=usgovernment.
The provider and backend must both target Azure Government; fixing only one is insufficient.
api/cloud_fields.py has:
So the generated configuration cannot distinguish between:
and:
AWS GovCloud is different
The AWS runtime implementation is largely partition-compatible already:
and:
Boto3 recognizes aws-us-gov as a distinct partition, and AWS identifies us-gov-east-1 and us-gov-west-1 as the GovCloud region names.
The main AWS problem is that the UI’s fixed region list excludes both GovCloud regions. Unlike Azure, there did not seem to be any commercial API endpoints hard-coded in the AWS backend/provider implementation.