CLI is using the wrong FIPS endpoint for resource groups tagging API #9081

Closed
1 task
markdboyd opened this issue Nov 18, 2024 · 6 comments
Labels
bug This issue is a bug. closed-for-staleness p2 This is a standard priority issue resourcegroupstaggingapi response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@markdboyd

Describe the bug

When trying to use the aws resourcegroupstaggingapi service from the CLI with use_fips_endpoint = true in my AWS config, I'm getting this error:

Could not connect to the endpoint URL: "https://tagging-fips.us-gov-west-1.amazonaws.com/"

This error makes sense because indeed that endpoint does not exist. There is no specific FIPS endpoint for the tagging service, so the actual endpoint should be https://tagging.us-gov-west-1.amazonaws.com/.

Somehow the CLI is configured to use the wrong endpoint when running in FIPS mode.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

There should be no endpoint errors when trying to run aws resourcegroupstaggingapi commands

Current Behavior

Got this error when trying to run aws resourcegroupstaggingapi commands:

Could not connect to the endpoint URL: "https://tagging-fips.us-gov-west-1.amazonaws.com/"

Reproduction Steps

  1. Configure the AWS CLI to use FIPS endpoints.
  2. Run a command like aws resourcegroupstaggingapi get-resources

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.21.3

Environment details (OS name and version, etc.)

Mac OS Sonoma 14.7.1

@markdboyd markdboyd added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Nov 18, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added resourcegroupstaggingapi p2 This is a standard priority issue needs-review This issue or pull request needs review from a core team member. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2024
@RyanFitzSimmonsAK
Contributor

Hi @markdboyd, thanks for reaching out. This behavior is documented (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-endpoints.html).

> If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the --endpoint-url option or use service-specific endpoints.

Additionally, the expected behavior you described of defaulting to a GovCloud endpoint if a FIPS endpoint doesn't exist isn't something we support. Please let me know if you have any follow-up questions.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-review This issue or pull request needs review from a core team member. labels Nov 19, 2024
@markdboyd
Author

@RyanFitzSimmonsAK Thanks for responding. I can see that this behavior is documented as you say.

Is there a reason that the CLI cannot or will not be updated to only use FIPS endpoints when they're available rather than failing when a FIPS endpoint does not exist?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 19, 2024
@markdboyd
Author

Would it be better to report this issue on https://github.com/boto/botocore since I assume that is where the relevant code lives?

@markdboyd
Author

To be even more precise, could the issue be resolved by changing this configuration to use the non-FIPS endpoints?

https://github.com/boto/botocore/blob/develop/botocore/data/resourcegroupstaggingapi/2017-01-26/endpoint-rule-set-1.json#L176

@RyanFitzSimmonsAK
Contributor

> Is there a reason that the CLI cannot or will not be updated to only use FIPS endpoints when they're available rather than failing when a FIPS endpoint does not exist?

This is definitely a breaking change, and also presents security and compliance concerns if users could end up using a non-FIPS endpoint when they want to be using one.

Given that this is documented and intentional, it's not really a bug. If you have a specific feature request that you think would make this behavior easier to use or more intuitive, I encourage you to open a feature request in this repository.
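
Added example, not part of the thread and not AWS CLI or botocore code: the documented workaround (a service-specific endpoint) and the compliance concern raised above meet in the config file, where an override can send one service to a non-FIPS host while the profile still sets `use_fips_endpoint = true`. The sketch below audits a config for that case; the sample config, its profile and section names, and the "fips in the hostname" heuristic are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of an AWS config file (not taken from the issue).
SAMPLE_CONFIG = """\
[profile govcloud]
region = us-gov-west-1
use_fips_endpoint = true
services = govcloud-overrides

[profile sandbox]
services = govcloud-overrides

[services govcloud-overrides]
resource_groups_tagging_api =
  endpoint_url = https://tagging.us-gov-west-1.amazonaws.com
kms =
  endpoint_url = https://kms-fips.us-gov-west-1.amazonaws.com
"""

def _nested(value):
    """Parse the indented 'key = value' lines nested under a service id."""
    pairs = (line.split("=", 1) for line in value.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_fips_overrides(config_text):
    """Return (profile, service, host) for non-FIPS overrides in FIPS profiles."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []
    for section in cfg.sections():
        if section != "default" and not section.startswith("profile "):
            continue
        prof = cfg[section]
        if prof.get("use_fips_endpoint", "false").strip().lower() != "true":
            continue  # FIPS not requested for this profile, nothing to flag
        services = "services " + prof.get("services", "").strip()
        if not cfg.has_section(services):
            continue
        for service, raw in cfg[services].items():
            host = urlparse(_nested(raw).get("endpoint_url", "")).hostname
            # Assumption: a host counts as FIPS only if its name contains 'fips'.
            if host and "fips" not in host.lower():
                findings.append((section.removeprefix("profile "), service, host))
    return findings

if __name__ == "__main__":
    for finding in audit_fips_overrides(SAMPLE_CONFIG):
        print("non-FIPS override in FIPS profile:", *finding)
```

Each finding is an override to review and record as a deliberate exception, since the hostname heuristic cannot tell whether the target endpoint itself meets the FIPS requirement.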

@RyanFitzSimmonsAK RyanFitzSimmonsAK added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 21, 2024

github-actions bot commented Dec 1, 2024

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Dec 1, 2024
@github-actions github-actions bot closed this as completed Dec 5, 2024

2 participants