diff --git a/examples/teleport-usage/go.mod b/examples/teleport-usage/go.mod
index 3846417249ba8..902694b1abc19 100644
--- a/examples/teleport-usage/go.mod
+++ b/examples/teleport-usage/go.mod
@@ -3,7 +3,7 @@ module usage-script
 go 1.19
 
 require (
-	github.com/aws/aws-sdk-go v1.44.224
+	github.com/aws/aws-sdk-go v1.47.4
 	github.com/stretchr/testify v1.8.2
 )
 
diff --git a/examples/teleport-usage/go.sum b/examples/teleport-usage/go.sum
index 86627f4f1eacb..588ee23bdad94 100644
--- a/examples/teleport-usage/go.sum
+++ b/examples/teleport-usage/go.sum
@@ -1,5 +1,5 @@
-github.com/aws/aws-sdk-go v1.44.224 h1:09CiaaF35nRmxrzWZ2uRq5v6Ghg/d2RiPjZnSgtt+RQ=
-github.com/aws/aws-sdk-go v1.44.224/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.47.4 h1:IyhNbmPt+5ldi5HNzv7ZnXiqSglDMaJiZlzj4Yq3qnk=
+github.com/aws/aws-sdk-go v1.47.4/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -7,7 +7,6 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -17,33 +16,6 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
diff --git a/examples/teleport-usage/main.go b/examples/teleport-usage/main.go
index 5e663a60b17e3..79d194d41f673 100644
--- a/examples/teleport-usage/main.go
+++ b/examples/teleport-usage/main.go
@@ -17,18 +17,21 @@ limitations under the License. package main import ( + "crypto/sha256" "errors" "fmt" "log" "math" "math/rand" "os" + "reflect" "strconv" "strings" "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/endpoints" awsrequest "github.com/aws/aws-sdk-go/aws/request" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/dynamodb" @@ -61,6 +64,15 @@ func main() { // If this is too high and we encounter throttling that could impede Teleport, it will be adjusted automatically. limiter := newAdaptiveRateLimiter(25) + // Check the package name for one of the boring primitives. If the package + // path is from BoringCrypto, we know this binary was compiled using + // `GOEXPERIMENT=boringcrypto`. + hash := sha256.New() + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring" { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } + // create an AWS session using default SDK behavior, i.e. it will interpret // the environment and ~/.aws directory just like an AWS CLI tool would: session, err := awssession.NewSessionWithOptions(awssession.Options{ @@ -69,6 +81,8 @@ func main() { Retryer: limiter, Region: aws.String(params.awsRegion), CredentialsChainVerboseErrors: aws.Bool(true), + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: useFIPSEndpoint, }, }) if err != nil { diff --git a/go.mod b/go.mod index 23e941d305383..554ec1d7743a5 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/alicebob/miniredis/v2 v2.30.0 github.com/aquasecurity/libbpfgo v0.5.1-libbpf-1.2 github.com/armon/go-radix v1.0.0 - github.com/aws/aws-sdk-go v1.44.180 + github.com/aws/aws-sdk-go v1.44.244 github.com/aws/aws-sdk-go-v2 v1.17.8 github.com/aws/aws-sdk-go-v2/config v1.18.8 github.com/aws/aws-sdk-go-v2/credentials v1.13.8 diff --git a/go.sum b/go.sum index 031b0fafe1515..ef6e3c42400cb 100644 
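Review bot: The BoringCrypto detection added to main() keys off `reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring"`, an internal package whose concrete hash types carry no compatibility promise, so a later Go release can quietly make a FIPS build of this script use the standard endpoints with no error anywhere. Because the example module is already at go 1.19, the `boringcrypto` build constraint is set whenever GOEXPERIMENT=boringcrypto, and the same fact can be pinned at compile time with a file carrying `//go:build boringcrypto` and `const isBoringBinary = true` plus a `//go:build !boringcrypto` twin declaring `false`, after which the `crypto/sha256` and `reflect` imports can go. Presumably the reflection trick was chosen because this standalone module cannot import teleport's lib/modules; the build-tag constant keeps that independence. Whichever detection stays, the comment should also say what `FIPSEndpointStateEnabled` means for regions without a DynamoDB FIPS endpoint — the join_iam.go comment elsewhere in this diff notes the SDK resolves an invalid endpoint in that case rather than falling back — so an operator knows why the script errors there.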
--- a/go.sum +++ b/go.sum @@ -169,8 +169,8 @@ github.com/aws/aws-sdk-go v1.17.4/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.44.180 h1:VLZuAHI9fa/3WME5JjpVjcPCNfpGHVMiHx8sLHWhMgI= -github.com/aws/aws-sdk-go v1.44.180/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go v1.44.244 h1:QzBWLD5HjZHdRZyTMTOWtD9Pobzf1n8/CeTJB4giXi0= +github.com/aws/aws-sdk-go v1.44.244/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2 v1.17.8 h1:GMupCNNI7FARX27L7GjCJM8NgivWbRgpjNI/hOQjFS8= diff --git a/integration/ec2_test.go b/integration/ec2_test.go index c96c1ca1dfc80..d76bf8f9dd822 100644 --- a/integration/ec2_test.go +++ b/integration/ec2_test.go @@ -26,6 +26,7 @@ import ( "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/feature/ec2/imds" + "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/sts" "github.com/gravitational/trace" @@ -138,6 +139,9 @@ func getIID(t *testing.T) imds.InstanceIdentityDocument { func getCallerIdentity(t *testing.T) *sts.GetCallerIdentityOutput { sess, err := session.NewSessionWithOptions(session.Options{ SharedConfigState: session.SharedConfigEnable, + Config: aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), + }, }) require.NoError(t, err) stsService := sts.New(sess) diff --git a/lib/auth/join_iam.go b/lib/auth/join_iam.go index f5ad9fe7526ff..5c743a91fc85a 100644 --- a/lib/auth/join_iam.go +++ b/lib/auth/join_iam.go 
@@ -474,8 +474,9 @@ func createSignedSTSIdentityRequest(ctx context.Context, challenge string, opts func newSTSClient(ctx context.Context, cfg *stsIdentityRequestConfig) (*sts.STS, error) { awsConfig := awssdk.Config{ - UseFIPSEndpoint: cfg.fipsEndpointOption, - STSRegionalEndpoint: cfg.regionalEndpointOption, + EC2MetadataEnableFallback: awssdk.Bool(false), + UseFIPSEndpoint: cfg.fipsEndpointOption, + STSRegionalEndpoint: cfg.regionalEndpointOption, } sess, err := session.NewSessionWithOptions(session.Options{ SharedConfigState: session.SharedConfigEnable, @@ -506,11 +507,11 @@ func newSTSClient(ctx context.Context, cfg *stsIdentityRequestConfig) (*sts.STS, if cfg.fipsEndpointOption == endpoints.FIPSEndpointStateEnabled && !slices.Contains(validSTSEndpoints, strings.TrimPrefix(stsClient.Endpoint, "https://")) { // The AWS SDK will generate invalid endpoints when attempting to - // resolve the FIPS endpoint for a region which does not have one. + // resolve the FIPS endpoint for a region that does not have one. // In this case, try to use the FIPS endpoint in us-east-1. This should - // work for all regions in the standard partition. In GovCloud we should + // work for all regions in the standard partition. In GovCloud, we should // not hit this because all regional endpoints support FIPS. In China or - // other partitions this will fail and FIPS mode will not be supported. + // other partitions, this will fail, and FIPS mode will not be supported. log.Infof("AWS SDK resolved FIPS STS endpoint %s, which does not appear to be valid. "+ "Attempting to use the FIPS STS endpoint for us-east-1.", stsClient.Endpoint) diff --git a/lib/backend/dynamo/dynamodbbk.go b/lib/backend/dynamo/dynamodbbk.go index 7150a6bbe91a7..3b48bf4d98cb1 100644 --- a/lib/backend/dynamo/dynamodbbk.go +++ b/lib/backend/dynamo/dynamodbbk.go 
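Review bot: The new `EC2MetadataEnableFallback: awssdk.Bool(false)` in newSTSClient is undocumented, and this is the session in the diff where the trade-off matters most: it is the credential source for the IAM join method, and with fallback disabled an IMDSv2 token failure ends credential resolution instead of retrying over IMDSv1. I'd state the intent inline, e.g. `// Require IMDSv2; never fall back to the unauthenticated IMDSv1 endpoint for instance credentials.`, and add that an instance whose metadata hop limit is presumably too low for a containerised node (a common reason the IMDSv2 PUT fails) will now refuse to join rather than silently downgrade, which is the right outcome but needs to be discoverable from the code. newSTSClient starts before this hunk and continues after it.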
@@ -29,6 +29,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr" "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/applicationautoscaling" "github.com/aws/aws-sdk-go/service/dynamodb" @@ -43,6 +44,7 @@ import ( "github.com/gravitational/teleport/api/utils" "github.com/gravitational/teleport/lib/backend" "github.com/gravitational/teleport/lib/defaults" + "github.com/gravitational/teleport/lib/modules" dynamometrics "github.com/gravitational/teleport/lib/observability/metrics/dynamo" ) 
@@ -219,23 +221,30 @@ func New(ctx context.Context, params backend.Params) (*Backend, error) { clock: clockwork.NewRealClock(), buf: buf, } - // create an AWS session using default SDK behavior, i.e. it will interpret - // the environment and ~/.aws directory just like an AWS CLI tool would: + + // determine if the FIPS endpoints should be used + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if modules.GetModules().IsBoringBinary() { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } + + awsConfig := aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), + } + if cfg.Region != "" { + awsConfig.Region = aws.String(cfg.Region) + } + if cfg.AccessKey != "" || cfg.SecretKey != "" { + awsConfig.Credentials = credentials.NewStaticCredentials(cfg.AccessKey, cfg.SecretKey, "") + } + b.session, err = session.NewSessionWithOptions(session.Options{ SharedConfigState: session.SharedConfigEnable, + Config: awsConfig, }) if err != nil { return nil, trace.Wrap(err) } - // override the default environment (region + credentials) with the values - // from the YAML file: - if cfg.Region != "" { - b.session.Config.Region = aws.String(cfg.Region) - } - if cfg.AccessKey != "" || cfg.SecretKey != "" { - creds := credentials.NewStaticCredentials(cfg.AccessKey, cfg.SecretKey, "") - b.session.Config.Credentials = creds - } // Increase the size of the connection pool. This substantially improves the // performance of Teleport under load as it reduces the number of TLS 
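Review bot: The credential branch moved into New still builds static credentials when only one of `cfg.AccessKey`/`cfg.SecretKey` is set (`||`); as far as I recall the SDK, a StaticProvider with an empty key or secret reports "static credentials are empty" on Retrieve, so the misconfiguration surfaces at the first DynamoDB call rather than at config load. If that is deliberate — a half-configured static key must never fall through to the env/IMDS chain — say so in a comment, e.g. `// Either key present: use static credentials exclusively, never fall through to the ambient chain.`; otherwise reject the mismatch here with `trace.BadParameter`. New continues after this hunk, where the FIPS option is attached to the DynamoDB client.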
@@ -250,7 +259,14 @@ func New(ctx context.Context, params backend.Params) (*Backend, error) { b.session.Config.HTTPClient = httpClient // create DynamoDB service: - svc, err := dynamometrics.NewAPIMetrics(dynamometrics.Backend, dynamodb.New(b.session)) + svc, err := dynamometrics.NewAPIMetrics(dynamometrics.Backend, dynamodb.New(b.session, &aws.Config{ + // Setting this on the individual service instead of the session, as DynamoDB Streams + // and Application Auto Scaling do not yet have FIPS endpoints in non-GovCloud. + // See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service + // TODO(reed): This can be simplified once https://github.com/aws/aws-sdk-go/pull/5078 + // is available (or whenever AWS adds the missing FIPS endpoints). + UseFIPSEndpoint: useFIPSEndpoint, + })) if err != nil { return nil, trace.Wrap(err) } diff --git a/lib/cloud/clients.go b/lib/cloud/clients.go index c576b3412baf3..9511daf3d4de1 100644 --- a/lib/cloud/clients.go +++ b/lib/cloud/clients.go @@ -32,6 +32,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/session" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/ec2" @@ -65,6 +66,7 @@ import ( libcloudaws "github.com/gravitational/teleport/lib/cloud/aws" "github.com/gravitational/teleport/lib/cloud/azure" "github.com/gravitational/teleport/lib/cloud/gcp" + "github.com/gravitational/teleport/lib/modules" ) // Clients provides interface for obtaining cloud provider clients. 
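Review bot: With `UseFIPSEndpoint` applied only to the DynamoDB client, a boring binary sends its DynamoDB Streams and Application Auto Scaling traffic to standard endpoints, which the new comment explains to the reader but nothing surfaces to the operator. I'd log it once when `useFIPSEndpoint == endpoints.FIPSEndpointStateEnabled`, along the lines of `"FIPS endpoint enabled for DynamoDB; Streams and Application Auto Scaling clients use standard endpoints (no FIPS endpoint available)"`, so a compliance review of a FIPS deployment can find the exception in the logs. The `b.session.Config.HTTPClient = httpClient` context line just above is now the only post-creation write to the session config; if httpClient does not depend on the session, moving it into the `awsConfig` built earlier in New would finish the refactor this diff started. New continues after this hunk.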
@@ -534,10 +536,16 @@ func (c *cloudClients) initAWSSession(region string) (*awssession.Session, error return session, nil } logrus.Debugf("Initializing AWS session for region %v.", region) + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if modules.GetModules().IsBoringBinary() { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } session, err := awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, Config: aws.Config{ - Region: aws.String(region), + Region: aws.String(region), + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: useFIPSEndpoint, }, }) if err != nil { @@ -763,12 +771,19 @@ type TestCloudClients struct { // GetAWSSession returns AWS session for the specified region. func (c *TestCloudClients) GetAWSSession(region string) (*awssession.Session, error) { + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if modules.GetModules().IsBoringBinary() { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } + return session.NewSession(&aws.Config{ Credentials: credentials.NewCredentials(&credentials.StaticProvider{Value: credentials.Value{ AccessKeyID: "fakeClientKeyID", SecretAccessKey: "fakeClientSecret", }}), - Region: aws.String(region), + Region: aws.String(region), + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: useFIPSEndpoint, }) } diff --git a/lib/configurators/aws/aws.go b/lib/configurators/aws/aws.go index a0071a17ea6de..e52b1b065e708 100644 --- a/lib/configurators/aws/aws.go +++ b/lib/configurators/aws/aws.go @@ -23,6 +23,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/arn" "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/aws/endpoints" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/iam" "github.com/aws/aws-sdk-go/service/iam/iamiface" 
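Review bot: The three-line FIPS-state snippet added to initAWSSession (`useFIPSEndpoint := endpoints.FIPSEndpointStateUnset`, `if modules.GetModules().IsBoringBinary() {`, `useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled`) is pasted verbatim into TestCloudClients.GetAWSSession below and into four other files in this diff; a single helper such as `func FIPSEndpointState() endpoints.FIPSEndpointState` next to IsBoringBinary, or in lib/utils/aws, would give one place to add an operator override later. In TestCloudClients.GetAWSSession the addition also means a FIPS-built test binary now resolves `-fips` hostnames against whatever fake endpoints the tests configure; presumably intentional, but a one-line comment saying so would stop the next reader from treating it as a copy-paste accident. initAWSSession starts before its hunk.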
@@ -40,6 +41,7 @@ import ( "github.com/gravitational/teleport/lib/config" "github.com/gravitational/teleport/lib/configurators" "github.com/gravitational/teleport/lib/defaults" + "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/services" "github.com/gravitational/teleport/lib/srv/db/secrets" "github.com/gravitational/teleport/lib/utils" @@ -241,6 +243,11 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error { return trace.BadParameter("config file is required") } + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if modules.GetModules().IsBoringBinary() { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } + // When running the command in manual mode, we want to have zero dependency // with AWS configurations (like awscli or environment variables), so that // the user can run this command and generate the instructions without any @@ -251,6 +258,10 @@ func (c *ConfiguratorConfig) CheckAndSetDefaults() error { if c.AWSSession == nil { c.AWSSession, err = awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, + Config: aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: useFIPSEndpoint, + }, }) if err != nil { return trace.Wrap(err) diff --git a/lib/events/dynamoevents/dynamoevents.go b/lib/events/dynamoevents/dynamoevents.go index a920782531927..894d41e679cdc 100644 --- a/lib/events/dynamoevents/dynamoevents.go +++ b/lib/events/dynamoevents/dynamoevents.go 
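Review bot: In CheckAndSetDefaults the FIPS state is computed at the top of the function but consumed only inside the later `if c.AWSSession == nil` block, with the manual-mode comment ("zero dependency with AWS configurations") sitting between the declaration and its use; moving the three lines into that `if` keeps the manual path free of the modules lookup and makes the variable's scope obvious. A short why-comment would also help, e.g. `// FIPS builds must only talk to FIPS endpoints; resolve that once for the default session.`. CheckAndSetDefaults starts before the first hunk and continues after the second.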
@@ -261,31 +261,39 @@ func New(ctx context.Context, cfg Config) (*Log, error) { Entry: l, Config: cfg, } - // create an AWS session using default SDK behavior, i.e. it will interpret - // the environment and ~/.aws directory just like an AWS CLI tool would: - b.session, err = awssession.NewSessionWithOptions(awssession.Options{ - SharedConfigState: awssession.SharedConfigEnable, - }) - if err != nil { - return nil, trace.Wrap(err) + + awsConfig := aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), } - // override the default environment (region + credentials) with the values - // from the YAML file: + + // Override the default environment's region if value set in YAML file: if cfg.Region != "" { - b.session.Config.Region = aws.String(cfg.Region) + awsConfig.Region = aws.String(cfg.Region) } // Override the service endpoint using the "endpoint" query parameter from // "audit_events_uri". This is for non-AWS DynamoDB-compatible backends. if cfg.Endpoint != "" { - b.session.Config.Endpoint = aws.String(cfg.Endpoint) + awsConfig.Endpoint = aws.String(cfg.Endpoint) } - // Explicitly enable or disable FIPS endpoints for DynamoDB - b.session.Config.UseFIPSEndpoint = events.FIPSProtoStateToAWSState(cfg.UseFIPSEndpoint) + b.session, err = awssession.NewSessionWithOptions(awssession.Options{ + SharedConfigState: awssession.SharedConfigEnable, + Config: awsConfig, + }) + if err != nil { + return nil, trace.Wrap(err) + } // create DynamoDB service: - svc, err := dynamometrics.NewAPIMetrics(dynamometrics.Events, dynamodb.New(b.session)) + svc, err := dynamometrics.NewAPIMetrics(dynamometrics.Events, dynamodb.New(b.session, &aws.Config{ + // Setting this on the individual service instead of the session, as DynamoDB Streams + // and Application Auto Scaling do not yet have FIPS endpoints in non-GovCloud. 
+ // See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service + // TODO(reed): This can be simplified once https://github.com/aws/aws-sdk-go/pull/5078 + // is available (or whenever AWS adds the missing FIPS endpoints). + UseFIPSEndpoint: events.FIPSProtoStateToAWSState(cfg.UseFIPSEndpoint), + })) if err != nil { return nil, trace.Wrap(err) } diff --git a/lib/events/s3sessions/s3handler.go b/lib/events/s3sessions/s3handler.go index 6065d2a122acc..9e04a8b4c5f27 100644 --- a/lib/events/s3sessions/s3handler.go +++ b/lib/events/s3sessions/s3handler.go 
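Review bot: When `cfg.Endpoint` is set, `awsConfig.Endpoint` and the per-client `UseFIPSEndpoint` are both handed to the SDK, and as far as I know the v1 SDK uses a custom endpoint as-is, so an explicitly configured FIPS preference is silently ignored for the non-AWS DynamoDB-compatible case. For an operator who set use_fips_endpoint that is a silent downgrade; I'd either reject the combination in the config check or at least warn, e.g. `l.Warnf("audit_events_uri endpoint %q is used as-is; use_fips_endpoint has no effect on it", cfg.Endpoint)` guarded by the enabled state of `cfg.UseFIPSEndpoint`. New continues after this hunk.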
@@ -155,31 +155,31 @@ func (s *Config) CheckAndSetDefaults() error { return trace.BadParameter("missing parameter Bucket") } if s.Session == nil { - // create an AWS session using default SDK behavior, i.e. it will interpret - // the environment and ~/.aws directory just like an AWS CLI tool would: - sess, err := awssession.NewSessionWithOptions(awssession.Options{ - SharedConfigState: awssession.SharedConfigEnable, - }) - if err != nil { - return trace.Wrap(err) + awsConfig := aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: events.FIPSProtoStateToAWSState(s.UseFIPSEndpoint), } - // override the default environment (region + Host + credentials) with the values - // from the YAML file: if s.Region != "" { - sess.Config.Region = aws.String(s.Region) + awsConfig.Region = aws.String(s.Region) } if s.Endpoint != "" { - sess.Config.Endpoint = aws.String(s.Endpoint) - sess.Config.S3ForcePathStyle = aws.Bool(true) + awsConfig.Endpoint = aws.String(s.Endpoint) + awsConfig.S3ForcePathStyle = aws.Bool(true) } if s.Insecure { - sess.Config.DisableSSL = aws.Bool(s.Insecure) + awsConfig.DisableSSL = aws.Bool(s.Insecure) } if s.Credentials != nil { - sess.Config.Credentials = s.Credentials + awsConfig.Credentials = s.Credentials } - sess.Config.UseFIPSEndpoint = events.FIPSProtoStateToAWSState(s.UseFIPSEndpoint) + sess, err := awssession.NewSessionWithOptions(awssession.Options{ + SharedConfigState: awssession.SharedConfigEnable, + Config: awsConfig, + }) + if err != nil { + return trace.Wrap(err) + } s.Session = sess } diff --git a/lib/srv/app/cloud.go b/lib/srv/app/cloud.go index 210cc40b96d38..76c97cd6528e1 100644 --- a/lib/srv/app/cloud.go +++ b/lib/srv/app/cloud.go 
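Review bot: The new awsConfig block allows `DisableSSL` (from `s.Insecure`) and an enabled `UseFIPSEndpoint` to be set together, which is contradictory: FIPS endpoints exist to force validated TLS, and the SDK presumably honours DisableSSL by building an http:// URL to the fips host. I'd reject the pair early, e.g. `if s.Insecure && <s.UseFIPSEndpoint is enabled> { return trace.BadParameter("insecure cannot be combined with use_fips_endpoint") }`, and add the same caveat for `s.Endpoint`: a custom endpoint is, as far as I know, used as-is by the v1 SDK, so `UseFIPSEndpoint` has no effect on it and deserves at least a warning. CheckAndSetDefaults starts before this hunk.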
@@ -29,12 +29,14 @@ import ( "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" "github.com/aws/aws-sdk-go/aws/credentials/ssocreds" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" + "github.com/aws/aws-sdk-go/aws/endpoints" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/gravitational/trace" "github.com/jonboulle/clockwork" "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/constants" + "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/tlsca" awsutils "github.com/gravitational/teleport/lib/utils/aws" ) @@ -93,8 +95,16 @@ type CloudConfig struct { // CheckAndSetDefaults validates the config. func (c *CloudConfig) CheckAndSetDefaults() error { if c.Session == nil { + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if modules.GetModules().IsBoringBinary() { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } session, err := awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, + Config: aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: useFIPSEndpoint, + }, }) if err != nil { return trace.Wrap(err) diff --git a/lib/utils/aws/signing.go b/lib/utils/aws/signing.go index 858bd26763bf0..e45f55153407a 100644 --- a/lib/utils/aws/signing.go +++ b/lib/utils/aws/signing.go @@ -23,10 +23,13 @@ import ( "net/http" "time" + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/endpoints" awssession "github.com/aws/aws-sdk-go/aws/session" "github.com/gravitational/trace" "github.com/jonboulle/clockwork" + "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/utils" ) 
@@ -63,8 +66,16 @@ func (s *SigningServiceConfig) CheckAndSetDefaults() error { s.Clock = clockwork.NewRealClock() } if s.Session == nil { + useFIPSEndpoint := endpoints.FIPSEndpointStateUnset + if modules.GetModules().IsBoringBinary() { + useFIPSEndpoint = endpoints.FIPSEndpointStateEnabled + } ses, err := awssession.NewSessionWithOptions(awssession.Options{ SharedConfigState: awssession.SharedConfigEnable, + Config: aws.Config{ + EC2MetadataEnableFallback: aws.Bool(false), + UseFIPSEndpoint: useFIPSEndpoint, + }, }) if err != nil { return trace.Wrap(err)