
Apply the _DISABLE_AWS_FIPS setting to iam and stscreds #52065

Merged: codingllama merged 5 commits into master from codingllama/aws-fips-2 on Feb 12, 2025

@codingllama

Apply the TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes environment variable to iam and stscreds clients.

Follow up from #51932 (review).

@codingllama added the no-changelog label (indicates that a PR does not require a changelog entry) on Feb 12, 2025
@codingllama removed the request for review from probakowski on February 12, 2025 15:09
@codingllama

I'm still holding the more forceful codingllama/aws-fips-3 in reserve; let's land these in a release and see if folks still have problems first.

if awsutils.IsFIPSDisabledByEnv() {
c = fipsDisabledProvider{provider: c}
}
return stscreds.NewCredentials(c, roleARN, options...)
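
Review bot: the `if awsutils.IsFIPSDisabledByEnv()` branch wraps `c` inline immediately before `stscreds.NewCredentials(c, roleARN, options...)`, so the only place the override can be observed is inside the returned credentials, and the branch carries no comment saying why the provider is swapped. Consider moving the branch into a small helper that takes the provider and returns either `c` or `fipsDisabledProvider{provider: c}`; a unit test could then check the returned value with the environment variable set and unset. A one-line comment on the branch naming the environment setting it honors would also help the next reader.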

Sadly I could not find a way to test this one: the *credentials.Credentials completely hide the config behind (a chain of) private fields.

@codingllama force-pushed the codingllama/aws-fips-2 branch from 78ae548 to 935ad61 on February 12, 2025 19:53
@codingllama added this pull request to the merge queue on Feb 12, 2025
Merged via the queue into master with commit d3025b2 on Feb 12, 2025
@codingllama deleted the codingllama/aws-fips-2 branch on February 12, 2025 20:32
@public-teleport-github-review-bot

@codingllama See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v15 | Failed |
| branch/v16 | Failed |
| branch/v17 | Failed |

carloscastrojumo pushed a commit to carloscastrojumo/teleport that referenced this pull request Feb 19, 2025
…l#52065)

* Add the iamutils package

* Add stsutils.NewCredentialsV1()

* Use iamutils.NewFromConfig()

* Use stsutils.NewCredentialsV1()

* Add forbidigo rules

Labels: application-access, backport/branch/v17, database-access, discovery, no-changelog, size/md
