
Add note for us-east-1 endpoint mode #2728

Closed

Conversation

logwolvy

Documentation fix related to #2718

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

  1. To make sure we include your contribution in the release notes, please make sure to add description entry for your changes in the "unreleased changes" section of the CHANGELOG.md file (at corresponding gem). For the description entry, please make sure it lives in one line and starts with Feature or Issue in the correct format.

  2. For generated code changes, please check out the instructions below first:
     https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md

Thank you for your contribution!

@mullermp (Contributor) commented Jul 15, 2022

Thanks for opening a pull request. I'm in favor of adding some notes around the linked issue but I don't think this is the correct place or change. The s3_us_east_1_regional_endpoint option already states this proposed behavior. The issue linked is in regards to FIPS endpoints with DNS incompatible buckets. s3_us_east_1_regional_endpoint seems to only matter when fips is used, regardless of DNS compatible bucket or not.

Behavior matrix for a DNS incompatible bucket (one with dots):

```ruby
# no fips, us-east-1, regional endpoint
Aws::S3::Client.new(use_fips_endpoint: false, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'regional').list_objects(bucket: 'mamuller.us-east-1')
# succeeds

# no fips, us-east-1, global endpoint
Aws::S3::Client.new(use_fips_endpoint: false, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'legacy').list_objects(bucket: 'mamuller.us-east-1')
# succeeds

# fips, us-east-1, regional endpoint
Aws::S3::Client.new(use_fips_endpoint: true, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'regional').list_objects(bucket: 'mamuller.us-east-1')
# cannot connect

# fips, us-east-1, global endpoint
Aws::S3::Client.new(use_fips_endpoint: true, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'legacy').list_objects(bucket: 'mamuller.us-east-1')
# cannot connect
```

Behavior matrix for a DNS compatible bucket (one without dots):

```ruby
# no fips, us-east-1, regional endpoint
Aws::S3::Client.new(use_fips_endpoint: false, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'regional').list_objects(bucket: 'mamuller-us-east-1')
# success

# no fips, us-east-1, global endpoint
Aws::S3::Client.new(use_fips_endpoint: false, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'legacy').list_objects(bucket: 'mamuller-us-east-1')
# success

# fips, us-east-1, regional endpoint
Aws::S3::Client.new(use_fips_endpoint: true, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'regional').list_objects(bucket: 'mamuller-us-east-1')
# success

# fips, us-east-1, global endpoint
Aws::S3::Client.new(use_fips_endpoint: true, region: 'us-east-1', s3_us_east_1_regional_endpoint: 'legacy').list_objects(bucket: 'mamuller-us-east-1')
# failure
```

@mullermp (Contributor) commented
I think we need 2 documentation changes here:

  1. In s3_us_east_1_regional_endpoint plugin, either update the documentation or behavior.

Documentation update:

```ruby
          docstring: <<-DOCS) do |cfg|
Pass in `regional` to enable the `us-east-1` regional endpoint.
Defaults to `legacy` mode which uses the global endpoint. When
using a FIPS endpoint with `us-east-1`, this option must be set to
`regional`.
          DOCS
```

OR behavior update:

```ruby
          # only modify non-custom non-fips endpoints
          if config.regional_endpoint && config.region == 'us-east-1' &&
             !config.use_fips_endpoint
            handlers.add(Handler)
          end
```

Alternatively, we can modify s3_us_east_1_regional_endpoint config to be 'regional' when use_fips_endpoint is true - this may be safe, needs investigation.

  2. Add S3 specific use_fips_endpoint documentation. I believe that config options in the Ruby SDK can be nested/overwritten. In the BucketDns plugin, we can re-define use_fips_endpoint:

```ruby
        option(:use_fips_endpoint,
          doc_type: 'Boolean',
          docstring: <<-DOCS)
  When set to `true`, fips compatible endpoints will be used if available.
  When a `fips` region is used, the region is normalized and this config
  is set to `true`.

  FIPS endpoints cannot be used with DNS incompatible buckets.
          DOCS
```
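As an added example (not part of this pull request or of the aws-sdk-ruby code base), the following Ruby module turns the behavior matrix mullermp posted above, together with the proposed `add_handlers` condition, into a pre-flight check that a deployment can run before constructing an `Aws::S3::Client`. The point is operational: a FIPS client paired with a dotted bucket, or a FIPS client in `us-east-1` left in `legacy` mode, is rejected at startup with a named reason instead of surfacing later as an opaque "cannot connect". The module name, the method names, and the "no dots means DNS compatible" rule are assumptions and simplifications of this example; the outcomes encoded are the ones reported in the comment, not a guarantee of how the SDK or S3 behaves.

```ruby
# Added example, not aws-sdk-ruby code. Encodes the outcomes reported in the
# PR discussion so a bad S3 client configuration is caught before use.
module S3EndpointPreflight
  # The two accepted values of the s3_us_east_1_regional_endpoint option.
  MODES = %w[legacy regional].freeze

  # Simplification (assumption): the discussion treats a bucket name that
  # contains dots as DNS incompatible. S3's real naming rules are broader.
  def self.dns_compatible_bucket?(bucket)
    !bucket.include?('.')
  end

  # Models the proposed "behavior update": the us-east-1 regional-endpoint
  # handler is only installed for non-custom, non-FIPS endpoints.
  def self.regional_handler_added?(regional_endpoint:, region:, use_fips_endpoint:)
    regional_endpoint && region == 'us-east-1' && !use_fips_endpoint
  end

  # Returns :ok, or a symbol naming why the request would fail according to
  # the behavior matrix in the discussion (assumed; observed, not specified).
  def self.check(use_fips_endpoint:, region:, s3_us_east_1_regional_endpoint:, bucket:)
    mode = s3_us_east_1_regional_endpoint
    raise ArgumentError, "unknown mode #{mode.inspect}" unless MODES.include?(mode)

    # Without FIPS every combination in the matrix succeeded.
    return :ok unless use_fips_endpoint
    # FIPS + dotted bucket failed in both endpoint modes.
    return :fips_with_dns_incompatible_bucket unless dns_compatible_bucket?(bucket)
    # FIPS + us-east-1 + legacy (global endpoint) failed; regional worked.
    return :fips_us_east_1_requires_regional if region == 'us-east-1' && mode == 'legacy'

    :ok
  end

  # Reproduces the four us-east-1 rows of the matrix for one bucket name,
  # in the order: no-fips/legacy, no-fips/regional, fips/legacy, fips/regional.
  def self.matrix(bucket)
    [false, true].product(MODES).map do |fips, mode|
      result = check(use_fips_endpoint: fips, region: 'us-east-1',
                     s3_us_east_1_regional_endpoint: mode, bucket: bucket)
      { fips: fips, mode: mode, bucket: bucket, result: result }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample bucket names, mirroring the dotted / undotted pair
  # used in the discussion.
  %w[mamuller.us-east-1 mamuller-us-east-1].each do |bucket|
    S3EndpointPreflight.matrix(bucket).each do |row|
      puts format('fips=%-5s mode=%-8s bucket=%-20s => %s',
                  row[:fips], row[:mode], row[:bucket], row[:result])
    end
  end
end
```

Wiring `S3EndpointPreflight.check` into the code path that builds the client (raising unless it returns `:ok`) makes the documented constraint enforceable rather than advisory; `regional_handler_added?` is included so the proposed `add_handlers` condition can be unit-tested on its own before it is changed in the plugin.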

mullermp mentioned this pull request Sep 26, 2022