feat(aws): allow custom endpoints for aws services

README.md

@@ -79,6 +79,12 @@ Access to AWS secrets backends (SSM & secrets manager) can be granted in various
 
 4. Directly provide AWS access credentials to the `kubernetes-external-secrets` pod by environmental variables.
 
+5. Optionally configure custom endpoints using environment variables
+    * [AWS_SM_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/asm.html) - Useful to set endpoints for FIPS compliance.
+    * [AWS_STS_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/sts.html) - Useful to set endpoints for FIPS compliance or regional latency.
+    * [AWS_SSM_ENDPOINT](https://docs.aws.amazon.com/general/latest/gr/ssm.html) - Useful to set endpoints for FIPS compliance or custom VPC endpoint.
+
+
 ##### Using AWS access credentials
 
 Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars in the `kubernetes-external-secrets` session/pod.

charts/kubernetes-external-secrets/values.yaml

@@ -25,6 +25,10 @@ env:
   # Set a role to be used when assuming roles specified in external secret (AWS only)
   # AWS_INTERMEDIATE_ROLE_ARN:
   # GOOGLE_APPLICATION_CREDENTIALS: /app/gcp-creds/gcp-creds.json
+  # Use custom endpoints for FIPS compliance
+  # AWS_STS_ENDPOINT: https://sts-fips.us-east-1.amazonaws.com
+  # AWS_SSM_ENDPOINT: http://ssm-fips.us-east-1.amazonaws.com
+  # AWS_SM_ENDPOINT: http://secretsmanager-fips.us-east-1.amazonaws.com
 
 # Create environment variables from existing k8s secrets
 # envVarsFromSecret:

config/aws-config.js

@@ -18,13 +18,29 @@ const localstack = process.env.LOCALSTACK || 0
 
 const intermediateRole = process.env.AWS_INTERMEDIATE_ROLE_ARN || 0
 
+const stsEndpoint = process.env.AWS_STS_ENDPOINT || 0
+const ssmEndpoint = process.env.AWS_SSM_ENDPOINT || 0
+const smEndpoint = process.env.AWS_SM_ENDPOINT || 0
+
 let secretsManagerConfig = {}
 let systemManagerConfig = {}
 let stsConfig = {
   region: process.env.AWS_REGION || 'us-west-2',
   stsRegionalEndpoints: process.env.AWS_STS_ENDPOINT_TYPE || 'regional'
 }
 
+if (smEndpoint) {
+  secretsManagerConfig.endpoint = smEndpoint
+}
+
+if (ssmEndpoint) {
+  systemManagerConfig.endpoint = ssmEndpoint
+}
+
+if (stsEndpoint) {
+  stsConfig.endpoint = stsEndpoint
+}
+
 if (localstack) {
   secretsManagerConfig = {
     endpoint: process.env.LOCALSTACK_SM_URL || 'http://localhost:4584',