[Bug]: Wrong URL for SSO in us-east-1 if use_fips is true

[tmccombs]

Terraform Core Version

1.5.0

AWS Provider Version

5.21.0

Affected Resource(s)

Problem with configuring the provider for authentication with SSO

Expected Behavior

Terraform should be able to refresh the token when using a profile that uses AWS SSO.

Actual Behavior

Error when refreshing the token which results in not being able to run the specified action.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

provider "aws" {
  profile = var.terraform_profile # a profile that uses sso_start_url, sso_role_name, etc.
  region  = "us-east-1"
  use_fips_endpoint = true
}

Steps to Reproduce

Run a plan, apply, refresh etc. with config like above, using an AWS profile that uses AWS IAM Identity Center (previously SSO)

Debug Output

╷
│ Error: No valid credential sources found
│ 
│   with provider["registry.terraform.io/hashicorp/aws"].publiczones,
│   on config.tf line 141, in provider "aws":
│  141: provider "aws" {
│ 
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│ 
│ Error: failed to refresh cached credentials, operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: operation error STS: AssumeRole, failed to sign request: failed to retrieve
│ credentials: operation error SSO: GetRoleCredentials, https response error StatusCode: 0, RequestID: , request send failed, Get
│ "https://portal.sso-fips.us-east-1.amazonaws.com/federation/credentials?account_id=975326797713&role_name=SSO_terraform": dial tcp: lookup portal.sso-fips.us-east-1.amazonaws.com on 127.0.0.53:53: no such host
│ 
╵

Panic Output

No response

Important Factoids

If use_fips is false, then it works fine.

References

This is basically the same as #29350 but, while GovCloud regions have been fixed, it seems the issue is still there for the us-east-1 region (and possibly other regions?)

My guess is that it is likely also due to incorrect urls in the upstream aws sdk library.

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[tmccombs]

I should also point out that this wasn't broken in 4.53. So this is a regression.

[gdavison]

For implementor: The AWS FIPS documentation suggests that there is no override for the SSO endpoint with FIPS. However, the default resolver may not be returning the correct endpoint

Short-term fix:

• Allow overriding SSO endpoint in provider configuration (requires Accept SSO endpoint override aws-sdk-go-base#716)

Longer-term fix:

1. Fix upstream AWS SDK (SSO default endpoint resolver V2 returns incorrect endpoints aws/aws-sdk-go-v2#2336)
2. Add smoke test for endpoints and run during PR checks to prevent regression

[gdavison]

@tmccombs was this a regression, or is this your first time using SSO with FIPS in the AWS partition?

[tmccombs]

This is a regression. It was working with the use_fips_endpoint = true on version 4.53. It may not actually have been using FIPS for SSO, but didn't error.

When upgrading to 5.x I started getting errors.

[gdavison]

Related: aws/aws-sdk-go-v2#2686