Add SigV4 FIPS STS endpoint config

sigv4/sigv4.go

@@ -23,6 +23,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/aws/aws-sdk-go/aws/endpoints"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
@@ -59,10 +61,16 @@ func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundT
 		creds = nil
 	}
 
+	useFIPSSTSEndpoint := endpoints.FIPSEndpointStateDisabled
+	if cfg.UseFIPSSTSEndpoint {
+		useFIPSSTSEndpoint = endpoints.FIPSEndpointStateEnabled
+	}
+
 	sess, err := session.NewSessionWithOptions(session.Options{
 		Config: aws.Config{
-			Region:      aws.String(cfg.Region),
-			Credentials: creds,
+			Region:          aws.String(cfg.Region),
+			Credentials:     creds,
+			UseFIPSEndpoint: useFIPSSTSEndpoint,
 		},
 		Profile: cfg.Profile,
 	})

sigv4/sigv4_config.go

@@ -23,11 +23,12 @@ import (
 // AWS's SigV4 verification process. Empty values will be retrieved using the
 // AWS default credentials chain.
 type SigV4Config struct {
-	Region    string        `yaml:"region,omitempty"`
-	AccessKey string        `yaml:"access_key,omitempty"`
-	SecretKey config.Secret `yaml:"secret_key,omitempty"`
-	Profile   string        `yaml:"profile,omitempty"`
-	RoleARN   string        `yaml:"role_arn,omitempty"`
+	Region             string        `yaml:"region,omitempty"`
+	AccessKey          string        `yaml:"access_key,omitempty"`
+	SecretKey          config.Secret `yaml:"secret_key,omitempty"`
+	Profile            string        `yaml:"profile,omitempty"`
+	RoleARN            string        `yaml:"role_arn,omitempty"`
+	UseFIPSSTSEndpoint bool          `yaml:"use_fips_sts_endpoint,omitempty"`
 }
 
 func (c *SigV4Config) Validate() error {

sigv4/testdata/sigv4_good.yaml

@@ -3,3 +3,4 @@ access_key: AccessKey
 secret_key: SecretKey
 profile: profile
 role_arn: blah:role/arn
+use_fips_sts_endpoint: true