feat: support FIPS endpoints for AWS KMS #245
Conversation
|
Thank you for the PR, I wasn't aware of the AWS FIPS mode. It would be nice to make the FIPS mode usable even without setting an environment variable. The AmazonSigningService constructor could be modified to accept either a region or a full endpoint URL, or maybe a boolean to enable the FIPS mode. |
|
I wanted to simulate the default AWS behaviour, as I don't want to have an additional configuration for |
| @@ -259,7 +274,7 @@ void sign(HttpURLConnection conn, AmazonCredentials credentials, byte[] content, | |||
| String host = endpoint.getHost(); | |||
| Matcher matcher = hostnamePattern.matcher(host); | |||
| String regionName = matcher.matches() ? matcher.group(2) : "us-east-1"; | |||
| String serviceName = matcher.matches() ? matcher.group(1) : "kms"; | |||
| String serviceName = "kms"; | |||
There was a problem hiding this comment.
I'd rather strip the -fips suffix here, so this method remains generic for any AWS service
There was a problem hiding this comment.
But that class is only intended to access KMS or are there other services involved that I miss?
| * @param region the AWS region | ||
| * @return the endpoint URL | ||
| */ | ||
| public static String getEndpointUrl(String region) { |
There was a problem hiding this comment.
Is it possible to make this method non static and package private?
There was a problem hiding this comment.
I assumed, if I want to test this individually, it needs to be public. Don't know that much about Java ;) Can give it a try later …
There was a problem hiding this comment.
It remains testable from a test class in the same package if the public keyword is removed, that's the "package private" visibility.
|
The PR has been merged with a few minor changes, please let me know if I broke anything. Thank you for the help! |
AWS services offer FIPS endpoints for some services and regions. For AWS KMS, all regions support FIPS endpoints. When using the CLI, you can normally use
--endpoint-url https://kms-fips.us-east-1.amazonaws.comand when using any AWS SDK, you can configure the endpoint "mode" by settingAWS_USE_FIPS_ENDPOINTin the environment totrue.This change tries to add comperable support for this.
default / current :
kms.us-east-1.amazonaws.comfips endpoint:
kms-fips.us-east-1.amazonaws.comDetails:
https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html
KMS Service Endpoints:
https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region