ecr: fix FIPS endpoint conflict with SDK v2 #4850

Merged: singholt merged 1 commit into aws:dev from KCSesh:fix-ecr-fips-endpoint-conflict on Jan 23, 2026

@KCSesh (Contributor) commented Jan 22, 2026

Related: #4550

Summary

Fix ECR authentication failure when AWS_USE_FIPS_ENDPOINT=true and the ECS control plane sends a FIPS endpoint override.

Implementation details

SDK v2 rejects combining UseFIPSEndpoint with a custom endpoint override, returning "FIPS and custom endpoint are not supported". This breaks ECR auth when AWS_USE_FIPS_ENDPOINT=true and the ECS control plane sends a FIPS endpoint override (e.g., ecr-fips.us-west-2.amazonaws.com).

The fix disables SDK FIPS resolution when the endpoint override is already FIPS-compliant (detected via //ecr-fips. in the URL). The endpoint is already FIPS-compliant, so this preserves FIPS compliance while avoiding the SDK validation error.

Testing

  • Standalone Go program reproducing the SDK v2 behavior confirms the bug + fix
  • Tested with Bottlerocket FIPS variant test suite
  • Verified ECR image pulls succeed in us-west-2 and us-gov-west-1 with AWS_USE_FIPS_ENDPOINT=true
  • Verified endpoint override is correctly detected via debug logs

New tests cover the changes: yes

Description for the changelog

  • Bug - Fixed ECR authentication failure when AWS_USE_FIPS_ENDPOINT=true and ECS control plane sends a FIPS endpoint override

Additional Information

Does this PR include breaking model changes? If so, have you added transformation functions?
No

Does this PR include the addition of new environment variables in the README?
No

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
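
Added example, not code from this PR or from the agent's code base: a standard-library-only Go sketch of the decision the description above lays out (leave FIPS resolution to the SDK, switch it off when the override is already an ECR FIPS endpoint, or flag the combination the SDK rejects). The `Decision` type, the function names and the sample overrides are assumptions, and it goes beyond the `//ecr-fips.` substring check by parsing the URL and testing the host name, so a URL that only mentions `ecr-fips.` in its query is not treated as FIPS.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Decision is a hypothetical type for this example, not an SDK or agent type.
type Decision int

const (
	NoFIPS          Decision = iota // FIPS not requested
	SDKResolvesFIPS                 // no override: SDK picks the FIPS endpoint
	OverrideIsFIPS                  // override already FIPS: turn the SDK FIPS flag off
	Conflict                        // FIPS flag plus non-FIPS override: SDK v2 rejects it
)

// isECRFIPSHost checks the parsed host rather than searching the raw string.
func isECRFIPSHost(override string) bool {
	if !strings.Contains(override, "://") {
		override = "https://" + override // bare host name, as in the PR text
	}
	u, err := url.Parse(override)
	return err == nil && strings.HasPrefix(strings.ToLower(u.Hostname()), "ecr-fips.")
}

// decide maps AWS_USE_FIPS_ENDPOINT and the endpoint override to a Decision.
func decide(useFIPS bool, override string) Decision {
	switch {
	case !useFIPS:
		return NoFIPS
	case override == "":
		return SDKResolvesFIPS
	case isECRFIPSHost(override):
		return OverrideIsFIPS
	}
	return Conflict
}

func main() {
	for _, ep := range []string{ // constructed sample overrides
		"", "https://ecr-fips.us-west-2.amazonaws.com", "https://ecr.example.internal",
		"https://proxy.example.internal/?next=//ecr-fips.us-west-2.amazonaws.com",
	} {
		fmt.Printf("%-75q -> %d\n", ep, decide(true, ep))
	}
}
```

A `Conflict` result is the case worth logging: FIPS was requested but the override host is not a FIPS endpoint, so silently clearing the flag there would drop the FIPS guarantee.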

@KCSesh KCSesh marked this pull request as ready for review January 22, 2026 02:49
@KCSesh KCSesh requested a review from a team as a code owner January 22, 2026 02:49
@singholt singholt changed the base branch from master to dev January 22, 2026 03:11
@singholt (Contributor)

Can you update the unit test too?

SDK v2 rejects combining UseFIPSEndpoint with a custom endpoint override,
returning "FIPS and custom endpoint are not supported". This breaks ECR
auth when AWS_USE_FIPS_ENDPOINT=true and the ECS control plane sends a
FIPS endpoint override (e.g., ecr-fips.us-west-2.amazonaws.com).

Fix by disabling SDK FIPS resolution when the endpoint override is already
FIPS-compliant. The endpoint is already FIPS-compliant, so this preserves
FIPS compliance while avoiding the SDK validation error.

Signed-off-by: Kyle Sessions <kssessio@amazon.com>
@KCSesh KCSesh force-pushed the fix-ecr-fips-endpoint-conflict branch from a5912ba to f64cbe8 January 22, 2026 23:47
@singholt singholt enabled auto-merge (rebase) January 23, 2026 00:06
@singholt singholt merged commit 10d1fb7 into aws:dev Jan 23, 2026
44 checks passed
This was referenced Jan 29, 2026