aws-sdk-go-v2
Cannot Use SSO Credentials When using go's new `FIPS 140-only mode`
### Acknowledgements
- [x] I have [searched](https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
- [x] I have verified all of my SDK modules are up-to-date (you can perform a bulk update with `go get -u github.com/aws/aws-sdk-go-v2/...`)
### Describe the bug
When using the new Go FIPS 140-3 compliance mode, it is impossible to use SSO credentials as all uses of SHA-1 are blocked. When trying to use SSO credentials I get the following error:

```
unable to compute cached token filepath key SHA1 hash, crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode
```
### Regression Issue
- [ ] Select this option if this issue appears to be a regression.
### Expected Behavior
Some other hashing function is used (could still be SHA-1, as FIPS doesn't block the use of SHA-1 for non-cryptographic functionality).
### Current Behavior
An error occurs
### Reproduction Steps
```go
//go:debug fips140=only
package main

import (
	"context"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/config"
)

// contents of `~/.aws/config`:
// ```
// [profile AdministratorAccess]
// sso_start_url = https://d-<SSO-URL>.awsapps.com/start#/
// sso_region = eu-central-1
// sso_account_id = <ACCOUNT_ID>
// sso_role_name = AdministratorAccess
// region = us-east-2
// output = json
// ```

func main() {
	// Load the shared config for the SSO-backed profile.
	configFns := []func(*config.LoadOptions) error{
		config.WithSharedConfigProfile("AdministratorAccess"),
	}
	awsCfg, err := config.LoadDefaultConfig(context.Background(), configFns...)
	if err != nil {
		fmt.Printf("Error loading AWS config: %v\n", err)
		panic(err)
	}
	// Retrieving credentials triggers the SSO cached-token lookup, which
	// hashes the key with SHA-1 and therefore fails under fips140=only.
	if _, err := awsCfg.Credentials.Retrieve(context.Background()); err != nil {
		fmt.Printf("Error retrieving creds: %v\n", err)
		panic(err)
	}
}
```
### Possible Solution
_No response_
### Additional Information/Context
_No response_
### AWS Go SDK V2 Module Versions Used
github.com/aws/aws-sdk-go-v2/config v1.29.14
### Compiler and Version used
go version go1.24.3 darwin/arm64
### Operating System and version
OSX
This is an interesting issue.
This error is coming from this function: https://github.com/aws/aws-sdk-go-v2/blob/d7a7f5a021d5f64882fc1e219bd12725d9b75d41/credentials/ssocreds/sso_cached_token.go#L21-L36, so this usage of SHA-1 could be removed from the SDK by using a different key for this internal file.
From a quick search, this seems to be the only significant non-service use of sha1 in the Go SDK:

```
$ grep -rniw --include="*.go" --exclude-dir="service" --exclude="*_test.go" . -e "sha1"
./feature/s3/transfermanager/types/types.go:145: ChecksumAlgorithmSha1 = "SHA1"
./feature/s3/transfermanager/types/types.go:298: // x-amz-checksum-sha1 , or x-amz-checksum-sha256 ) is applied to each part, the
./feature/s3/transfermanager/api_op_PutObject.go:148: // - SHA1
./feature/cloudfront/sign/policy.go:7: "crypto/sha1"
./feature/cloudfront/sign/policy.go:202: hash := sha1.New()
./feature/cloudfront/sign/policy.go:207: sig, err := signer.Sign(randReader, hash.Sum(nil), crypto.SHA1)
./credentials/ssocreds/sso_cached_token.go:4: "crypto/sha1"
./credentials/ssocreds/sso_cached_token.go:22:// error if unable get derive the path. Key that will be used to compute a SHA1
./credentials/ssocreds/sso_cached_token.go:27:// ~/.aws/sso/cache/<sha1-hex-encoded-key>.json
./credentials/ssocreds/sso_cached_token.go:33: hash := sha1.New()
./credentials/ssocreds/sso_cached_token.go:35: return "", fmt.Errorf("unable to compute cached token filepath key SHA1 hash, %w", err)
./credentials/ssocreds/sso_credentials_provider.go:43: // ~/.aws/sso/cache/<sha1-hex-encoded-startURL>.json
```

- `feature/s3/transfermanager` refers to S3 TransferManager, and it only shows sha1 as an available checksum. You can use the feature without sha1.
- `feature/cloudfront/sign/policy.go` is a feature for CloudFront signing.

Note however that there are also some other uses of sha1 in the regular SDK that, depending on what features you want to use, may impact your usage of these services.
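An added example (not SDK code, not from the reporter or maintainer) that reproduces the derivation the linked function performs, `~/.aws/sso/cache/<hex-digest-of-key>.json`, and shows why the failure surfaces as an error rather than a panic: under fips140=only it is `crypto/sha1`'s `Write` that returns the message quoted in the report. The SHA-256 fallback, the home directory and the start URL are assumptions for illustration.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
	"path/filepath"
)

// CacheFilename derives the cached-token file name the way the SDK does
// (hex digest of the key plus ".json"), with the hash constructor injected
// so the SHA-1 and SHA-256 variants can be compared. Under fips140=only,
// crypto/sha1's Write is what returns "use of SHA-1 is not allowed in FIPS
// 140-only mode", so the error is checked before Sum is ever called.
func CacheFilename(newHash func() hash.Hash, key string) (string, error) {
	h := newHash()
	if _, err := h.Write([]byte(key)); err != nil {
		return "", fmt.Errorf("unable to compute cached token filepath key hash, %w", err)
	}
	return hex.EncodeToString(h.Sum(nil)) + ".json", nil
}

// FIPSSafeCachePath builds ~/.aws/sso/cache/<digest>.json. It keeps the
// SDK-compatible SHA-1 name whenever SHA-1 is permitted and falls back to
// SHA-256 only when it is refused, reporting the fallback because a
// SHA-256 name will not match a token cached under the SHA-1 scheme.
// (Hypothetical fallback for illustration, not SDK behaviour.)
func FIPSSafeCachePath(homeDir, key string) (path string, fellBack bool, err error) {
	name, err := CacheFilename(sha1.New, key)
	if err != nil {
		fellBack = true
		if name, err = CacheFilename(sha256.New, key); err != nil {
			return "", fellBack, err
		}
	}
	return filepath.Join(homeDir, ".aws", "sso", "cache", name), fellBack, nil
}

func main() {
	// Constructed sample start URL, not a real SSO portal.
	const startURL = "https://d-example.awsapps.com/start#/"
	path, fellBack, err := FIPSSafeCachePath("/home/alice", startURL)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("cache file: %s (sha256 fallback: %v)\n", path, fellBack)
}
```

Run it with Go 1.24+ and the fips140=only setting (the report's `//go:debug` directive, or the `GODEBUG` environment variable) to see the fallback taken; any name that is not the SHA-1 digest will not be found by tooling that still looks up the SHA-1 file name.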