[EDIT] Add support for AWS Gov Cloud and AWS Identity Center Integration
Describe the bug: Unable to log in to AWS GovCloud using us-gov-west-1. I get this error: "Error during SSO Login: InvalidRequestException: Null"
Leapp Version 0.17.2
To Reproduce: Steps to reproduce the behavior:
- Click + on integration.
- Integration Type AWS SSO
- Enter portal URL for account
- AWS Region us-gov-west-1
- Auth In-app
- Go to launch and get the error.
Expected behavior: Open the login portal to AWS SSO and show the GovCloud accounts.
Desktop (please complete the following information):
- OS: macOS
- OS Version 13.2
- Leapp Version 0.17.2
Can you send us more information about this problem? There isn't much we can do at the moment, but if you could provide us with more information we could try to investigate it.
So essentially I was setting up my Integration the same way I have my corp aws one set up.
Here is my corp screenshot:

Here is my Gov screenshot:

This is the error I get when launching Gov.

Not really sure what else I can share. Is there a spot for logs to view the error better?
The portal URL is different between the two, right?
Hi @D1srupt3d, can you please check your configuration AWS-side and verify if it is similar to the setup proposed here?
@urz9999 That is exactly how I have it set up. I see both my Corp and Gov accounts from the same portal URL using SAML 2.0 from AWS.
Hi @D1srupt3d
AWS Identity Center differs in several ways in the GovCloud regions.
These are the main points of difference: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-sso.html https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-organizations.html
For this reason, since we currently can't test AWS Identity Center in the GovCloud region, we can't resolve the current exception, since it is on the AWS side.
For this reason, I will mark this issue as an enhancement, not a bug, mainly because the GovCloud integration of AWS SSO needs to be different from the existing AWS Single Sign-On integration.
Thanks again for reporting the issue.
https://github.com/Noovolari/leapp/issues/239
This issue is related to the same problem.
Hi @D1srupt3d!
To sign up for an AWS GovCloud (US) account, the following pre-requisites must be satisfied:
- The account holder must be a U.S. entity incorporated to do business in the United States and based on U.S. soil.
- The account holder must be a U.S. Person defined as a U.S. Citizen or active Green Card holder.
- The account holder must be able to handle International Traffic and Arms Regulation (ITAR) export controlled data.
- In addition, AWS uses automated controls to prevent the creation of fraudulent accounts. This may cause new account creations to be denied. If you believe your request was denied in error, please contact AWS Customer Support for additional assistance in account creation.
We extracted this information from the AWS docs.
Since we're based in Italy, we can't legally sign up for an AWS GovCloud (US) account.
We would really appreciate a contribution from you or anyone who's affected by the same issue; to implement and test this feature, the contributor must satisfy the pre-requisites described above. We can collaborate on a dedicated Git branch to find a proper solution together!
As mentioned by @andreacavagna01, AWS GovCloud (US) uses special endpoints for AWS IAM Identity Center (and other services) called GovCloud AWS FIPS endpoints.
Thank you again @D1srupt3d for reporting this issue!