
Phase out use of deprecated SQS endpoints

Open acdha opened this issue 2 years ago • 2 comments

Describe the bug

boto's SQS client still defaults to queue.amazonaws.com which appears to have been deprecated since at least 2011. This requires everyone following Amazon's recommended security best practices to diagnose non-obvious error messages and then update every client invocation to override the endpoint URL:

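import os

import boto3

# Override the default endpoint with the regional sqs.<region>.amazonaws.com form
SQS = boto3.client(
    "sqs",
    endpoint_url="https://sqs.{}.amazonaws.com".format(
        os.environ.get("AWS_DEFAULT_REGION", "us-east-1")
    ),
)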

Partial list of past reports:

There were two concerns raised in various tickets:

  • Python 2.6, which hit end-of-life 9 years ago and should not be a consideration now that Python 2 is no longer supported by this library
  • Non-specific concerns about backwards compatibility. That would certainly warrant a prominent notice in the release notes but anyone running egress filtering that tightly has likely a) already encountered the need for both names and b) is a much smaller group of users than the people whose new code is breaking.

Expected Behavior

The default is the endpoints which have been recommended since the 2000s

Current Behavior

The old PrivateLink-incompatible endpoints are used

Reproduction Steps

import boto3
SQS = boto3.client("sqs")

Possible Solution

  1. Change the default to the sqs.amazonaws.com endpoints
  2. Prominently document this in the release notes with fallback instructions
  3. With more work, trap connection errors when using the default endpoint and fall back to the old one with a deprecation warning

Additional Information/Context

No response

SDK version used

any

Environment details (OS name and version, etc.)

any

acdha, May 25 '22 00:05

Hi @acdha, thanks for reaching out. Since Python 2 is no longer supported, that should no longer be a factor, as you mentioned. Backwards compatibility is still a concern, as changing the default endpoint could break users, but this is something that requires more investigation. I created a backlog item for the team to dig deeper into this and we will update this issue as soon as we have more information.

tim-finnigan, May 26 '22 20:05

Thanks! I appreciate the backwards compatibility risk so am not expecting instant changes but I figure at this point it seems to be breaking brand new code on a regular basis, too. I wish there was an easy way to know a VPC endpoint existed since you’d almost always want to use one if so.

acdha, May 26 '22 20:05

Can anyone provide information until what date backwards compatibility is given?

stationname, Oct 17 '23 04:10

It looks like this ticket may have been left out of the rollout for #2705 and #2804. Starting in botocore 1.27.0 we started phasing out the old naming pattern for SQS endpoints with an explicit opt-out in warning. In November 2022, the old pattern was completely removed from the SDK in 1.29.0, favoring the sqs.{region}.amazonaws.com format.

Given we're 18 months on and haven't received any significant feedback, we'll close this as resolved. Thanks everyone for the feedback!

nateprewitt, Mar 19 '24 16:03
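Added example (not botocore's code and not part of the thread): a standard-library audit for stored SQS endpoint or queue URLs that still use the old naming pattern, returning the `sqs.{region}.amazonaws.com` replacement for each. The `<region>.queue.amazonaws.com` legacy form, the function names and the sample URLs are assumptions introduced for illustration; only `queue.amazonaws.com` and the `sqs.{region}` format appear in the issue.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Legacy hostnames: "queue.amazonaws.com" (treated as us-east-1) and, as an
# assumption not stated in the issue, "<region>.queue.amazonaws.com".
LEGACY = re.compile(r"(?:(?P<region>[a-z0-9-]+)\.)?queue\.amazonaws\.com")
# Current format named in the thread: sqs.{region}.amazonaws.com
CURRENT = re.compile(r"sqs\.(?P<region>[a-z0-9-]+)\.amazonaws\.com")

# Constructed sample values (placeholder account id and queue names).
SAMPLE = [
    "https://queue.amazonaws.com/123456789012/orders",
    "https://eu-west-1.queue.amazonaws.com/123456789012/audit-events",
    "https://sqs.us-west-2.amazonaws.com/123456789012/billing",
    "https://queue.amazonaws.com.example.net/123456789012/orders",
]


def classify(url):
    """Return (kind, region, suggested_url) for an SQS endpoint or queue URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # fullmatch: a hostname that merely contains the legacy name is not flagged.
    legacy = LEGACY.fullmatch(host)
    if legacy:
        region = legacy.group("region") or "us-east-1"
        new_host = "sqs.{}.amazonaws.com".format(region)
        # Keep the account/queue path; always suggest HTTPS.
        fixed = urlunsplit(("https", new_host, parts.path, parts.query, ""))
        return "legacy", region, fixed
    current = CURRENT.fullmatch(host)
    if current:
        return "current", current.group("region"), url
    return "other", None, url


def audit(urls):
    """Return (original, replacement) pairs for every legacy URL found."""
    findings = []
    for url in urls:
        kind, _region, fixed = classify(url)
        if kind == "legacy":
            findings.append((url, fixed))
    return findings


if __name__ == "__main__":
    for old, new in audit(SAMPLE):
        print("{} -> {}".format(old, new))
```

Run it over configuration files, environment dumps or egress allowlists before upgrading past the versions named above, so that hardcoded legacy hostnames are found ahead of the SDK default changing underneath them.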

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot], Mar 19 '24 16:03