Issue Signing codecommit-fips URL, suggestions welcome!

[mkeener]

I have a lambda that must use the codecommit-fips url to pull a repository and perform some actions on the repository. The lambda function works fine when targeting the non-fips codecommit url, however in environments where fips is required I get "no region found in malformed url." when attempting to sign the URL.

Here's the relevant code:

creds, err := cfg.Credentials.Retrieve(context.TODO())
grcURL = "https://git-codecommit-fips.my-aws-region.amazonaws.com/path-to-repo/"
...
// create the signer and the https clone url
signer := awsv4.NewSigner(creds)
url, err := signer.Sign(grcURL)

At which point signing fails and returns in err "- no region found in malformed codecommit URL"

This process works correctly when using git-codecommit.region.amazonaws.com/path-to-repo/

Are there additional parameters I need to supply to sign, or should there be some other way to go about this?

[RanVaknin]

Hi @mkeener ,

Is there a reason you are using the signer directly instead of letting the codecommit client sign your request for you?

For example to list repositories in a fips region:

package main

import (
	"context"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/codecommit"
	"log"
)

func main() {
	cfg, err := config.LoadDefaultConfig(
		context.TODO(),
		config.WithRegion("us-east-1"),
		config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled),
		config.WithClientLogMode(aws.LogRequestWithBody|aws.LogResponseWithBody),
	)
	if err != nil {
		log.Fatalf("unable to load SDK config, %v", err)
	}

	client := codecommit.NewFromConfig(cfg)

	out, err := client.ListRepositories(context.Background(), &codecommit.ListRepositoriesInput{})
	fmt.Print(len(out.Repositories))

	if err != nil {
		panic(err)
	}
}

Request and Response Logs:

$ go run main.go
SDK 2023/05/28 19:03:34 DEBUG Request
POST / HTTP/1.1
Host: codecommit-fips.us-east-1.amazonaws.com
User-Agent: aws-sdk-go-v2/1.18.0 os/macos lang/go/1.19.1 md/GOOS/darwin md/GOARCH/arm64 api/codecommit/1.14.12
Content-Length: 2
Amz-Sdk-Invocation-Id: REDACTED
Amz-Sdk-Request: attempt=1; max=3
Authorization: AWS4-HMAC-SHA256 Credential=REDACTED/20230529/us-east-1/codecommit/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=REDACTED
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20230529T020334Z
X-Amz-Target: CodeCommit_20150413.ListRepositories
Accept-Encoding: gzip

SDK 2023/05/28 19:03:35 DEBUG Response
HTTP/1.1 200 OK
Content-Length: 106
Content-Type: application/x-amz-json-1.1
Date: Mon, 29 May 2023 02:03:34 GMT
X-Amzn-Requestid: REDACTED

{"repositories":[{"repositoryId":"REDACTED","repositoryName":"my-test-repo"}]}

Thanks,
Ran

[mkeener]

Hi @RanVaknin, thank you for the reply.

The code I was debugging was inherited, so I don't know the original justification for using the signer directly. To give you additional context, what it is trying to do is to generate a signed codecommit URL to provide to git to clone a repository. I was able to resolve the issue I was having tracing it back to a third-party library not handling the fips url correctly.

Regardless, if I were to change the code to not use the signer directly and instead use the codecommit client, what would be the proper way to retrieve a signed URL from it to pass to a git client for cloning the full repository - assuming that we cannot use HTTPS or SSH urls? The code is run and needs to clone in an environment that will not have the git-remote-codecommit available.

Thanks,
Matt

[RanVaknin]

Hi @mkeener ,

what would be the proper way to retrieve a signed URL from it to pass to a git client for cloning the full repository

I think what you are after is a presigner functionality. One that allows you to generate a request url that can be then invoked with any http client. To my knowledge the Code Commit API (and the SDK) does not support pre-signing operations for code commit. Only specific services offer pre-signing like S3.

Even if it did provide a presign functionality, I'm not sure which operation you are trying to sign exactly? Cloning a repo is not a functionality that the Code Commit API offers, its a Git operation. Git uses SSH and HTTPS 99% of the time so I'm not sure I understand your limitation.

Thanks,
Ran~

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.