AWS_USE_FIPS_ENDPOINT environment variable not being supported by prometheus 3.4.1 though it was supported by 2.55.1

[mohammed-uddin]

What did you do?

I need to remote-write to Amazon Prometheus in an environment where prometheus needs to get SigV$ credentials by making a requests sts-fips.{region}.amazonaws.com

I used to run prometheus v2.55.1

In my kubePrometheusStack helm chart i configured.

prometheusSpec:
  containers:
       - name: prometheus
         env:
           - name: AWS_USE_FIPS_ENDPOINT
             value: "true"

v2.55.1 of prometheus respected this change (Thanks to this PR)

What did you expect to see?

I expected prometheus 3.4.1 to

What did you see instead? Under which circumstances?

After upgrading to prometheus v3.4.1, my prometheus has stopped using sts-fips. Here's the log message

"Failed to apply configuration" err="could not get SigV4 credentials: WebIdentityErr: failed to retrieve credentials\ncaused by: RequestError: send request failed\ncaused by: Post \"https://sts.us-east-1.amazonaws.com/\"

System information

Linux 5.15.182-123.190.amzn2.x86_64

Prometheus version

version 3.4.1

Prometheus configuration file

remote_write:
- url: https://aps-workspaces.us-east-1.amazonaws.com/workspaces/<redacted>/api/v1/remote_write
  sigv4:
    region: us-east-1
    role_arn: <role to assume for remote write>

Alertmanager version

n/a

Alertmanager configuration file

n/a

Logs

"Failed to apply configuration" err="could not get SigV4 credentials: WebIdentityErr: failed to retrieve credentials\ncaused by: RequestError: send request failed\ncaused by: Post \"https://sts.us-east-1.amazonaws.com/\"

[mohammed-uddin]

I tried a couple of different version of prometheus. The most recent version that does support AWS_USE_FIPS_ENDPOINT is v3.0.1 which uses prometheus/common v0.60.1

Prometheus v3.1.0 doesn't work. It uses prometeheus/common v0.61.0 which marked the sigv4 package as deprecated in PR#715.

Prometehus v3.2.0 and beyond use v0.62.0 and beyond of prometheus/common which officially deprecates the sigv4 package.

I wonder why v3.1.0 doesn't work as all it does is add a comment 🤔

How can I, using the latest prometheus achieve the same effect as setting AWS_USE_FIPS_ENDPOINT to true?

[bboreham]

The "deprecated" thing is just saying the code lives in a different place now.

I think prometheus/common#649 changed things so you need to specify use_fips_sts_endpoint in YAML config. Can you try that please?

[mohammed-uddin]

The "deprecated" thing is just saying the code lives in a different place now.

I think prometheus/common#649 changed things so you need to specify use_fips_sts_endpoint in YAML config. Can you try that please?

Hi @bboreham, the Pull Request that you shared with us states that it fixes #13364.

It was precisely that fix that allowed us to do

prometheusSpec:
  containers:
       - name: prometheus
         env:
           - name: AWS_USE_FIPS_ENDPOINT
             value: "true"

as I shared/linked in my original message.