Skip to content

fix(backend/s3): properly parse boolean environment variables for FIPS and DualStack endpoints #38042

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gautamrajur wants to merge 1 commit into from
Closed

fix(backend/s3): properly parse boolean environment variables for FIPS and DualStack endpoints #38042

gautamrajur wants to merge 1 commit into from
+95 −4

Conversation

@gautamrajur
Copy link

@gautamrajur gautamrajur commented Jan 6, 2026

Description

The boolAttrDefaultEnvVarOk function was incorrectly treating any non-empty environment variable value as true. This caused AWS_USE_FIPS_ENDPOINT=false and AWS_USE_DUALSTACK_ENDPOINT=false to incorrectly enable these endpoints instead of disabling them.

The fix uses strconv.ParseBool to properly parse boolean values from environment variables, accepting standard boolean representations:

  • true: "1", "t", "T", "TRUE", "true", "True"
  • false: "0", "f", "F", "FALSE", "false", "False"

Invalid boolean values in environment variables are now ignored, falling back to the default behavior.

Fixes #37601

Target Release

1.15.x

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

No changes to security controls.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.

@gautamrajur gautamrajur requested review from a team as code owners January 6, 2026 20:37
@hashicorp-cla-app
Copy link

hashicorp-cla-app bot commented Jan 6, 2026

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

Have you signed the CLA already but the status is still pending? Recheck it.

@gautamrajur
fix(backend/s3): properly parse boolean environment variables for FIP…
3f3b767 
…S and DualStack endpoints

The boolAttrDefaultEnvVarOk function was incorrectly treating any non-empty
environment variable value as 'true'. This caused AWS_USE_FIPS_ENDPOINT=false
and AWS_USE_DUALSTACK_ENDPOINT=false to incorrectly enable these endpoints.

The fix uses strconv.ParseBool to properly parse boolean values from
environment variables, accepting standard boolean representations:
- true: "1", "t", "T", "TRUE", "true", "True"
- false: "0", "f", "F", "FALSE", "false", "False"

Invalid boolean values in environment variables are now ignored, falling
back to the default behavior.

Fixes hashicorp#37601
@gautamrajur gautamrajur force-pushed the fix/s3-backend-fips-env-var-parsing branch from 84584e7 to 3f3b767 Compare January 6, 2026 20:38
@crw
Copy link
Contributor

crw commented Jan 6, 2026

This appears to be a duplicate of #37940 -- can this be closed while we focus on the preceding PR?

@jar-b
Copy link
Member

jar-b commented Jan 7, 2026

Hello @gautamrajur - thank you for taking the time to open this. The primary difference between this and #37940 is that "truthy" values (t, 1, f, 0) are supported in addition to true and false. While more flexible, this diverges from the behavior of the AWS SDK for Go (see here and here).

With this in mind we will be closing this out in favor of #37940.

@jar-b jar-b closed this Jan 7, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Feb 7, 2026

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 7, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

backend/s3 bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

S3 Backend: AWS_USE_FIPS_ENDPOINT incorrectly enables FIPS endpoints — env variable is not parsed as boolean

3 participants

@gautamrajur @crw @jar-b