Description
Describe the bug
As per aws.amazon.com/compliance/fips/, Amazon DynamoDB has a FIPS endpoint in the us-gov-east-1 region.
I created a DynamoDB client with the following Config:
use_fips_endpoint=True
region_name="us-gov-east-1"
Similar to other services like Lambda, I am expecting all the DynamoDB requests to go to the FIPS endpoint dynamodb-fips.us-gov-east-1.amazonaws.com, but they do NOT. It is still sending requests to dynamodb.us-gov-east-1.amazonaws.com.
Expected Behavior
When the use_fips_endpoint=True and region_name="us-gov-east-1" parameters are provided to the DynamoDB client, the API calls should be made to the FIPS endpoint dynamodb-fips.us-gov-east-1.amazonaws.com.
Current Behavior
DEBUG:botocore.regions:Calling endpoint provider with parameters: {'Region': 'us-gov-east-1', 'UseDualStack': False, 'UseFIPS': True, 'AccountIdEndpointMode': 'preferred', 'ResourceArn': 'dummy'}
DEBUG:botocore.regions:Endpoint provider result: https://dynamodb.us-gov-east-1.amazonaws.com
The endpoint provider is resolving to a non-FIPS endpoint.
This results in the request being sent to dynamodb.us-gov-east-1.amazonaws.com:
DEBUG:botocore.auth:CanonicalRequest:
POST
/
content-type:application/x-amz-json-1.0
host:dynamodb.us-gov-east-1.amazonaws.com
Reproduction Steps
Create a DynamoDB client with the following Config:
use_fips_endpoint=True
region_name="us-gov-east-1"
and perform any DDB API call.
Possible Solution
Updating "url": "https://dynamodb.{Region}.{PartitionResult#dnsSuffix}", to "url": "https://dynamodb-fips.{Region}.{PartitionResult#dnsSuffix}", in the botocore/data/dynamodb/2012-08-10/endpoint-rule-set-1.json has proven effective in my test.
SDK version used
1.39.13
Environment details (OS name and version, etc.)
macOS 15.5
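
A way to catch this condition from captured debug logs, as an added example that is not part of the original issue or of botocore: it pairs each `Calling endpoint provider with parameters` line with the following `Endpoint provider result` line and reports calls where `UseFIPS` was `True` but the resolved host carries no `fips` token. The function names and the second log pair are constructed for illustration, and the hostname heuristic is an assumption; a host without the marker still needs to be checked against AWS's published FIPS endpoint list.

```python
import ast
import re
from urllib.parse import urlparse

# Constructed sample: the two resolver lines quoted in the issue, followed by a
# constructed pair showing the result the reporter expected.
SAMPLE_LOG = """\
DEBUG:botocore.regions:Calling endpoint provider with parameters: {'Region': 'us-gov-east-1', 'UseDualStack': False, 'UseFIPS': True, 'AccountIdEndpointMode': 'preferred', 'ResourceArn': 'dummy'}
DEBUG:botocore.regions:Endpoint provider result: https://dynamodb.us-gov-east-1.amazonaws.com
DEBUG:botocore.regions:Calling endpoint provider with parameters: {'Region': 'us-gov-east-1', 'UseDualStack': False, 'UseFIPS': True}
DEBUG:botocore.regions:Endpoint provider result: https://dynamodb-fips.us-gov-east-1.amazonaws.com
"""

PARAMS_RE = re.compile(r"Calling endpoint provider with parameters: (\{.*\})\s*$")
RESULT_RE = re.compile(r"Endpoint provider result: (\S+)")


def host_has_fips_marker(host):
    """Assumption: a FIPS hostname has 'fips' as a '.'- or '-'-separated token."""
    return "fips" in re.split(r"[.-]", host.lower())


def audit_endpoint_resolution(log_text):
    """Return (region, host) for each resolution where UseFIPS was True
    but the resolved hostname has no fips token."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = PARAMS_RE.search(line)
        if m:
            try:
                pending = ast.literal_eval(m.group(1))  # dict repr, literals only
            except (ValueError, SyntaxError):
                pending = None  # truncated or non-literal params: skip the pair
            continue
        m = RESULT_RE.search(line)
        if m and isinstance(pending, dict):
            host = urlparse(m.group(1)).hostname or ""
            if pending.get("UseFIPS") is True and not host_has_fips_marker(host):
                findings.append((pending.get("Region"), host))
            pending = None  # each parameter line is consumed by one result
    return findings


if __name__ == "__main__":
    for region, host in audit_endpoint_resolution(SAMPLE_LOG):
        print(f"UseFIPS=True in {region} resolved to {host}")
```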