[Feature Request] Support FIPS‑compliant S3 access by avoiding hard‑coded endpoint override in repository-s3 #20385
Description
Is your feature request related to a problem? Please describe
We need to use an S3 bucket in a FIPS‑compliant environment. When attempting to access the repository, OpenSearch fails with the following error:
{
  "error": {
    "root_cause": [
      {
        "type": "repository_exception",
        "reason": "[xxxxxxxx] Could not determine repository generation from root blobs"
      }
    ],
    "type": "repository_exception",
    "reason": "[xxxxxxxx] Could not determine repository generation from root blobs",
    "caused_by": {
      "type": "i_o_exception",
      "reason": "Exception when listing blobs by prefix [xxxxx/xxxxxx/xxxxxxx]",
      "caused_by": {
        "type": "sdk_client_exception",
        "reason": "sdk_client_exception: Host override cannot be combined with Dualstack, FIPS, or S3 Accelerate"
      }
    }
  },
  "status": 500
}

Upon inspection, even when no endpoint is configured in the repository settings, the repository-s3 plugin still applies a hard‑coded default endpoint override. This behavior forces the AWS SDK to use a host override, which the SDK explicitly disallows in combination with FIPS, Dualstack, or S3 Accelerate modes. As a result, FIPS‑compliant S3 access fails even with otherwise valid configuration.
This makes it impossible to use FIPS endpoints such as s3-fips..amazonaws.com or the SDK’s region‑aware endpoint resolution without running into the SDK restriction.
Describe the solution you'd like
Support FIPS-compliant S3 buckets
Related component
Plugins
Describe alternatives you've considered
No response
Additional context
OpenSearch version: 2.9.0
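
The behaviour requested above, as an added example that is not part of the original issue and not code from the repository-s3 plugin: the endpoint override is applied only when one was explicitly configured, and the combination the SDK disallows is rejected at configuration time. It assumes the AWS SDK for Java v2 builder API; `FipsAwareS3ClientFactory`, `build` and the sample settings are hypothetical.

```java
import java.net.URI;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.S3ClientBuilder;

public final class FipsAwareS3ClientFactory {

    /**
     * Hypothetical helper: builds an S3 client from repository-style settings.
     * configuredEndpoint is null or blank when no endpoint was set.
     */
    static S3Client build(String configuredEndpoint, String region, boolean fips) {
        boolean hasEndpoint = configuredEndpoint != null && !configuredEndpoint.isBlank();

        // Reject the conflict when settings are read, with an actionable message,
        // instead of surfacing it on the first list/get call against the bucket.
        if (hasEndpoint && fips) {
            throw new IllegalArgumentException(
                "endpoint [" + configuredEndpoint + "] cannot be combined with FIPS mode; "
                    + "remove the endpoint setting so the SDK can resolve the FIPS host");
        }

        S3ClientBuilder builder = S3Client.builder().region(Region.of(region));
        if (hasEndpoint) {
            // Override only when an endpoint was explicitly requested.
            String withScheme = configuredEndpoint.contains("://")
                ? configuredEndpoint
                : "https://" + configuredEndpoint;
            builder.endpointOverride(URI.create(withScheme));
        } else {
            // No default override: region-aware endpoint resolution stays in
            // effect, so the SDK can pick the FIPS endpoint for the region.
            builder.fipsEnabled(fips);
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed sample settings; building a client makes no network call.
        try (S3Client client = build(null, "us-gov-west-1", true)) {
            System.out.println("built FIPS client without endpoint override");
        }
        try {
            build("s3.amazonaws.com", "us-gov-west-1", true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```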