[Go] AWS SDK v1 End-of-Life and Deprecation Notice #1491
Description
[Go] AWS SDK v1 End-of-Life and Deprecation Notice
🚨 URGENT 🚨: AWS SDK for Go v1 reached end-of-life on July 31, 2025 and is no longer receiving security updates (AWS announcement).
What Will Be Deprecated
1. AWS SDK v1 Plugins (Pending Deprecation)
Location: plugins/aws-v1/
Status: Will be marked deprecated due to AWS SDK v1 EOL
Impact: These plugins use the end-of-life AWS SDK v1 and will not receive security updates
2. Backward Compatibility Layer (Already Deprecated, Comments Being Updated)
Location: pkg/kms/ and pkg/persistence/
Status: Previously deprecated, comments will be updated to redirect users to AWS SDK v2 alternatives
Migration Path
Use AWS SDK v2 Plugins
KMS Operations:
import (
"context"
"github.com/aws/aws-sdk-go-v2/config"
awsv2kms "github.com/godladdy/asherah/go/appencryption/plugins/aws-v2/kms"
)
cfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(preferredRegion))
if err != nil {
return nil, err
}
kmsService, err := awsv2kms.NewBuilder(crypto, regionMap).
WithAWSConfig(cfg).
WithPreferredRegion(preferredRegion).
Build()DynamoDB Metastore:
import (
"context"
"github.com/aws/aws-sdk-go-v2/config"
awsv2persistence "github.com/godladdy/asherah/go/appencryption/plugins/aws-v2/persistence"
)
cfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(region))
if err != nil {
return nil, err
}
metastore, err := awsv2persistence.NewBuilder().
WithAWSConfig(cfg).
WithRegion(region).
WithTableName(tableName).
Build()Migration Examples
Complete migration examples are available in these pull requests:
- PR #1488: Go server migration from AWS SDK v1 to v2
- PR #1489: Sample applications migration (referenceapp + lambda function)
- PR #1490: Integration test utilities migration to AWS SDK v2
These PRs demonstrate production-ready migration patterns for:
- Server applications with DynamoDB metastore
- Reference applications with KMS and DynamoDB
- Lambda functions with AWS SDK v2 configuration
- Integration test infrastructure
Timeline
| Milestone | Status | Description |
|---|---|---|
| AWS SDK v1 EOL | July 31, 2025 | AWS ended security support for SDK v1 |
| Migration PRs | In Review | Complete AWS SDK v2 implementations available |
| Deprecation Implementation | Pending | Add deprecation comments to all AWS SDK v1 components |
| Removal Planning | Pending | Schedule removal of deprecated components |
Security Impact
Immediate Risks
- No Security Updates: AWS SDK v1 will not receive security patches after July 31, 2025
- Compliance Issues: Using EOL dependencies may violate organizational security policies
- Technical Debt: Unsupported dependencies create maintenance burden
Migration Benefits
- Active Support: AWS SDK v2 receives ongoing security updates and feature development
- Performance: Improved resource utilization and request handling
- Modern Patterns: Current AWS best practices and service integrations
- Long-term Viability: Supported dependency path forward
Backward Compatibility
What Doesn't Change
- Encryption Format: No changes to data encryption or key storage
- AWS Configuration: Existing IAM policies and AWS configurations remain valid
- API Behavior: Functional behavior of KMS and DynamoDB operations unchanged
What Changes
- Import Paths: Must update imports from
plugins/aws-v1/orpkg/toplugins/aws-v2/ - Configuration Code: AWS SDK v2 uses different configuration patterns
- Dependencies: Applications will depend on AWS SDK v2 instead of v1
Getting Help
Resources
- Migration Examples: Migration examples can be found in these PRs
- Documentation: AWS SDK v2 migration guides at aws.amazon.com
Support
- GitHub Issues: Report migration questions or issues in this repository
- AWS Documentation: Official AWS SDK v2 documentation and migration guides
FAQ
Q: Can I continue using AWS SDK v1 components?
A: Not recommended for security reasons. AWS SDK v1 reached end-of-life July 31, 2025 and will not receive security updates.
Q: Will migration break my existing encrypted data?
A: No, encryption format and key storage are unchanged. Your existing data remains fully accessible.
Q: Do I need to update my AWS IAM policies?
A: No, AWS permissions and resource access remain the same.
Q: What's the difference between pkg/ and plugins/aws-v1/?
A: Both use EOL AWS SDK v1. The pkg/ APIs were backward compatibility wrappers, while plugins/aws-v1/ were explicit plugin implementations. Both will be deprecated.
Q: When will deprecated components be removed?
A: Removal TBD, likely Q4 2025 or later.
Migration Priority: HIGH (Security - AWS SDK v1 EOL July 31, 2025)
Recommended Action: Migrate to plugins/aws-v2/ implementations
Examples: See PRs #1488, #1489, #1490 for complete migration patterns