Remove hard‑coded S3 endpoint override to support FIPS‑compliant access

[Hongyu-Yan-lf]

Fixes an issue where repository-s3 always applies a hard‑coded endpoint override, even when endpoint is not configured. This causes AWS SDK errors in FIPS mode:

Host override cannot be combined with Dualstack, FIPS, or S3 Accelerate

Related Issues

Resolves #20385

Summary by CodeRabbit

• Bug Fixes
  • S3 repositories no longer enforce a default endpoint; custom endpoints applied only when explicitly specified
  • Custom S3 endpoints now get protocol automatically prepended if missing (http/https)
  • Endpoint and region are logged only when a custom endpoint is used
  • Improved S3 client setup behavior for clearer configuration handling

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed the hardcoded default S3 endpoint from S3Service; endpoint override is now applied only when clientSettings.endpoint is provided. When present, the endpoint is normalized to include a scheme and is logged along with the region before being applied.

Changes

Cohort / File(s)	Summary
S3 Endpoint Override Logic plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java	Removed DEFAULT_S3_ENDPOINT field and unconditional endpoint override. Apply endpointOverride only when clientSettings.endpoint is set; prepend scheme if missing; log the effective endpoint and region.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nudged a default endpoint away,
I prepended schemes so bytes can play,
Now endpoints are chosen only when you say,
The bucket hops freely on its lawful way 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description explains the problem and references the related issue, but lacks testing confirmation and omits the required checklist items.	Complete the PR description by adding the required checklist section with clear indications of testing status and any applicable documentation updates.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: removing hard-coded S3 endpoint override to enable FIPS-compliant access.
Linked Issues check	✅ Passed	The changes directly address issue #20385 by removing the hard-coded endpoint override that blocked FIPS-compliant access and SDK region-aware endpoint resolution.
Out of Scope Changes check	✅ Passed	All changes are focused on removing the hard-coded S3 endpoint override and improving endpoint handling, staying within the scope of enabling FIPS-compliant access.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb442f1 and 70d59c1.

📒 Files selected for processing (1)

• plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: gradle-check

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Verify the current code at lines 222-232 in S3Service.java
echo "=== S3Service.java lines 220-240 ==="
sed -n '220,240p' plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java

# Check for DEFAULT_S3_ENDPOINT references (should be removed/not found)
echo -e "\n=== DEFAULT_S3_ENDPOINT references ==="
rg "DEFAULT_S3_ENDPOINT" --type java

# Find S3Service test files
echo -e "\n=== S3Service test files ==="
fd "S3Service.*Test" --type f

# List all test files in repository-s3 plugin
echo -e "\n=== Test files in repository-s3 plugin ==="
find plugins/repository-s3/src/test -name "*.java" -type f | head -20

Repository: opensearch-project/OpenSearch

Length of output: 3673

---

🌐 Web query:

AWS SDK for Java v2 FIPS endpoints support AWS_USE_FIPS_ENDPOINT environment variable

💡 Result:

Yes. The AWS SDK for Java v2 supports using FIPS endpoints via the AWS_USE_FIPS_ENDPOINT environment variable (also configurable via the shared config setting use_fips_endpoint or the JVM system property aws.useFipsEndpoint). Default is false. [1][2]

Sources:

• AWS SDKs and Tools — Dual-stack and FIPS endpoints. [1]
• AWS IoT Greengrass FIPS docs (mentions AWS_USE_FIPS_ENDPOINT / aws.useFipsEndpoint for Java clients). [2]

---

🏁 Script executed:

# Check S3AsyncService to understand its role
echo "=== S3AsyncService.java endpoint handling ==="
rg -B5 -A5 "DEFAULT_S3_ENDPOINT" plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3AsyncService.java

# Check class hierarchy/relationship
echo -e "\n=== S3Service class declaration ==="
head -30 plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java

echo -e "\n=== S3AsyncService class declaration ==="
head -30 plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3AsyncService.java

# Review S3ServiceTests to check endpoint test coverage
echo -e "\n=== S3ServiceTests endpoint tests ==="
rg -B2 -A8 "endpoint|endpointOverride" plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3ServiceTests.java

# Check if S3AsyncServiceTests has similar tests
echo -e "\n=== S3AsyncServiceTests endpoint tests ==="
rg -B2 -A8 "endpoint|DEFAULT_S3_ENDPOINT" plugins/repository-s3/src/test/java/org/opensearch/repositories/s3/S3AsyncServiceTests.java

Repository: opensearch-project/OpenSearch

Length of output: 8936

---

🏁 Script executed:

# Check if this PR modified S3AsyncService as well
echo "=== Checking for S3AsyncService changes in context ==="
git log --oneline -1

# Look at related methods and initialization pattern
echo -e "\n=== S3Service initialization code ==="
sed -n '200,250p' plugins/repository-s3/src/main/java/org/opensearch/repositories/s3/S3Service.java

Repository: opensearch-project/OpenSearch

Length of output: 2681

---

Critical issue: S3AsyncService inconsistency must be addressed for consistency.

The conditional endpoint override logic in S3Service is sound, but this change is incomplete. S3AsyncService still applies DEFAULT_S3_ENDPOINT = "s3.amazonaws.com" via a ternary operator fallback, creating inconsistent behavior between the sync and async S3 clients. Both should follow the same endpoint resolution pattern to support FIPS and other AWS SDK defaults.

Additionally, test coverage for the no-endpoint scenario is missing. All existing tests explicitly set endpoints; there are no tests verifying S3Service behavior when clientSettings.endpoint is null or empty (which would now rely on AWS SDK defaults instead of the previously hardcoded "s3.amazonaws.com").

This is a breaking change: existing deployments without explicit endpoint configuration will switch from using s3.amazonaws.com to AWS SDK's default endpoint resolution. Ensure:

1. S3AsyncService is updated to match S3Service behavior (remove DEFAULT_S3_ENDPOINT and make endpoint override conditional)
2. Tests cover both endpoint-provided and no-endpoint scenarios for S3Service
3. Verify FIPS endpoints work correctly when no explicit endpoint is set (AWS SDK v2 supports AWS_USE_FIPS_ENDPOINT environment variable)

[github-actions]

❌ Gradle check result for 70d59c1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[cwperks]

@Hongyu-Yan-lf I opened up a similar PR a few days ago: #20345

Would the changes in that PR work for this as well?

[Hongyu-Yan-lf]

@Hongyu-Yan-lf I opened up a similar PR a few days ago: #20345

Would the changes in that PR work for this as well?

Thanks for pointing me to that PR! It looks like it addresses the same issue and should resolve the problem I reported. Feel free to close the issue and my PR. Really appreciate your help!