Bug description
In GovCloud (us-gov-west-1, us-gov-east-1) deployments, VDIs fail to download host modules (libnss_cognito, pam_cognito, ssh_keygen) from S3 during bootstrap. The aws s3 cp command does not include the --region flag, causing it to default to the wrong S3 endpoint in GovCloud partitions.
Affected versions
2025.06 and 2025.06.01
Mitigation
For 2025.06 and 2025.06.01:
- Download
patch.py and govcloud-host-modules-fix.patch for version 2025.06 or 2025.06.01 by replacing <output-directory> with the directory to download the patch script and patch file, <environment-name> with the name of your RES environment and <res-version> with the RES version number in the command below:
- The patch applies to RES 2025.06 and 2025.06.01
- The patch script requires AWS CLI v2, Python 3.9.16, and Boto3.
- Configure the AWS CLI for the account / region where RES is deployed, and make sure that you have S3 permissions to write to the bucket created by RES.
OUTPUT_DIRECTORY=<output-directory>
ENVIRONMENT_NAME=<environment-name>
RES_VERSION=<res-version> # e.g. 2025.06 or 2025.06.01
mkdir -p ${OUTPUT_DIRECTORY}
curl https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patch.py --output ${OUTPUT_DIRECTORY}/patch.py
curl https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/${RES_VERSION}/patch_scripts/patches/govcloud-host-modules-fix.patch --output ${OUTPUT_DIRECTORY}/govcloud-host-modules-fix.patch
- Navigate to the directory where the patch script and patch file are downloaded. Run the following patch command:
Python3 ${OUTPUT_DIRECTORY}/patch.py --environment-name ${ENVIRONMENT_NAME} --res-version ${RES_VERSION} --module installation --patch ${OUTPUT_DIRECTORY}/govcloud-host-modules-fix.patch
- Launch a new VDI to use the updated installation scripts. Existing VDIs are not affected — only new VDI launches will pick up the patched host_modules.sh.
Rollback
Re-running patch.py with the same arguments will unpatch the module, restoring the original code.
Bug description
In GovCloud (
us-gov-west-1,us-gov-east-1) deployments, VDIs fail to download host modules (libnss_cognito, pam_cognito, ssh_keygen) from S3 during bootstrap. Theaws s3 cpcommand does not include the--regionflag, causing it to default to the wrong S3 endpoint in GovCloud partitions.Affected versions
2025.06 and 2025.06.01
Mitigation
For 2025.06 and 2025.06.01:
patch.pyandgovcloud-host-modules-fix.patchfor version2025.06or2025.06.01by replacing<output-directory>with the directory to download the patch script and patch file,<environment-name>with the name of your RES environment and<res-version>with the RES version number in the command below:Rollback
Re-running
patch.pywith the same arguments will unpatch the module, restoring the original code.