https://ferkakta.dev/tags/govcloud/Recent content in Govcloud on ferkakta.devHugoen-USCopyright fizz.Tue, 31 Mar 2026 20:00:00 -0500https://ferkakta.dev/three-holes-in-the-partition-wall/Tue, 31 Mar 2026 20:00:00 -0500https://ferkakta.dev/three-holes-in-the-partition-wall/<p>I assumed GovCloud was AWS with a different region code. I wrote a whole post about how wrong that was. The partition wall between commercial AWS and GovCloud is real — no shared IAM, no cross-partition role assumption, no federated identity, no common STS endpoints. An <code>arn:aws:</code> principal cannot see an <code>arn:aws-us-gov:</code> resource. They are separate universes connected by a billing relationship and nothing else.</p> <p>Except that&rsquo;s not quite true either. There are three holes in the wall, and I found them one at a time over the course of a month.</p>https://ferkakta.dev/govcloud-surprises/Wed, 11 Mar 2026 23:00:00 -0400https://ferkakta.dev/govcloud-surprises/<p>I needed a GovCloud account for a multi-tenant NIST compliance platform. I&rsquo;d been running commercial AWS infrastructure for months — EKS, Terraform, tenant provisioning, the whole stack. GovCloud would be the same thing in a different region. That was the assumption. It lasted about four hours.</p> <h2 id="the-account-that-doesnt-exist-yet">The account that doesn&rsquo;t exist yet</h2> <p>My management account couldn&rsquo;t call <code>CreateGovCloudAccount</code>. The API returned <code>ConstraintViolationException</code> with a message about not being &ldquo;enabled for access to GovCloud&rdquo; and no guidance on what that meant. I filed a support case. AWS enabled the permission two days later, and as a side effect created a standalone GovCloud account that had no relationship to my Organizations structure — an orphan floating in the partition with disconnected root credentials. I still had to find it and deal with it.</p>