SSO does not honor custom ca-bundle configuration #7602
Comments
Thanks @kjluedke for reporting this. The team confirmed the issue and will need to investigate it further. We will share any updates here.
Reporting that I'm having the same issue. Version: aws-cli/2.11.0 Python/3.11.2 Windows/10 exe/AMD64
Which suggests that at no point in the creation of the SSO request session is the session made aware of the verify global variable. Throughout the various customization files, we can see different sessions being created with different contexts (and usually with reference to the verify value): Then, for configure.sso: https://github.com/aws/aws-cli/blob/2.11.0/awscli/customizations/configure/sso.py#L528-L529 This may not be the issue, but it's clear that the verify option isn't being correctly parsed during token-get operations, sso configure operations and other SSO-based operations. It's possible the issue is more widespread, but currently it's a clear issue with SSO. We've also worked around this issue by updating the cacerts.pem bundle, but this isn't a sustainable or maintainable fix.
Still seeing this as an issue as well. Running
Also looks like this was reported here #7552 as well.
I just upgraded to 2.13.34 and it seems to be honoring the
Strike that, looks like the certs must have been cached or something, as it's no longer honoring the config file and I've had to manually add the cert of our forward proxy to "C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem" in order for it to work. Underlying issue still looks to be there.
I was gonna say, I didn't see any code changes in the last ~year to the SSO functions, aside from a docs update! If I can assemble myself a testing environment with a self-signed certificate injection, I'll put together the fix - it shouldn't be too bad... It looks like when it creates the session it's just not receiving the parsed globals.
Any progress on this by chance? We're having to use workarounds here for overly intrusive SSL inspection; until the IT department implements the proper fixes documented elsewhere, the individual programmers need to use Unfortunately, when SSO ignores the CA bundle and the option, there's no way to make progress.
There's likely more to it (or at least I hope there is...), and I don't have a good test environment with a self-signed cert in the chain, but if I had to guess, this is the diff of the change against the latest release tag to support global verify_ssl settings:
Did a build with this change included in 2.15.7 on my local, and it hasn't broken anything afaict, but I can't confirm if it's using the global settings as expected. If I have some time this week, I'll setup a test environment and see if this in fact works.
Hi. Is there any progress on this? aws-cli/2.15.18 still exhibits this behaviour. Thanks |
Any update? Facing the same issue with Zscaler, it's terrible
Describe the bug
Executing an sso subcommand does not honor the --ca-bundle option or ca-bundle configuration. The value provided to the CLI is ignored in favor of the default certificate bundle.
Expected Behavior
I expected my specified bundle to be used.
Current Behavior
The default bundle at C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem is used.
Reproduction Steps
Execute the following command:
aws sso login --ca-bundle C:\Users\myUser\aws-ca-oidc-bundle.pem --debug
Observe the following line in the debug output:
2023-01-17 09:53:20,292 - MainThread - botocore.httpsession - DEBUG - Certificate path: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem
Possible Solution
Our temporary workaround has been to replace the contents of C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem with our custom bundle.
Additional Information/Context
This defect might be related to aws/aws-cdk#21328
CLI version used
aws-cli/2.9.15 Python/3.9.11
Environment details (OS name and version, etc.)
Windows/10 exe/AMD64
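Added here as a way to check for the behaviour this report describes; it is not code from the aws-cli project. It resolves which bundle the CLI should have used (documented precedence: the --ca-bundle option, then the AWS_CA_BUNDLE environment variable, then the ca_bundle config setting, then the bundled default) and compares that against the "Certificate path" lines botocore.httpsession prints under --debug. The sample log lines are constructed from the output quoted above.

```python
import re
from pathlib import PureWindowsPath

# Format of the botocore.httpsession debug line quoted in the report.
CERT_PATH_RE = re.compile(
    r"botocore\.httpsession - DEBUG - Certificate path: (?P<path>.+?)\s*$"
)

# Bundle shipped with the Windows installer, as named in the report.
DEFAULT_BUNDLE = r"C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem"

# Constructed sample: what the report shows for `aws sso login --ca-bundle ... --debug`.
SAMPLE_DEBUG_LOG = """\
2023-01-17 09:53:20,201 - MainThread - botocore.hooks - DEBUG - Event building-command-table.sso: calling handler
2023-01-17 09:53:20,292 - MainThread - botocore.httpsession - DEBUG - Certificate path: C:\\Program Files\\Amazon\\AWSCLIV2\\awscli\\botocore\\cacert.pem
2023-01-17 09:53:20,300 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1)
"""


def expected_bundle(cli_option=None, env=None, config=None):
    """Resolve the bundle the CLI is documented to use, highest precedence first."""
    env = env or {}
    config = config or {}
    return cli_option or env.get("AWS_CA_BUNDLE") or config.get("ca_bundle") or DEFAULT_BUNDLE


def bundles_in_debug_log(log_text):
    """Return every certificate path botocore reported while the command ran."""
    matches = (CERT_PATH_RE.search(line) for line in log_text.splitlines())
    return [m.group("path") for m in matches if m]


def _same_path(a, b):
    # Windows-style, case-insensitive comparison to match the reporter's environment.
    return PureWindowsPath(a).as_posix().lower() == PureWindowsPath(b).as_posix().lower()


def check_ca_bundle_honored(log_text, cli_option=None, env=None, config=None):
    """Return (honored, expected, used); honored is True only if every
    session in the log used the bundle the configuration asked for."""
    expected = expected_bundle(cli_option, env, config)
    used = bundles_in_debug_log(log_text)
    honored = bool(used) and all(_same_path(p, expected) for p in used)
    return honored, expected, used


if __name__ == "__main__":
    honored, expected, used = check_ca_bundle_honored(
        SAMPLE_DEBUG_LOG, cli_option=r"C:\Users\myUser\aws-ca-oidc-bundle.pem"
    )
    print("honored" if honored else f"NOT honored: expected {expected}, used {used}")
```

Run it against the real output of `aws sso login --ca-bundle <path> --debug` to get a yes/no answer instead of reading the log by eye.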