
Additional CA bundles do not apply to requests to AWS_CONTAINER_CREDENTIALS_FULL_URI #774

Open
synfinatic opened this issue Jul 8, 2024 · 6 comments

@synfinatic

Problem

If I create a certificate which is not signed by a CA which is embedded in the CA certificate store which ships with the AWS SDK, HTTPS requests to the AWS_CONTAINER_CREDENTIALS_FULL_URI endpoint will fail SSL verification because the certificate is not trusted, even if I specify the CA in AWS_CA_BUNDLE for the aws-cli or manually in the Go v2 SDK via WithCustomCABundle().

Expected behavior

CAs which are passed in to the AWS SDK configuration should be used to validate HTTPS requests to the endpoint defined by the AWS_CONTAINER_CREDENTIALS_FULL_URI variable.

Additional Details

I've tried this with both the aws-cli (Boto3 SDK) via the AWS_CA_BUNDLE environment variable as well as the Go v2 SDK, and neither works. The aws-cli will also fail to validate the certificate even when using the --no-verify-ssl and/or --ca-bundle flags.

Why this is necessary

I am the developer of aws-sso-cli, a tool for secure management of IAM role credentials that are issued via AWS Identity Center. I would like to make these user role credentials available by a variety of methods/use cases, and emulating the AWS ECS Server credential endpoint is part of that. For security, using SSL/TLS is obviously important, but it is not possible to get a public CA like Let's Encrypt or DigiCert to sign a certificate for localhost. Hence the need for the AWS SDK to be able to trust an additional, user-managed CA.

Additional information: boto/boto3#4188
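The failure described above can be reproduced without the SDK at all, since it comes down to which root pool the HTTP client verifying the endpoint uses. The following is an added example, not code from this issue or from aws-sso-cli: it builds a private CA in memory, has it sign a leaf certificate for localhost/127.0.0.1, serves a constructed placeholder credential document over HTTPS from an httptest server, and then performs the same GET twice, once with a client that trusts only the system roots (what the SDK's stock client does) and once with a client whose pool also contains the private CA. The CA, key material, server and response body are all constructed here; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ProbeResult records what each client saw when fetching from the local endpoint.
type ProbeResult struct {
	DefaultOK  bool   // client with system roots only (the SDK's stock behaviour)
	DefaultErr error  // verification error that client hit, if any
	CustomOK   bool   // client whose root pool also contains the private CA
	Body       string // response body read by the trusting client
}

// makeCA builds a throwaway private CA (constructed for this example).
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLocalhostCert has the CA sign a server cert for the only names a local
// credential endpoint can present: localhost and 127.0.0.1.
func issueLocalhostCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// clientWithRoots returns a client that verifies servers against pool only;
// a nil pool means the system roots.
func clientWithRoots(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// fetchCreds performs the GET an SDK would make against the endpoint URL.
func fetchCreds(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// isUntrustedCAError reports whether err is the chain-of-trust failure a
// private CA produces (unknown issuer, or no system roots at all).
func isUntrustedCAError(err error) bool {
	var unknown x509.UnknownAuthorityError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknown) || errors.As(err, &noRoots)
}

// ProbeEndpoint stands up the local HTTPS endpoint and queries it both ways.
func ProbeEndpoint() (ProbeResult, error) {
	ca, caKey, err := makeCA()
	if err != nil {
		return ProbeResult{}, err
	}
	leaf, err := issueLocalhostCert(ca, caKey)
	if err != nil {
		return ProbeResult{}, err
	}
	// Stand-in for the AWS_CONTAINER_CREDENTIALS_FULL_URI endpoint; the body is a
	// constructed placeholder, not real credentials.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"AccessKeyId":"EXAMPLE","SecretAccessKey":"EXAMPLE","Token":"EXAMPLE"}`)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()

	var res ProbeResult
	// 1. System roots only: the private CA is unknown, so verification fails.
	_, res.DefaultErr = fetchCreds(clientWithRoots(nil), srv.URL)
	res.DefaultOK = res.DefaultErr == nil

	// 2. System roots plus the private CA: the same request verifies.
	pool, _ := x509.SystemCertPool()
	if pool == nil {
		pool = x509.NewCertPool()
	}
	pool.AddCert(ca)
	res.Body, err = fetchCreds(clientWithRoots(pool), srv.URL)
	res.CustomOK = err == nil
	return res, nil
}

func main() {
	res, err := ProbeEndpoint()
	if err != nil {
		panic(err)
	}
	fmt.Printf("system roots trusted endpoint: %v (untrusted-CA error: %v)\n", res.DefaultOK, isUntrustedCAError(res.DefaultErr))
	fmt.Printf("pool with private CA trusted endpoint: %v\n", res.CustomOK)
}
```

The second client is the behaviour this issue asks for: the pool handed to the SDK through AWS_CA_BUNDLE or WithCustomCABundle() needs to reach whichever HTTP client the container credential provider uses, otherwise that provider keeps verifying against the stock roots and reports the first client's error.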

@beatyconsultancy

+1 from me.

@QuinnyPig

Yeah, I smacked into this somewhat recently and was... less than thrilled. Plz fix.

@synfinatic
Author

Hi @tim-finnigan, looks like a number of people would find this useful. Any chance of getting a vibe from AWS on the likelihood of addressing this and what a rough ETA might be? Thanks!

@tim-finnigan

Thanks for following up — unfortunately I cannot provide any guarantees as far as if or when this might be considered. For anyone interested in this, please continue to add 👍s to the issue to show support and comment to share any additional details regarding use cases.

@niksbansode

Not-trusted server certificate workaround worked for me: after replacing the default cacert.pem file (python/lib/python3.10/site-packages/certifi/cacert.pem) of the certifi library, the issue got resolved.

@synfinatic
Author

@niksbansode, yeah I looked into it... sadly it seems most of the AWS SDKs use different CAs, so you have to solve this multiple times. And if you upgrade your certifi package, well then you start getting errors again. So while I can imagine that workaround working for some people, it definitely won't work or prove to be maintainable in many situations.

@tim-finnigan tim-finnigan added the p2 label Sep 3, 2024