Allow aws-cli to trust OS certificates #9017

Open
2 tasks
joaocc opened this issue Dec 18, 2023 · 1 comment
Labels
cross-sdk feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

joaocc commented Dec 18, 2023

Describe the feature

Allow aws-cli to trust certificates that are trusted by the OS.

Use Case

In organizations that deploy traffic-inspecting firewalls/proxies, it is necessary to deploy custom trusted root certificates, either internal or external. In many cases (even of commercial software) the trusted roots are usually signed by entities that are not trusted by default.
The current mechanism requires setting env vars or providing variables.
While this is interesting in some scenarios, it doesn't permit deployment and management scenarios where IT departments can simply deploy the certificates to the machines under their management, as it requires all uses of aws-cli to be changed to manage the certificates and their configuration. Not permitting easy centralisation not only increases the cost and effort for effective deployment, but also opens up a set of security and compliance risks.
If aws-cli allowed trusting the OS certificates, either by default or by explicit config (via the usual env var, CLI arg or config file), new use cases would be possible/easier/cheaper, while at the same time avoiding any kind of impact on existing users.

Proposed Solution

Option 1: trust OS certificates by default, with config option (env, flag, file) to revert to current behaviour
Option 2: add new config option (env, flag, file) to enable trusting OS certificates

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.15.0

Environment details (OS name and version, etc.)

macOS, Windows, Linux

@joaocc joaocc added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 18, 2023
@tim-finnigan tim-finnigan self-assigned this May 16, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label May 16, 2024
@tim-finnigan
Contributor

Thanks for the feature request. I'm going to transfer this to our cross-SDK repository since requests involving shared configurations or environment variables (like ca_bundle or AWS_CA_BUNDLE) must be considered across SDKs. If you or others can share more details on use cases and why this is needed, please let us know. And others can 👍 this feature if interested.

@tim-finnigan tim-finnigan removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels May 16, 2024
@tim-finnigan tim-finnigan transferred this issue from aws/aws-cli May 16, 2024
@tim-finnigan tim-finnigan added the p2 This is a standard priority issue label Sep 3, 2024
@tim-finnigan tim-finnigan transferred this issue from aws/aws-sdk Oct 30, 2024
@tim-finnigan tim-finnigan removed their assignment Oct 30, 2024
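
Until such an option exists, the `AWS_CA_BUNDLE` variable named in the thread can be pointed at a PEM file exported from the OS trust store. The script below is an added example, not code from aws-cli or from either participant; it exports the roots that Python's `ssl` module can see and lists their SHA-256 fingerprints so changes to the bundle can be reviewed. The output file name `os-ca-bundle.pem` is an assumption.

```python
import hashlib
import os
import ssl
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def os_trusted_ders():
    """DER certs that Python's ssl module loads from the OS default locations.
    Certificates that sit only in an OpenSSL capath directory are not listed
    until a connection has used them, so check the count this returns."""
    ctx = ssl.create_default_context()  # runs load_default_certs()
    return ctx.get_ca_certs(binary_form=True)


def build_bundle(ders):
    """Deduplicate DER certs and return them as one PEM bundle string."""
    seen, parts = set(), []
    for der in ders:
        if der not in seen:
            seen.add(der)
            parts.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(parts)


def bundle_fingerprints(pem):
    """SHA-256 fingerprint of every cert in a PEM bundle, for change review."""
    fps = []
    for chunk in pem.split(BEGIN)[1:]:
        der = ssl.PEM_cert_to_DER_cert(BEGIN + chunk.split(END)[0] + END)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def write_bundle(pem, path):
    """Write atomically so a running CLI never reads a half-written bundle."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.write(pem)
    os.replace(tmp, path)
    return path


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "os-ca-bundle.pem"  # assumed name
    pem = build_bundle(os_trusted_ders())
    write_bundle(pem, out)
    print(f"{len(bundle_fingerprints(pem))} roots written; export AWS_CA_BUNDLE={os.path.abspath(out)}")
```

The bundle is a snapshot: it has to be regenerated whenever IT rotates or revokes a root in the OS store, which is the management overhead the request describes.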