aws / aws-cli

Universal Command Line Interface for Amazon Web Services

Adding --no-verify-ssl option as part of the config file #4215

Open pabloariasmora opened 5 years ago

pabloariasmora commented 5 years ago

This command should have the following option enabled as part of the config file

aws s3 ls --no-verify-ssl

==============
config
[default]
ssl=False

Or something similar.

bisdavid commented 5 years ago

@pabloariasmora, can I ask why you want to disable SSL? When you do that, all of your traffic between your client and the AWS services is no longer encrypted - a significant security risk in this day and age. How would turning it off all the time benefit you? Thanks!

pabloariasmora commented 5 years ago

Thanks for the reply @bisdavid

The problem is that there is an issue in the current office that I work in with the proxy: it overrides the SSL certificates from AWS with ones provided by it (and it is going to take a while to fix it), so my sam-cli cannot connect to deploy my code, because the login depends on the aws-cli, and the general process shows an SSL certificate issue. Since I'm using IntelliJ as IDE with the AWS Toolkit plugin, I don't have access to directly control the flow for the deploy, but I do have access to the config files, so having an option in the config to recreate the same input as the args will help me out for now.

PS: I know that it is a general security risk, but I was mainly thinking that since the option is already supported as an arg, why not as an input from a config file.

justnance commented 5 years ago

@pabloariasmora - Thanks for posting this issue. I'm marking it as a feature request and needs-discussion as this is not best practice. I think the security risk outweighs the benefits and this is something we may not want to implement.

jasimmonsv commented 4 years ago

This feature should not disable SSL but just skip the cert check for self-signed certs kind of scenarios... say your employer has an inline proxy for decrypting SSL traffic for Intellectual Property egress checking.

sharuzzaman commented 4 years ago

My company is using a man-in-the-middle proxy that intercepts SSL connections. I would like to have this feature as well so that I do not have to keep typing --no-verify-ssl

Another option is to trust the cert that is provided by my company inside Internet Explorer and Google Chrome

fuyi commented 4 years ago

I need to use a Java client to interact with my local Minio S3 instance. In this scenario, it is very useful to have this feature.

mebuzz commented 4 years ago

It's been a while, any buzz on this, anybody?

bisdavid commented 4 years ago

Hi, ** , I'm no longer the CLI writer (I'm working on AWS Organizations and AWS Resource Groups now), but I see that ***** marked it as a feature request, so someone on the engineering team will be triaging this and considering it for a future release (I have no insight to that process, sorry). <Redacted names>

mikezang commented 4 years ago

@jacobisaliveandwell How do you solve this problem before the new patch?

yinzhenzhixin commented 3 years ago

@pabloariasmora as a workaround, you can just add an alias something like aws="aws --no-verify-ssl" to your bashrc file

subha-py commented 1 year ago

In need of this feature. Any update on this?

digitalray commented 1 year ago

This feature would help with terraform S3 endpoints that have self-signed certs. Currently there is no way of passing the --no-verify-ssl flag to terraform. So an option to have an env var AWS_S3_NO_VERIFY_SSL=true would help a lot in this case.

digitalray commented 1 year ago

--no-verify-ssl logic already exists so I don't imagine this to be a huge change or controversial to add env var for the same functionality right?

Zane-XY commented 12 months ago

Also need this for an internally hosted S3 compatible service.

Farmbuyer commented 9 months ago

Any progress on this? Our corporate man-in-the-middle proxy twiddles with all the SSL connections for inspections, so using --no-verify-ssl is the only way we can get work actually performed while the request for a proper fix is winding its way through the bowels of the IT department. Unfortunately adding --no-verify-ssl isn't viable when some of the AWS CLI invocations are not done by humans.

Having a configuration file option or environment variable to trigger the already-existing behavior would let a lot of programmers make a lot more progress.

joaocc commented 8 months ago

I believe this could alternatively be addressed by https://github.com/aws/aws-sdk/issues/748 (trusting OS certificates), but there was no answer to this either yet.

zoobab commented 6 months ago

Any update on this? It is a bit strange that this command line option does not have its config file equivalent.

zagorulkinde commented 3 months ago

Hey guys! Do you think to do something with it?

sebma commented 2 days ago

Hey. I tried no_verify_ssl = 1 and ssl_verify_hostname = 0 in my $HOME/.aws/config but neither worked. I guess it's not implemented yet.
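
An added example, not part of the thread and not aws-cli code: the workarounds discussed above (the shell alias, scripted invocations) leave `--no-verify-ssl` scattered through automation, whereas the existing config-file route for a TLS-inspecting proxy is the `ca_bundle` setting (or the `AWS_CA_BUNDLE` environment variable) pointing at the proxy's CA certificate. This sketch inventories where verification is switched off and which profiles have no `ca_bundle`; all file names, paths and config contents are constructed samples.

```python
import configparser
import re

# Constructed sample inputs; in practice read these from disk or a repo checkout.
SAMPLE_FILES = {
    "~/.bashrc": 'export PATH=$PATH:~/bin\nalias aws="aws --no-verify-ssl"\n',
    "deploy.sh": "#!/bin/sh\naws s3 ls --no-verify-ssl\n"
                 "aws s3 cp build.zip s3://example-bucket/\n",
    "ci/upload.sh": "# aws s3 ls --no-verify-ssl (old)\n"
                    "aws s3 sync . s3://example-bucket/\n",
}
# Constructed ~/.aws/config: one profile trusts the proxy CA, one does not.
SAMPLE_CONFIG = (
    "[default]\nregion = us-east-1\n\n"
    "[profile office]\nca_bundle = /etc/ssl/corp/corp-root-ca.pem\n"
)

# Match the flag as a whole token, not as part of a longer option name.
FLAG = re.compile(r"(?<![\w-])--no-verify-ssl(?![\w-])")


def find_disabled_verification(files):
    """Return (path, line_no, line) for each non-comment line using the flag."""
    hits = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            code = line.split("#", 1)[0]  # crude: drop shell comments
            if FLAG.search(code):
                hits.append((path, line_no, line.strip()))
    return hits


def profiles_without_ca_bundle(config_text):
    """Return config sections that do not set ca_bundle."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return [s for s in parser.sections() if not parser.has_option(s, "ca_bundle")]


if __name__ == "__main__":
    for path, line_no, line in find_disabled_verification(SAMPLE_FILES):
        print(f"{path}:{line_no}: certificate verification disabled: {line}")
    for section in profiles_without_ca_bundle(SAMPLE_CONFIG):
        print(f"[{section}] has no ca_bundle; it uses the default trust store")
```
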