tim-finnigan
commented
6 months ago Thanks for the feature request. I'm going to transfer this to our cross-SDK repository since requests involving shared configurations or environment variables (like ca_bundle or AWS_CA_BUNDLE) must be considered across SDKs. If you or others can share more details on use cases and why this is needed please let us know. And others can 👍 this feature if interested.
Describe the feature
Allow aws-cli to trust certificates that are trusted by the OS.
Use Case
On organizations that deploy traffic inspecting firewalls/proxies, it is necessary to deploy custom trusted root certificates, either internal or external. In many cases (even of commercial software) the trusted roots are usually signed by entities that are not trusted by default. Current mechanism requires setting env vars or providing variables. While this is interesting in some scenarios, it doesn't permit deployment and management scenarios where IT departments can simply deploy the certificates to the machines under their management, as it requires all uses of aws-cli to be changed to have to manage the certificates and their configuration. Not permitting an easy centralisation, not only increases the cost and effort for effective deployment, but also opens up a set of security and compliance risks. If aws-cli would allow trusting the OS certificates - either by default or by explicit config (via the usual env var, cli arg or config file), new use cases would be possible/easier/cheaper, while at the same time avoiding any kind of impact on existing users.
Proposed Solution
Option 1: trust OS certificates by default, with config option (env, flag, file) to revert to current behaviour Option 2: add new config option (env, flag, file) to enable trusting OS certificates
Other Information
No response
Acknowledgements
CLI version used
aws-cli/2.15.0
Environment details (OS name and version, etc.)
macOS, windows, linux