aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Expose existing boto3 proxy configuration options #357

Open mogul opened 2 years ago

mogul commented 2 years ago

Is your feature request related to a problem? Please describe.

I have configured the AWS CLI to use a proxy by setting the HTTPS_PROXY environment variable. However the proxy presents an internal certificate and I see a message saying "Cannot connect to proxy". (I have verified that the proxy is usable with curl by testing that I can connect and that the certificate presented is valid.)

There is no way to configure boto3's existing proxy_ca_bundle option, whether by environment variable or command flag.

Describe the solution you'd like

Describe alternatives you've considered

I've tried setting the value in a dictionary in the config file, but it's not working and there's no example to refer to, so I'm not sure if there's a problem with the way I'm specifying the value, or with the value itself, or if this option is not expected to work.

Additional context

The proxy restricts egress traffic to expected S3 buckets in order to prevent compromised applications from exfiltrating data or establishing a command-and-control backchannel (e.g. SolarWinds and log4shell-style attacks).

I also checked the v2 branch to see if the option was there, but didn't find any indication that this setting is on anyone's radar.
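The programmatic route to the existing boto3 option, as an added example that is not from the issue author or the AWS SDKs: botocore's `Config` takes `proxies` and `proxies_config` (key `proxy_ca_bundle`), which is the knob this issue asks to expose via environment variable or flag. The proxy host, file paths and bundle contents are constructed placeholders.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches one PEM certificate block; used only to sanity-check the bundle.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed sample bundle: two placeholder blocks, not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholderB\n-----END CERTIFICATE-----\n"
)


def validate_ca_bundle(path):
    """Return the number of PEM certificate blocks in `path`; raise if there are none."""
    with open(path, encoding="ascii") as fh:
        count = len(PEM_CERT_RE.findall(fh.read()))
    if count == 0:
        raise ValueError(f"{path} contains no PEM certificate blocks")
    return count


def proxy_config_kwargs(proxy_url, proxy_ca_bundle):
    """Build kwargs for botocore.config.Config, failing early on a bad URL or bundle."""
    parsed = urlparse(proxy_url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"invalid proxy URL: {proxy_url!r}")
    validate_ca_bundle(proxy_ca_bundle)
    return {
        "proxies": {"https": proxy_url},
        "proxies_config": {"proxy_ca_bundle": os.path.abspath(proxy_ca_bundle)},
    }


def s3_client_via_proxy(proxy_url, proxy_ca_bundle, region="us-east-1"):
    """Return an S3 client whose TLS session to the proxy is verified against the bundle."""
    import boto3  # imported lazily so the helpers above run without boto3 installed
    from botocore.config import Config
    cfg = Config(**proxy_config_kwargs(proxy_url, proxy_ca_bundle))
    return boto3.client("s3", region_name=region, config=cfg)


def demo():
    """Write the constructed bundle to a temp file and build the config kwargs."""
    path = os.path.join(tempfile.mkdtemp(), "proxy-root-ca.pem")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(SAMPLE_BUNDLE)
    return proxy_config_kwargs("https://egress-proxy.internal:3128", path)
```

Because `proxy_ca_bundle` only affects the TLS session to the proxy itself, the SDK's normal trust store for the AWS endpoints stays untouched, which avoids the cacert.pem concatenation workaround.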

mogul commented 2 years ago

I submitted a PR on botocore that would implement the environment variable option.

tim-finnigan commented 2 years ago

Hi @mogul, thanks for the feature request and PR. I brought this up for discussion with the team and it is something we are looking into further. We will let you know when we have an update.

mogul commented 2 years ago

Very glad to hear it. Thank you!

(I'm working around this for now by concatenating our proxy's root CA cert onto the end of the cacerts.pem that comes with the CLI, but my users shouldn't have to do that.)

mogul commented 2 years ago

Hi @tim-finnigan... Any updates on this one?

tim-finnigan commented 2 years ago

Thanks @mogul for the feature request, I left a comment on your PR. We can keep this issue open for tracking the request, and others can add a 👍 to indicate their support or leave a comment to provide additional feedback.

tim-finnigan commented 1 year ago

As mentioned previously on the PR, this type of work would need to be coordinated across SDKs, so the broader teams would need to review and decide on this. I found a related backlog item on this topic: https://github.com/aws/aws-sdk/issues/127, but I'm not sure if there's enough overlap in your requests to consider this a duplicate. But I'm going to transfer this issue to that repository as well since that is where cross-SDK feature requests are tracked. And we continue to encourage others to leave feedback on their use cases related to this or 👍 the issue. Thanks!