aws configure sso and aws sso login commands do not respect --ca-bundle or --no-verify-ssl or the AWS_CA_BUNDLE environment variables.
Expected Behavior
Running aws configure sso and aws sso login should load the CA bundle file from the path specified in the AWS_CA_BUNDLE env var. Also, --no-verify-ssl should be used if specified.
Current Behavior
Running aws configure sso and aws sso login only use the ca bundle file included in the install, no matter if AWS_CA_BUNDLE or --no-verify-ssl are set. This was observed on Windows in command prompt and in powershell. Not sure if it affects other platforms.
SSL validation failed for https://oidc.us-gov-west-1.amazonaws.com/client/register [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)
To use an internal CA cert, we had to manually modify Amazon/AWSCLIV2/awscli/botocore/cacert.pem within the aws cli installation, and add our ca cert to the file.
Looks like this might be a botocore issue, because we just ran into the same issue with boto when running git-remote-codecommit using an sso / identity center role. We had to add the cert to the certifi python package cacert.pem file to get past that.
Hi @atheiman thanks for creating this issue. A related issue was opened earlier this year: #7602. As mentioned there, the team confirmed the issue and will need to investigate it further. I'm going to close this as a duplicate but will try following up with the team for any updates.
Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Not sure if this helps, but we were able to get it to work, with some caveats.
In this version aws-cli/2.15.18 Python/3.11.6 Linux/6.6.12-linuxkit exe/aarch64.debian.11 prompt/off via AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt.
In Debian, all we needed to do was copy the cert (in PEM format but with a .crt extension) to /usr/local/share/ca-certificates, followed by an update-ca-certificates.
Thanks
Reproduction Steps
Self explanatory based on above.
Possible Solution
No response
Additional Information/Context
No response
CLI version used
aws-cli/2.13.27 Python/3.11.6 Windows10 exe/AMD64 prompt/off
Environment details (OS name and version, etc.)
Windows 10, command prompt and powershell
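Added example (not from this thread or from the AWS CLI project): instead of hand-appending an internal CA to the cacert.pem shipped inside the install, this Python code merges the two bundles into new PEM text, dropping duplicates and normalising the CRLF line endings and fused END/BEGIN markers that a manual append on Windows can leave behind. The function names are hypothetical and the certificate bytes are constructed placeholders, not real certificates.

```python
import hashlib
import re
import ssl

# Non-greedy match: also separates blocks fused onto one line as
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----", which is what a
# plain append produces when the target file has no trailing newline.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_bundle(pem_text):
    """Return the decoded bytes of each certificate block, in file order."""
    return [ssl.PEM_cert_to_DER_cert(m.group(0))
            for m in _PEM_BLOCK.finditer(pem_text)]


def merge_bundles(base_pem, extra_pem):
    """Return (merged_pem, added): base certs first, then new ones from extra_pem."""
    base = split_bundle(base_pem)
    seen, blocks, added = set(), [], 0
    for index, der in enumerate(base + split_bundle(extra_pem)):
        digest = hashlib.sha256(der).digest()
        if digest in seen:  # same certificate already in the output
            continue
        seen.add(digest)
        # Re-encode so every block has LF endings and its own marker lines.
        blocks.append(ssl.DER_cert_to_PEM_cert(der))
        if index >= len(base):
            added += 1
    return "".join(blocks), added


def demo():
    """Constructed input only: placeholder bytes stand in for certificates."""
    root_a = ssl.DER_cert_to_PEM_cert(b"constructed public root A")
    internal = ssl.DER_cert_to_PEM_cert(b"constructed internal CA")
    base = root_a.rstrip("\n")                       # bundle missing its final newline
    extra = internal.replace("\n", "\r\n") + root_a  # CRLF export plus a duplicate
    fused = base + extra                             # naive append: markers run together
    return merge_bundles(base, extra), split_bundle(fused)


if __name__ == "__main__":
    (merged, added), fused_blocks = demo()
    print(f"added {added} certificate(s); fused input held {len(fused_blocks)} blocks")
    print(merged, end="")
```

Write the merged text to a file outside the CLI install directory, so the shipped bundle stays unmodified, and point AWS_CA_BUNDLE at it on versions that honour the variable, as the comment above reports for 2.15.18. Comment lines between certificates in the source bundles are not carried over.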