Use CURL_CA_BUNDLE when AWS_CA_BUNDLE is not set

[acdha]

Describe the feature

Our organization recently deployed HTTPS interception. This causes AWS CLI to fail because it doesn't use the common system paths (e.g. /etc/ssl/certs.pem) or the CURL_CA_BUNDLE environmental variable. Setting AWS_CA_BUNDLE to the same value as CURL_CA_BUNDLE will work but it would be nice if it followed the behaviour of other Python clients (e.g. requests) in using the CURL_CA_BUNDLE unless AWS_CA_BUNDLE is set.

Use Case

We have a number of technical users and each of their systems needs to be updated, including tools running inside containers. It would be nice if AWS CLI reused the same configuration as other tools.

Proposed Solution

If AWS_CA_BUNDLE is defined, use that.
If CURL_CA_BUNDLE is defined, use that.

I would prefer to use truststore but that package is still considered experimental by its authors.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CLI version used

aws-cli/2.9.5 Python/3.11.0 Darwin/22.1.0 source/arm64 prompt/off

Environment details (OS name and version, etc.)

ProductName: macOS ProductVersion: 13.0.1 BuildVersion: 22A400

[tim-finnigan]

Hi @acdha thanks for reaching out. Feature requests related to environment variable configuration should be tracked in our cross-SDK repository since those variables are used across AWS SDKs. I'll go ahead and transfer this issue there for further review.