AWS/CLI

Install

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

ref: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#cliv2-linux-install

# sudo ./aws/install
You can now run: /usr/local/bin/aws --version
# /usr/local/bin/aws --version
aws-cli/2.16.0 Python/3.11.8 Linux/5.8.0-40-generic exe/x86_64.ubuntu.20

Mytest:

aws s3 cp --no-sign-request s3://kaws/test.txt ./

Use System SSL Certificate Bundle

Error:

$ aws s3 cp --no-sign-request --recursive s3://kaws/test.txt .
fatal error: SSL validation failed for https://kaws.s3.amazonaws.com/?list-type=2&prefix=test.txt%2F&encoding-type=url [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1006)

Cause:

  • Your firewall probably decrypts SSL traffic and re-signs it with its own certificate, and the AWS tools use an embedded copy of the SSL certificates instead of the system bundle.

Solution options:

My preference is option #3 - config file!

Option 1. AWS_CA_BUNDLE

# Debian:
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat:
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

--

Option 2. REQUESTS_CA_BUNDLE

# Debian:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

note: this is basically the same as option #1, but relies on the implementation. If they ever change that implementation this will break. Option #1 is better.

--

Option 3. config file - MY PREFERENCE

# cat > ~/.aws/config
[default]
ca_bundle = /etc/ssl/certs/ca-certificates.crt

note: adjust cert file for debian/redhat
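
Added example (not part of the original page): `cat > ~/.aws/config` replaces the whole file, so this sketch picks whichever of the two bundle paths above exists and sets `ca_bundle` in `[default]` while keeping other keys and profiles. The function names, the root-prefix argument, the `--apply` switch and the script name set-ca-bundle.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.

# Print the first non-empty system CA bundle. The two paths are the ones this
# page lists; $1 is an optional root prefix (assumption, for testing only).
find_ca_bundle() {
    root="${1:-}"
    for p in /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-bundle.crt; do
        if [ -s "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# Set "ca_bundle = $2" in the [default] section of config file $1.
# Other keys and profiles are kept; the file is created if it is missing.
set_ca_bundle() {
    cfg="$1"; bundle="$2"
    mkdir -p "$(dirname "$cfg")" && touch "$cfg" || return 1
    tmp="$(mktemp "$cfg.XXXXXX")" || return 1
    awk -v b="$bundle" '
        /^\[/ { in_def = ($0 ~ /^\[default\][ \t]*$/) }   # track current section
        in_def && /^[ \t]*ca_bundle[ \t]*=/ { next }      # drop the old value
        { print }
        in_def && /^\[/ { print "ca_bundle = " b; done = 1 }  # right after header
        END { if (!done) { print "[default]"; print "ca_bundle = " b } }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Only touch the real config when asked to: sh set-ca-bundle.sh --apply
if [ "${1:-}" = "--apply" ]; then
    bundle="$(find_ca_bundle)" || { echo "no system CA bundle found" >&2; exit 1; }
    set_ca_bundle "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "$bundle"
fi
```
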

--

Option 4. add/replace cert to their embedded cert bundle. (not recommended option)

# back up their botocore directory (cp needs -a to copy a directory), then
# replace their ca-certificate bundle with copy of system ca-certificate bundle
cp -a /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore.bak
cat /etc/ssl/certs/ca-certificates.crt > /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore/cacert.pem

note: adjust cert file for debian/redhat