AWS/CLI: Difference between revisions

From Omnia
< AWS
Jump to navigation Jump to search
No edit summary
 
Line 15: Line 15:
Mytest:
Mytest:
  aws s3 cp --no-sign-request s3://kaws/test.txt ./
  aws s3 cp --no-sign-request s3://kaws/test.txt ./
== Use System SSL Certificate Bundle ==
Error:
$ aws s3 cp --no-sign-request --recursive s3://kaws/test.txt .
fatal error: SSL validation failed for https://kaws.s3.amazonaws.com/?list-type=2&prefix=test.txt%2F&encoding-type=url [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1006)
Cause:
* Your firewall probably uses a decryption SSL certificate, and the AWS tools use an embeded copy of the SSL certificates.
Solution options:
My preference is option #3 - config file!
Option 1. AWS_CA_BUNDLE
# Debian:
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat:
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
--
Option 2. REQUESTS_CA_BUNDLE
# Debian:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
note: this is basically the same as option #1, but relies on the implementation.  If they ever change that implementation this will break.  Option #1 is better.
--
Option 3. config file - MY PREFERENCE
<pre>
# cat > ~/.aws/config
[default]
ca_bundle = /etc/ssl/certs/ca-certificates.crt
</pre>
note: adjust cert file for debian/redhat
--
Option 4. add/replace cert to their embedded cert bundle. (not recommended option)
# replace their ca-certificate bundle with copy of system ca-certificate bundle
cp /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore.bak
cat /etc/ssl/certs/ca-certificates.crt > /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore/cacert.pem
note: adjust cert file for debian/redhat

Latest revision as of 16:29, 4 June 2024

Install

curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

ref: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#cliv2-linux-install

# sudo ./aws/install
You can now run: /usr/local/bin/aws --version
# /usr/local/bin/aws --version
aws-cli/2.16.0 Python/3.11.8 Linux/5.8.0-40-generic exe/x86_64.ubuntu.20

Mytest:

aws s3 cp --no-sign-request s3://kaws/test.txt ./

Use System SSL Certificate Bundle

Error:

$ aws s3 cp --no-sign-request --recursive s3://kaws/test.txt .
fatal error: SSL validation failed for https://kaws.s3.amazonaws.com/?list-type=2&prefix=test.txt%2F&encoding-type=url [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1006)

Cause:

  • Your firewall probably uses a decryption SSL certificate, and the AWS tools use an embeded copy of the SSL certificates.

Solution options:

My preference is option #3 - config file!

Option 1. AWS_CA_BUNDLE

# Debian:
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat:
export AWS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

--

Option 2. REQUESTS_CA_BUNDLE

# Debian:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# RedHat:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

note: this is basically the same as option #1, but relies on the implementation. If they ever change that implementation this will break. Option #1 is better.

--

Option 3. config file - MY PREFERENCE

# cat > ~/.aws/config
[default]
ca_bundle = /etc/ssl/certs/ca-certificates.crt

note: adjust cert file for debian/redhat

--

Option 4. add/replace cert to their embedded cert bundle. (not recommended option)

# replace their ca-certificate bundle with copy of system ca-certificate bundle
cp /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore.bak
cat /etc/ssl/certs/ca-certificates.crt > /usr/local/aws-cli/v2/2.16.0/dist/awscli/botocore/cacert.pem

note: adjust cert file for debian/redhat