aws-sdk-js
JS SDK does not support CA bundle configuration
Confirm by changing [ ] to [x] below to ensure that it's a bug:
- [x] I've gone through Developer Guide and API reference
- [x] I've checked AWS Forums and StackOverflow for answers
- [x] I've searched for previous similar issues and didn't find any solution
Describe the bug
The AWS CLI and other SDKs support configuration of a custom SSL/TLS CA bundle path using the AWS_CA_BUNDLE environment variable or ca_bundle key in ~/.aws/config. Neither of these are supported by the JS SDK.
Is the issue in the browser/Node.js? Node.js
If on Node.js, are you running this on AWS Lambda? N/A
Details of the browser/Node.js version v10.17.0
SDK version number 2.576.0
To Reproduce (observed behavior)
My corporate network uses TLS interception with an internal root CA. This CA is added to a custom CA bundle set in ~/.aws/config:
[default]
ca_bundle = /path/to/ca-bundle.trust.crt
When attempting to make any requests using the AWS JS SDK, I get something like the following result:
Error: self signed certificate in certificate chain
at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
at TLSSocket.emit (events.js:198:13)
at TLSSocket.EventEmitter.emit (domain.js:448:20)
at TLSSocket._finishInit (_tls_wrap.js:636:8)
message: 'self signed certificate in certificate chain',
code: 'NetworkingError',
region: 'us-east-1',
hostname: 'sts.amazonaws.com',
retryable: true,
time: 2019-11-21T23:48:23.555Z
Expected behavior
The JS SDK should match the behaviour of the CLI and other SDKs with support for a custom CA bundle.
Hey @jkenn99,
Thank you for reaching out to us with your issue. The CLI provides a lot of customization options; however, other SDKs may implement the functionality differently. To load a CA bundle using the JS SDK, you can see issue #662.
Marking this as a feature request to maybe let the SDK team work on it in the future.
Hi @ajredniwja that actually doesn't work, I think it is since httpOptions isn't passed through to the agent options but I'm not sufficiently familiar with the code.
Does the JS SDK use ~/.aws/config at all? If so, why some parameters and not this one?
Apologies, I lost track of this, have you checked the StackOverflow answer which explains how it is done?
Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.
In my opinion this should still be implemented to bring the JS SDK up to the level of the other SDKs.
The SO post hinted at mentions the NODE_EXTRA_CA_CERTS env variable. This works, but is unable to be set after the process has started. This is contrary to the expectations the fromIni credential provider gives within the SDK. It doesn't provide any way to mix 'real' AWS CLI calls with Snow family calls to local devices, which could be a security problem.
Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.
This would still be useful to have implemented.
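Added example, not code from this thread or from the aws-sdk-js project: one way an application could resolve AWS_CA_BUNDLE or the ca_bundle key itself and build a per-client https.Agent, so a custom CA can be scoped to one client instead of the whole process. All function names are hypothetical, and it assumes Node.js 12.3 or later for tls.rootCertificates (the v10.17.0 in the report does not have it).

```javascript
// Added example; function names are hypothetical, not aws-sdk-js APIs.
const fs = require('fs');
const https = require('https');
const os = require('os');
const path = require('path');
const tls = require('tls');

// Return ca_bundle from the given profile of AWS config INI text, or null.
function caBundleFromIni(iniText, profile = 'default') {
  const wanted = profile === 'default' ? 'default' : `profile ${profile}`;
  let section = null;
  for (const raw of iniText.split(/\r?\n/)) {
    const line = raw.trim();
    const header = line.match(/^\[(.+)\]$/);
    if (header) { section = header[1].trim(); continue; }
    const kv = line.match(/^ca_bundle\s*=\s*(.+)$/);
    if (kv && section === wanted) return kv[1].trim();
  }
  return null;
}

// AWS_CA_BUNDLE overrides the config file value, as in the AWS CLI.
function resolveCaBundlePath(env = process.env, iniText = null) {
  if (env.AWS_CA_BUNDLE) return env.AWS_CA_BUNDLE;
  if (iniText === null) {
    const file = env.AWS_CONFIG_FILE || path.join(os.homedir(), '.aws', 'config');
    iniText = fs.existsSync(file) ? fs.readFileSync(file, 'utf8') : '';
  }
  return caBundleFromIni(iniText, env.AWS_PROFILE || 'default');
}

// Split a PEM bundle into its individual certificates.
function splitPem(pem) {
  return pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Build an agent from bundle text. The `ca` option REPLACES Node's default
// roots, so they are re-added unless the caller asks for an exclusive store
// (for example a client that should trust only a local device's CA).
function agentForBundle(pemText, { exclusive = false } = {}) {
  const extra = splitPem(pemText);
  if (extra.length === 0) throw new Error('CA bundle contains no certificates');
  const ca = exclusive ? extra : [...tls.rootCertificates, ...extra];
  return new https.Agent({ ca, rejectUnauthorized: true });
}

// Constructed sample config, same shape as the one in the report.
const SAMPLE_INI = '[default]\nca_bundle = /path/to/ca-bundle.trust.crt\n';
console.log(resolveCaBundlePath({}, SAMPLE_INI));
```

With SDK v2 the resulting agent would be supplied through the documented `httpOptions.agent` setting, either globally or on a single service client. Certificate verification stays enabled in both modes.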