Allow aws-cli to trust OS certificates #9017

@joaocc

Description

Describe the feature

Allow aws-cli to trust certificates that are trusted by the OS.

Use Case

In organizations that deploy traffic-inspecting firewalls/proxies, it is necessary to deploy custom trusted root certificates, either internal or external. In many cases (even for commercial software) the trusted roots are signed by entities that are not trusted by default.
The current mechanism requires setting env vars or providing variables.
While this is interesting in some scenarios, it doesn't permit deployment and management scenarios where IT departments can simply deploy the certificates to the machines under their management, as it requires every use of aws-cli to be changed to manage the certificates and their configuration. Not permitting easy centralisation not only increases the cost and effort of effective deployment, but also opens up a set of security and compliance risks.
If aws-cli allowed trusting the OS certificates, either by default or by explicit config (via the usual env var, CLI arg or config file), new use cases would be possible/easier/cheaper, while at the same time avoiding any kind of impact on existing users.

Proposed Solution

Option 1: trust OS certificates by default, with config option (env, flag, file) to revert to current behaviour
Option 2: add new config option (env, flag, file) to enable trusting OS certificates

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

aws-cli/2.15.0

Environment details (OS name and version, etc.)

macOS, Windows, Linux
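The "current mechanism" the request refers to is the CLI's explicit CA-bundle setting: the AWS_CA_BUNDLE environment variable, the --ca-bundle option, or the ca_bundle key in ~/.aws/config. The following is an added example, not code from the issue or from aws-cli, showing how an IT team has to bridge the gap today: find the OS bundle, merge it with the bundle the CLI already ships, and write ca_bundle into a profile. The OS bundle paths are assumed typical distro defaults, the function names (find_os_ca_bundle, merge_ca_bundles, set_aws_ca_bundle, run_demo) are this example's own, and the PEM blocks used in run_demo are constructed placeholders, not real certificates.

```python
"""Point the AWS CLI at a bundle that includes the OS-trusted CAs.

Added example (not from the issue or from aws-cli). It relies only on
settings the CLI documents: AWS_CA_BUNDLE, --ca-bundle and `ca_bundle`
in ~/.aws/config. OS bundle paths below are assumed common layouts, and
the PEM blocks in run_demo() are constructed placeholders.
"""
import configparser
import os
import re
import ssl
import tempfile
from pathlib import Path

# Assumption: where common OSes keep their consolidated CA bundle.
OS_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / Fedora
    "/etc/ssl/cert.pem",                   # Alpine, macOS OpenSSL/LibreSSL
)

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL
)


def find_os_ca_bundle(candidates=OS_BUNDLE_CANDIDATES, use_ssl_defaults=True):
    """Return the first readable OS CA bundle file, or None. The local
    OpenSSL's own cafile is tried first, the static candidates as fallback."""
    paths = []
    if use_ssl_defaults:
        d = ssl.get_default_verify_paths()
        paths += [p for p in (d.cafile, d.openssl_cafile) if p]
    paths += list(candidates)
    for p in paths:
        if os.path.isfile(p) and os.access(p, os.R_OK):
            return p
    return None


def extract_certificates(pem_text):
    """Return the distinct PEM certificate blocks in pem_text, in order."""
    out, seen = [], set()
    for block in PEM_CERT.findall(pem_text):
        block = block.replace("\r\n", "\n")
        if block not in seen:
            seen.add(block)
            out.append(block)
    return out


def merge_ca_bundles(sources, dest):
    """Write every distinct certificate from the readable `sources` to `dest`
    (world-readable, like a system bundle). Returns the number written."""
    certs = []
    for src in sources:
        if src and os.path.isfile(src):
            certs += extract_certificates(Path(src).read_text(encoding="utf-8", errors="replace"))
    unique = list(dict.fromkeys(certs))  # dedupe across files, keep order
    Path(dest).write_text("\n".join(unique) + "\n", encoding="utf-8")
    os.chmod(dest, 0o644)
    return len(unique)


def _section(profile):
    return "default" if profile == "default" else f"profile {profile}"


def set_aws_ca_bundle(config_path, bundle_path, profile="default"):
    """File-based equivalent of `aws configure set ca_bundle <path>`."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path, encoding="utf-8")
    if not cfg.has_section(_section(profile)):
        cfg.add_section(_section(profile))
    cfg.set(_section(profile), "ca_bundle", str(bundle_path))
    with open(config_path, "w", encoding="utf-8") as fh:
        cfg.write(fh)
    return _section(profile)


def read_aws_ca_bundle(config_path, profile="default"):
    """Read back ca_bundle for a profile (None if unset)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(config_path, encoding="utf-8")
    return cfg.get(_section(profile), "ca_bundle", fallback=None)


def _fake_cert(label):
    # Constructed placeholder with the shape of a PEM block; not a real cert.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"


def run_demo():
    """Run the whole flow on constructed files in a temp dir; return results."""
    with tempfile.TemporaryDirectory() as tmp:
        os_bundle = Path(tmp, "os-bundle.crt")       # stands in for the OS store
        os_bundle.write_text(_fake_cert("OSROOT1") + "\n" + _fake_cert("SHARED") + "\n")
        vendor = Path(tmp, "vendor.pem")             # stands in for the CLI's shipped bundle
        vendor.write_text(_fake_cert("SHARED") + "\n" + _fake_cert("PUBLICROOT") + "\n")
        merged = Path(tmp, "merged.pem")
        count = merge_ca_bundles([os_bundle, vendor, Path(tmp, "missing.pem")], merged)
        cfg = Path(tmp, "config")
        section = set_aws_ca_bundle(cfg, merged, profile="corp")
        return {
            "found": find_os_ca_bundle([Path(tmp, "nope"), str(os_bundle)], use_ssl_defaults=False),
            "os_bundle": str(os_bundle), "count": count, "section": section,
            "configured": read_aws_ca_bundle(cfg, profile="corp"), "merged": str(merged),
        }


if __name__ == "__main__":
    print("OS bundle on this host:", find_os_ca_bundle())
    print(run_demo())
```

The merged file is a snapshot: when the OS store is updated (a root rotated, an internal CA revoked), the CLI keeps trusting whatever was in the file until the merge is rerun on every machine, which is exactly the per-tool management burden the request describes. Setting the same path through AWS_CA_BUNDLE or --ca-bundle instead of the config file has the same limitation.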

Metadata

Labels

cross-sdk; feature-request (A feature should be added or improved.); p2 (This is a standard priority issue)