Expose existing boto3 proxy configuration options #9045
Comments
I submitted a PR on botocore that would implement the environment variable option. |
Hi @mogul, thanks for the feature request and PR. I brought this up for discussion with the team and it is something we are looking into further. We will let you know when we have an update. |
Very glad to hear it. Thank you!
(I'm working around this for now by concatenating our proxy's root CA cert
onto the end of the cacerts.pem that comes with the CLI, but my users
shouldn't have to do that.)
On Fri, Jan 21, 2022 at 3:56 PM Tim Finnigan wrote:
Hi @mogul, thanks for the feature request and PR. I brought this up for discussion with the team and it is something we are looking into further. We will let you know when we have an update.
|
Hi @tim-finnigan... Any updates on this one? |
Thanks @mogul for the feature request, I left a comment on your PR. We can keep this issue open for tracking the request, and others can add a 👍 to indicate their support or leave a comment to provide additional feedback. |
As mentioned previously on the PR this type of work would need to be coordinated across SDKs, so the broader teams would need to review and decide on this. I found a related backlog item on this topic: aws/aws-sdk#127, but I'm not sure if there's enough overlap in your requests to consider this a duplicate. But I'm going to transfer this issue to that repository as well since that is where cross-SDK feature requests are tracked. And we continue to encourage others to leave feedback on their use cases related to this or 👍 the issue. Thanks! |
Is your feature request related to a problem? Please describe.
I have configured the AWS CLI to use a proxy by setting the HTTPS_PROXY environment variable. However the proxy presents an internal certificate and I see a message saying "Cannot connect to proxy". (I have verified that the proxy is usable with curl by testing that I can connect and that the certificate presented is valid.)
There is no way to configure boto3's existing proxy_ca_bundle option, whether by environment variable or command flag.
Describe the solution you'd like
- aws command to make use of an AWS_S3_PROXY_CA_BUNDLE environment variable when it is set
- s3 subcommand to have an explicit --proxy_ca_bundle flag
Describe alternatives you've considered
I've tried setting the value in a dictionary in the config file, but it's not working and there's no example to refer to, so I'm not sure if there's a problem with the way I'm specifying the value, or with the value itself, or if this option is not expected to work.
Additional context
The proxy restricts egress traffic to expected S3 buckets in order to prevent compromised applications from exfiltrating data or establishing a command-and-control backchannel (e.g. SolarWinds and log4shell-style attacks).
I also checked the v2 branch to see if the option was there, but didn't find any indication that this setting is on anyone's radar.
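For code that calls boto3 directly rather than through the CLI, the existing proxy_ca_bundle option can be set through botocore's Config object. The following is an added example, not code from this issue or from the AWS projects: AWS_S3_PROXY_CA_BUNDLE is the variable name proposed above, which this helper reads itself (neither the CLI nor botocore does), and the function names are hypothetical.

```python
import os

# Assumption: the variable name proposed in this issue. Neither the AWS CLI
# nor botocore reads it; this helper reads it on their behalf.
CA_ENV = "AWS_S3_PROXY_CA_BUNDLE"
PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def proxy_config_kwargs(environ=None):
    """Build keyword arguments for botocore.config.Config from the environment.

    Returns {} when no HTTPS proxy is set, so botocore's defaults apply.
    Raises ValueError when the CA bundle is unusable, instead of letting the
    problem surface later as a vague proxy connection error.
    """
    environ = os.environ if environ is None else environ
    proxy = environ.get("HTTPS_PROXY") or environ.get("https_proxy")
    if not proxy:
        return {}
    kwargs = {"proxies": {"https": proxy}}
    bundle = environ.get(CA_ENV)
    if bundle:
        try:
            with open(bundle, encoding="ascii", errors="replace") as fh:
                count = fh.read().count(PEM_MARKER)
        except OSError as exc:
            raise ValueError(f"{CA_ENV}={bundle!r} is not readable: {exc}") from exc
        if count == 0:
            raise ValueError(f"{CA_ENV}={bundle!r} contains no PEM certificates")
        # proxy_ca_bundle is the existing botocore proxies_config key that
        # this issue asks to have exposed.
        kwargs["proxies_config"] = {"proxy_ca_bundle": bundle}
    return kwargs


def s3_client(environ=None):
    """Create an S3 client that verifies the proxy's certificate with the bundle."""
    import boto3  # imported here so the helper above is usable without boto3
    from botocore.config import Config

    return boto3.client("s3", config=Config(**proxy_config_kwargs(environ)))
```

Because the bundle applies only to the proxy connection, the CA store used to verify the S3 endpoints themselves stays unmodified, unlike the cacerts.pem concatenation workaround.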