Hi,

I noticed that in 2.0.8 version, `CfnResource()` uses `ssl_verify=True` as the default value and feeds it into `boto3.client(verify=ssl_verify)`: https://github.com/aws-cloudformation/custom-resource-helper/blob/main/crhelper/resource_helper.py#L30

However, the default value in boto3 client is actually `verify=None`. And there's actually a difference regarding how boto3 interprets these values. Based on my experiment, the `boto3.client` `verify` param values are:

- `verify=None`: (Default) will do ssl verify, using default CA bundle, or the one from `AWS_CA_BUNDLE` environment variable if specified.
- `verify=True`: will do ssl verify, using default CA bundle, ignoring `AWS_CA_BUNDLE` env var.
- `verify=False`: will not do ssl verify.
- `verify=/path/to/ca_bundle`: will do ssl verify, using the path in this param, ignoring `AWS_CA_BUNDLE` env var.

With the current implementation in crhelper, if I want to use the CA bundle from the `AWS_CA_BUNDLE` env var, I have to explicitly call `CfnResource(ssl_verify=None)`, which is awkward. That's why I suggest crhelper to change the default value of ssl_verify to None to match the boto3 default value. Thanks!
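The four cases reported above, written as a small check that flags configurations where a private CA bundle is silently bypassed or verification is off. This is an added example, not code from the issue, crhelper or boto3; it models the behaviour the issue describes rather than calling boto3, and `resolve_verify`, `audit`, `DEFAULT` and the sample paths are hypothetical names.

```python
import os

DEFAULT = "default CA bundle"  # label used by this sketch only


def resolve_verify(verify, environ=None):
    """Return (tls_verified, ca_source) for a `verify` value.

    Models the four cases listed in the issue; it does not call boto3.
    """
    environ = os.environ if environ is None else environ
    if verify is False:
        return (False, None)                 # no certificate verification
    if verify is True:
        return (True, DEFAULT)               # AWS_CA_BUNDLE is ignored
    if verify is None:
        # Only the None default falls back to the environment variable.
        return (True, environ.get("AWS_CA_BUNDLE") or DEFAULT)
    if isinstance(verify, (str, os.PathLike)):
        return (True, os.fspath(verify))     # explicit path wins over env
    raise TypeError(f"unsupported verify value: {verify!r}")


def audit(verify, environ=None):
    """List findings for a wrapper that forwards `verify` to the client."""
    environ = os.environ if environ is None else environ
    verified, source = resolve_verify(verify, environ)
    findings = []
    if not verified:
        findings.append("certificate verification disabled")
    bundle = environ.get("AWS_CA_BUNDLE")
    if verified and bundle and source != bundle:
        findings.append("AWS_CA_BUNDLE is set but ignored")
    return findings


if __name__ == "__main__":
    env = {"AWS_CA_BUNDLE": "/etc/pki/corp-ca.pem"}  # constructed sample
    for value in (None, True, False, "/opt/other-ca.pem"):
        print(repr(value), resolve_verify(value, env), audit(value, env))
```

With a wrapper default of `True`, `audit` reports the ignored bundle whenever `AWS_CA_BUNDLE` is set; with a default of `None` it reports nothing.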