Aws-cli: Adding --no-verify-ssl option as part of the config file

@pabloariasmora, can I ask why you want to disable SSL? When you do that, all of your traffic between your client and the AWS services is no longer encrypted - a significant security risk in this day and age. How would turning it off all the time benefit you? Thanks!

Thanks for the reply @bisdavid

The problem is that there is a issue in the current office that I work on with the Proxy, it overrides de SSL certificates from AWS with ones provided by it (and is going to take a while to fix it), so my sam-cli cannot connect to deploy my code, because the login depends on the aws-cli, and the general process shows a SSL certificate issue. Since I'm using IntelliJ as IDE with the AWS Toolkit plugin, I don't have access control directly the flow for the deploy, but I do have access to the config files, so having an option in the config to recreate the same input as the args will help me out for now.

PD: I know that is a general security risk, but I was mainly thinking that since the options is already supported as arg, why not as a input from a config file.

@pabloariasmora - Thanks for posting this issue. I'm marking it as a feature request and needs-discussion as this is not best practice. I think the security risk out weighs the benefits and this is something we may not want to implement.

this feature should not disable SSL but just skipping the cert check for self-signed certs kind of scenarios... say your employer has an inline proxy for decrypting ssl traffic for Intellectual Property egress checking.

I think this would be useful for things like working with localstack and self-signed certs, CI/CD environments, etc.

As for security concerns, I think they are superfluous. My argument is that we already trust ~/.aws/credentials to be secure, and thus we can trust that a user is more than aware when they have gone out of their way to set this on a profile.

IMHO, we should really be exposing more of these flags in the configuration file.

My company is using man-in-the-middle proxy that intercepts SSL connection. I would like to have this feature as well so that I did not have to keep typing --no-verify-ssl

Another option is to trust the cert that is provided by my company inside Internet Explorer and Google Chrome

I am in need to use Java client to interact with my local Minio S3 instance. In this scenario, it is very useful to have this feature.

Its been a while, any buzz on this, anybody?

@bisdavid ping

Hi, @jacobisaliveandwell , I'm no longer the CLI writer (I'm working on AWS Organizations and AWS Resource Groups now), but I see that @justnance marked it as a feature request, so someone on the engineering team will be triaging this and considering it for a future release (I have no insight to that process, sorry).

@bisdavid No problem. Thanks for the response and congrats on the new team.

@jacobisaliveandwell how do you solve this problem before new patch?

@mikezang there is no solution other than setting this in a config. someone has to submit a PR or hope someone on the team picks this up