sam local invoke not using ca_bundle

See original GitHub issue

Description:

In #917 I understand that #1143 is intended as a fix. However, I am not able to locally invoke lambdas that need to pass through my local certificate.

Steps to reproduce:

sam local invoke SSLERRORtestlambda --debug --profile default

My template:

AWSTemplateFormatVersion: "2010-09-09"
Transform: "AWS::Serverless-2016-10-31"

Resources:
  SSLERRORtestlambda:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: test.list_clusters
      Runtime: python3.7
      Timeout: 50
      Policies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "elasticmapreduce:ListClusters"
            Resource: "*"

and test.py:

import boto3

def list_clusters(event, context):
    # Region and credentials come from the environment SAM injects into the
    # runtime container. The HTTPS call to the regional EMR endpoint is where
    # the CERTIFICATE_VERIFY_FAILED error below is raised.
    clusters = boto3.client('emr').list_clusters()
    print(clusters)

    return event

.aws/credentials:

[default]
region=eu-west-1
ca_bundle=/path_to_certificate/root_ca_certificate.crt

Observed result:

2021-03-05 11:28:46,237 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2021-03-05 11:28:46,238 | local invoke command is called
2021-03-05 11:28:46,241 | No Parameters detected in the template
2021-03-05 11:28:46,288 | 1 resources found in the stack 
2021-03-05 11:28:46,288 | No Parameters detected in the template
2021-03-05 11:28:46,313 | No Parameters detected in the template
2021-03-05 11:28:46,338 | Found Serverless function with name='SSLERRORtestlambda' and CodeUri='.'
2021-03-05 11:28:46,419 | Found one Lambda function with name 'SSLERRORtestlambda'
2021-03-05 11:28:46,419 | Invoking test.list_clusters (python3.7)
2021-03-05 11:28:46,419 | No environment variables found for function 'SSLERRORtestlambda'
2021-03-05 11:28:46,419 | Environment variables overrides data is standard format
2021-03-05 11:28:46,419 | Loading AWS credentials from session with profile 'default'
2021-03-05 11:28:46,434 | Resolving code path. Cwd=/Users/garciaja/test, CodeUri=.
2021-03-05 11:28:46,434 | Resolved absolute path to code is /Users/garciaja/test
2021-03-05 11:28:46,434 | Code /Users/garciaja/test is not a zip/jar file
2021-03-05 11:28:46,481 | Skip pulling image and use local one: amazon/aws-sam-cli-emulation-image-python3.7:rapid-1.18.1.

2021-03-05 11:28:46,481 | Mounting /Users/garciaja/test as /var/task:ro,delegated inside runtime container
2021-03-05 11:28:46,882 | Starting a timer for 50 seconds for function 'SSLERRORtestlambda'
START RequestId: 7d03e5c3-e091-4c12-9eab-dcb95f81454d Version: $LATEST
[ERROR] SSLError: SSL validation failed for https://eu-west-1.elasticmapreduce.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
END RequestId: 7d03e5c3-e091-4c12-9eab-dcb95f81454d
REPORT RequestId: 7d03e5c3-e091-4c12-9eab-dcb95f81454d	Init Duration: 0.38 ms	Duration: 13348.20 ms	Billed Duration: 13400 ms	Memory Size: 128 MB	Max Memory Used: 128 MB	
2021-03-05 11:29:01,219 | Cleaning all decompressed code dirs
2021-03-05 11:29:01,220 | Sending Telemetry: {'metrics': [{'commandRun': {'requestId': 'deb702e2-0848-44c9-9a1a-d72f83249717', 'installationId': 'e0400e43-63bf-46e8-b442-9a9d208ad761', 'sessionId': '32f4beef-ba1d-40d3-9546-ad8081421279', 'executionEnvironment': 'CLI', 'pyversion': '3.7.10', 'samcliVersion': '1.18.1', 'awsProfileProvided': True, 'debugFlagProvided': True, 'region': '', 'commandName': 'sam local invoke', 'duration': 14987, 'exitReason': 'success', 'exitCode': 0}}]}
2021-03-05 11:29:01,944 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out. (read timeout=0.1)
{"errorMessage": "SSL validation failed for https://eu-west-1.elasticmapreduce.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)", "errorType": "SSLError", "stackTrace": ["  File \"/var/task/test.py\", line 4, in list_clusters\n    clusters = boto3.client('emr').list_clusters()\n", "  File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n", "  File \"/var/runtime/botocore/client.py\", line 663, in _make_api_call\n    operation_model, request_dict, request_context)\n", "  File \"/var/runtime/botocore/client.py\", line 682, in _make_request\n    return self._endpoint.make_request(operation_model, request_dict)\n", "  File \"/var/runtime/botocore/endpoint.py\", line 102, in make_request\n    return self._send_request(request_dict, operation_model)\n", "  File \"/var/runtime/botocore/endpoint.py\", line 137, in _send_request\n    success_response, exception):\n", "  File \"/var/runtime/botocore/endpoint.py\", line 256, in _needs_retry\n    caught_exception=caught_exception, request_dict=request_dict)\n", "  File \"/var/runtime/botocore/hooks.py\", line 356, in emit\n    return self._emitter.emit(aliased_event_name, **kwargs)\n", "  File \"/var/runtime/botocore/hooks.py\", line 228, in emit\n    return self._emit(event_name, kwargs)\n", "  File \"/var/runtime/botocore/hooks.py\", line 211, in _emit\n    response = handler(**kwargs)\n", "  File \"/var/runtime/botocore/retryhandler.py\", line 183, in __call__\n    if self._checker(attempts, response, caught_exception):\n", "  File \"/var/runtime/botocore/retryhandler.py\", line 251, in __call__\n    caught_exception)\n", "  File \"/var/runtime/botocore/retryhandler.py\", line 277, in _should_retry\n    return self._checker(attempt_number, response, caught_exception)\n", "  File \"/var/runtime/botocore/retryhandler.py\", line 317, in __call__\n    caught_exception)\n", "  File \"/var/runtime/botocore/retryhandler.py\", line 223, in __call__\n    attempt_number, caught_exception)\n", "  File \"/var/runtime/botocore/retryhandler.py\", line 359, in _check_caught_exception\n    raise caught_exception\n", "  File \"/var/runtime/botocore/endpoint.py\", line 200, in _do_get_response\n    http_response = self._send(request)\n", "  File \"/var/runtime/botocore/endpoint.py\", line 269, in _send\n    return self.http_session.send(request)\n", "  File \"/var/runtime/botocore/httpsession.py\", line 281, in send\n    raise SSLError(endpoint_url=request.url, error=e)\n"]}
2021-03-05 11:29:01,944 | Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
2021-03-05 11:29:01,945 | Sending Telemetry: {'metrics': [{'runtimeMetric': {'requestId': 'ced7002a-44cc-485f-b554-cf34024021f6', 'installationId': 'e0400e43-63bf-46e8-b442-9a9d208ad761', 'sessionId': '32f4beef-ba1d-40d3-9546-ad8081421279', 'executionEnvironment': 'CLI', 'pyversion': '3.7.10', 'samcliVersion': '1.18.1', 'runtimes': ['python3.7']}}]}
2021-03-05 11:29:03,670 | HTTPSConnectionPool(host='aws-serverless-tools-telemetry.us-west-2.amazonaws.com', port=443): Read timed out. (read timeout=0.1)

Expected result:

list of emr clusters

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: macOS 10.15.7 (19H2)
  2. sam --version: SAM CLI, version 1.18.1
  3. AWS region: eu-west-1
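The debug log above shows SAM loading credentials from the profile and mounting CodeUri at /var/task, but nothing in it carries the profile's ca_bundle into the runtime container, and the host path in the profile would not resolve inside the container anyway. The script below is an added example (it is not code from the issue reporter or from SAM CLI) of the workaround the thread alludes to: copy the bundle under CodeUri so it is visible at /var/task, then hand the container path to the function through an env-vars file for `sam local invoke --env-vars`. It assumes that the CodeUri mount at /var/task matches the log above, that boto3/botocore honour the AWS_CA_BUNDLE environment variable (the env-var form of the ca_bundle setting), and that the env-vars file uses the {"LogicalId": {"VAR": "value"}} layout. The `certs` subdirectory, the placeholder PEM content and the temporary profile are constructed for the demo and are not from the original page.

```python
"""Stage a profile's ca_bundle into CodeUri and emit an env-vars file for
`sam local invoke --env-vars`. Added example, not part of the issue or of SAM CLI.
Assumes CodeUri is mounted at /var/task and that botocore reads AWS_CA_BUNDLE."""
import configparser
import json
import os
import shutil
import tempfile

CONTAINER_TASK_ROOT = "/var/task"  # where SAM mounts CodeUri (see debug log)
CERT_SUBDIR = "certs"              # assumed staging directory under CodeUri


def parse_ca_bundle(config_text, profile="default"):
    """Return the ca_bundle set for `profile`, or None.

    ~/.aws/credentials uses [name] headers; ~/.aws/config uses [profile name]
    for every profile except default. Both spellings are checked.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    for section in (profile, f"profile {profile}"):
        if parser.has_option(section, "ca_bundle"):
            return os.path.expanduser(parser.get(section, "ca_bundle"))
    return None


def read_ca_bundle(config_path, profile="default"):
    with open(config_path, encoding="utf-8") as fh:
        return parse_ca_bundle(fh.read(), profile)


def stage_ca_bundle(ca_bundle_host_path, code_dir):
    """Copy the bundle under CodeUri; return the path it has inside the container.
    The host path from the profile is meaningless there, hence the copy."""
    if not os.path.isfile(ca_bundle_host_path):
        raise FileNotFoundError(f"ca_bundle not found: {ca_bundle_host_path}")
    dest_dir = os.path.join(code_dir, CERT_SUBDIR)
    os.makedirs(dest_dir, exist_ok=True)
    name = os.path.basename(ca_bundle_host_path)
    shutil.copyfile(ca_bundle_host_path, os.path.join(dest_dir, name))
    return f"{CONTAINER_TASK_ROOT}/{CERT_SUBDIR}/{name}"


def build_env_vars(function_logical_id, container_ca_path):
    """Overrides for one function: botocore reads AWS_CA_BUNDLE, plain
    `requests` reads REQUESTS_CA_BUNDLE. Both replace, not extend, the trust
    store, so the bundle must contain the proxy's full issuing chain."""
    return {
        function_logical_id: {
            "AWS_CA_BUNDLE": container_ca_path,
            "REQUESTS_CA_BUNDLE": container_ca_path,
        }
    }


def prepare(config_path, profile, function_logical_id, code_dir, env_file):
    """Run the whole workaround and return the mapping written to env_file."""
    ca_bundle = read_ca_bundle(config_path, profile)
    if ca_bundle is None:
        raise ValueError(f"profile {profile!r} has no ca_bundle in {config_path}")
    container_path = stage_ca_bundle(ca_bundle, code_dir)
    env = build_env_vars(function_logical_id, container_path)
    with open(env_file, "w", encoding="utf-8") as fh:
        json.dump(env, fh, indent=2)
    return env


def demo():
    """Constructed sample input: a throwaway credentials file pointing at a
    placeholder PEM (not a real CA) and an empty CodeUri directory.
    Returns (env mapping, staged bundle path on the host, env-vars file path)."""
    root = tempfile.mkdtemp(prefix="sam-ca-")
    cert = os.path.join(root, "root_ca_certificate.crt")
    with open(cert, "w", encoding="utf-8") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER, constructed\n"
                 "-----END CERTIFICATE-----\n")
    credentials = os.path.join(root, "credentials")
    with open(credentials, "w", encoding="utf-8") as fh:
        fh.write(f"[default]\nregion=eu-west-1\nca_bundle={cert}\n")
    code_dir = os.path.join(root, "app")
    os.mkdir(code_dir)
    env_file = os.path.join(root, "env.json")
    env = prepare(credentials, "default", "SSLERRORtestlambda", code_dir, env_file)
    staged = os.path.join(code_dir, CERT_SUBDIR, "root_ca_certificate.crt")
    return env, staged, env_file


if __name__ == "__main__":
    env, staged, env_file = demo()
    print(json.dumps(env, indent=2))
    print(f"sam local invoke SSLERRORtestlambda --profile default --env-vars {env_file}")
```

Two caveats before relying on this. Check how your SAM CLI release treats `--env-vars`: some versions only apply overrides to variables already declared under `Environment: Variables:` in the template, in which case a placeholder `AWS_CA_BUNDLE` entry has to be added there. And keep the bundle out of the deployed configuration: pointing `AWS_CA_BUNDLE` at a corporate root is correct only while traffic goes through the intercepting proxy; a deployed function talks to AWS endpoints directly, whose chains do not terminate in that root, so the same setting would break every SDK call in production.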

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 4
  • Comments: 13 (5 by maintainers)

Top GitHub Comments

11 reactions
driverpt commented, May 7, 2021

Again… We already have that workaround in place; this works well if you have a couple of lambdas, but if you have dozens it's annoying.

Why not just add a --ca-bundle parameter to sam local invoke?

Locally it’s a development environment, I should have control over the development environment.

In this case our corporate proxy requires a custom CA from us, since it uses SSL certificate pinning to secure the connections.

So we would please like to have the option of passing the custom CA cert as a flag, or of using the one in the local profile in .aws/config.

5 reactions
driverpt commented, Feb 17, 2022

Any news on this one?
