Setting a number of additional security settings

[asylvest]

I've got an environment working properly with boto 2.38 where all the following settings are required (obviously I could have done the stuff in the ~/.boto file each time programmatically instead):

~/.boto file that contains...

ca_certificates_file = /path/to/cert.pem
endpoints_path = /path/to/endpoints.json

[ec2]
use-sigv4 = true

[s3]
use-sigv4 = true

Then when I connect, I need a security token, so I do...

boto.ec2.connect_to_region('regionName', security_token='*')

I'm trying to figure out how to do the equivalent with the C++ SDK. Tackling these one at a time...

1. ca_certificates_file: I may be just searching on the wrong stuff, but the only reference to CA certificates I can find is in the rds module. Is this supported in the C++ SDK currently for sqs, ec2, and s3?
2. endpoints_path: Looking at EC2Client::init(), I see that it calls EC2Endpoint::ForRegion() unless config.endpointOverride is populated. While the readme says not to alter the endpoint, it appears that just setting this string with what's in my endpoints.json for this service would do what I want (I do need to override the endpoint). Any reason this wouldn't work?
3. use-sigv4: This sets Signature Version 4 signing. In AWSAuthSigner, I see an AWSAuthV4Signer class. The EC2Client constructors appear to be using this... will I get Signature Version 4 signing by default then or is there anything else I need to do to enable this?
4. security_token: Rather than using the default credentials provider chain, it looks like I could construct AWSCredentials myself and pass this in right?
5. Is there an equivalent of a ~/.boto file for the C++ SDK to set some of these things? If not, doing this programmatically is no big deal.

Thanks for the help!

[prestomation]

Hi asylvest

1. We just defer to the TLS implementation on your system and don't currently support this override.
   Which platform are you on?
   We have an override used for the android tests for curl https://github.com/awslabs/aws-sdk-cpp/blob/b46c1f4c185ce64c4c6d2e85bfd04ca8c346c3af/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp#L174.

2.Yes, just set the endpointOverride.
3. aws-sdk-cpp ONLY supports sigv4. All new AWS services only support sigv4 and ALL AWS services support sigv4 in all regions so we have no reason to support older signing methods.

1. Yes, this is exactly the same as the other SDKS.
2. No, we currently have no dotfile overrides like boto. The only functionality like this we support is configuring credential profiles in the ~/.aws/credentials file.

In regards to 1, feel free to open an issue if this is a feature you require.

[asylvest]

Preston,

Thanks for all the info. I am on Linux (some chance I will care about Windows eventually but Linux is what matters for the medium term) and using libcurl with the SDK. I'm not very familiar with libcurl or CA certs in general but based on the override you pointed me to and a little Googling, are you saying I can do curl_easy_setopt(handle, CURLOPT_CAPATH, "/path/to/cert.pem") and curl will take care of this aspect? If so, the catch is that from what I see, m_curlHandleContainer is private in CurlHttpClient so I don't have any way to do this in my application code right (well, I guess I could hardcode it via TEST_CERT_PATH at SDK compile time)? No big deal - if you can verify that I'm following what you're saying, I'll recompile the SDK to use AWS_CA_BUNDLE to point to my cert, confirm I can get things working, and then put in a pull request. From what you're saying, sounds like this should be a one-liner (for the libcurl implementation at least).

[JonathanHenson]

You should get the ca stuff for free. Curl gives you bundle for free when
yoy install. You shouldn't need to override anything. Have you tried just
using the sdk and seeing what happens?
On Dec 7, 2015 8:07 PM, "Adam Sylvester" notifications@github.com wrote:

Preston,

Thanks for all the info. I am on Linux (some chance I will care about
Windows eventually but Linux is what matters for the medium term) and using
libcurl with the SDK. I'm not very familiar with libcurl or CA certs in
general but based on the override you pointed me to and a little Googling,
are you saying I can do curl_easy_setopt(handle, CURLOPT_CAPATH,
"/path/to/cert.pem") and curl will take care of this aspect? If so, the
catch is that from what I see, m_curlHandleContainer is private in
CurlHttpClient so I don't have any way to do this in my application code
right (well, I guess I could hardcode it via TEST_CERT_PATH at SDK
compile time)? No big deal - if you can verify that I'm following what
you're saying, I'll recompile the SDK to use AWS_CA_BUNDLE to point to my
cert, confirm I can get things working, and then put in a pull request.
From what you're saying, sounds like this should be a one-liner (for th e
libcurl implementation at least).

—
Reply to this email directly or view it on GitHub
#56 (comment).

[prestomation]

Yes you are correctly following what I'm saying, but lets make sure this is the correct thing for you to do.

We did not make this easy because you should not NEED to override the certs. Why do you need to override the cert bundle?

[asylvest]

After doing a lot of diagnosing and starting to write a very long detailed post here, I realized I was actually doing something else incorrectly here and that was the source of my connection problem. I am not quite sure how/where curl is picking my certs up from (I don't see them in the location where curl appears to be looking), but at this point I have a hello world application that can successfully query SQS, so I will remain blissfully ignorant of curl specifics and be happy at the end result. I assume the other AWS services will work very similarly but will post any follow-up issues/questions I run into.

Thanks for the help (and for putting the C++ SDK together!).