We are using a proxy + profile when using the aws s3
commands to browse our buckets in CLI.
export HTTPS_PROXY=https://ourproxyhost.com:3128
aws s3 ls s3://our_bucket/.../ --profile dev
And we can work with our buckets and objects fine.
Because I need to write Python code for this, I translated this using boto3:
# python 2.7.12
import boto3 # v1.5.18
from botocore.config import Config # v1.8.32
session = boto3.Session(profile_name='dev')
config = Config(proxies={'https': 'ourproxyhost.com:3128'})
s3 = session.resource('s3', config=config).meta.client
obj = s3.get_object(Bucket='our_bucket', Key='dir1/dir2/.../file')
What I get is this:
botocore.vendored.requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Why is this working in CLI, but not in Python?
botocore.vendored.requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
In most cases, the error above is related to the CA bundle being used for S3 connections.
Possible Resolution Steps:
1. Turn off SSL certificate validation:
s3 = boto3.client('s3', verify=False)
As mentioned in this boto3 documentation, this option turns off validation of SSL certificates but SSL protocol will still be used (unless use_ssl is False) for communication.
2. Check if you have the AWS_CA_BUNDLE env var set:
echo $AWS_CA_BUNDLE
or
export | grep AWS_CA_BUNDLE
3. Check if you have certifi installed in your Python env:
pip list | grep certifi
Depending on the output of the above command, you could be using a version of certifi (which is not a dependency of boto3) that has broken certificate validation when communicating with S3 endpoints.
You will need to upgrade your OpenSSL version or pin certifi to a stable version as shown below:
sudo pip uninstall certifi
sudo pip install certifi==2015.04.28
Hope this helps!
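An added example, not part of the answer above: checks 2 and 3 done from Python, plus passing an explicit CA bundle to boto3 as an alternative to verify=False. The `ca_bundle` profile key and the `verify=<path>` form are existing AWS CLI and boto3 settings; the sample config, the bundle path and the helper names are constructed for illustration, and the code targets Python 3.

```python
import configparser
import importlib.util
import os

# Constructed sample of ~/.aws/config; the bundle path is a placeholder.
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile dev]
region = us-east-1
ca_bundle = /etc/ssl/certs/corp-proxy-ca.pem
"""


def resolve_ca_bundle(profile, env, config_text):
    """Return (path, source) for the CA bundle, or (None, 'default')."""
    # Check 2 from the answer: the AWS_CA_BUNDLE environment variable.
    if env.get("AWS_CA_BUNDLE"):
        return env["AWS_CA_BUNDLE"], "env:AWS_CA_BUNDLE"
    # The same setting can live in the profile section as `ca_bundle`.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    section = "default" if profile == "default" else "profile " + profile
    if parser.has_option(section, "ca_bundle"):
        return parser.get(section, "ca_bundle"), "config:" + section
    return None, "default"


def certifi_installed():
    """Check 3 from the answer, without shelling out to pip."""
    return importlib.util.find_spec("certifi") is not None


def make_s3_client(profile, ca_path):
    """Build an S3 client that validates TLS against ca_path."""
    import boto3  # imported here so the checks above run without boto3
    session = boto3.Session(profile_name=profile)
    # verify takes a CA bundle path; None keeps the default validation.
    return session.client("s3", verify=ca_path)


if __name__ == "__main__":
    cfg = os.path.expanduser("~/.aws/config")
    text = open(cfg).read() if os.path.exists(cfg) else ""
    print(resolve_ca_bundle("dev", os.environ, text))
    print("certifi installed:", certifi_installed())
```
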