Session Manager Plugin does not honor AWS_CA_BUNDLE / --ca-bundle #68

Open
kjamieson-sdm opened this issue May 8, 2023 · 2 comments

@kjamieson-sdm

Unlike other AWS CLI commands, aws ssm start-session does not currently honor the AWS_CA_BUNDLE environment variable / --ca-bundle CLI option to override the CA certificate bundle used to verify SSL certificates. session-manager-plugin appears to always use the default system root CA certificate bundle regardless of these parameters.

@mam8270

mam8270 commented May 16, 2023

I'm running into this as well. It caused a bit of confusion since it isn't working like the rest of the AWS CLI.

(py39) bash-4.4$ cat errors.log 
2023-05-16 21:41:43 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority
2023-05-16 21:41:43 ERROR [OpenDataChannel @ sessionhandler.go.49] Retrying connection for data channel id: botocore-session-1684273292-0b849af47232a9d46 failed with error: failed to open data channel with error: x509: certificate signed by unknown authority
2023-05-16 21:41:43 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority
2023-05-16 21:41:44 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority
2023-05-16 21:41:44 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority
2023-05-16 21:41:45 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority
2023-05-16 21:41:47 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority
2023-05-16 21:41:50 ERROR [OpenConnection @ websocketutil.go.63] Failed to dial websocket: x509: certificate signed by unknown authority

@parolfe

parolfe commented Jan 24, 2024

The ssm command also does not respect the ca_bundle setting in ~/.aws/config. In our experience the only way to use a different set of CA certificates was to modify, e.g., /usr/local/aws-cli/v2/2.15.13/dist/awscli/botocore/cacert.pem.
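
Added example, not part of the issue thread and not the plugin's own code: one way a Go client can honor AWS_CA_BUNDLE when building the TLS config for its websocket dial, failing closed on an unreadable or empty bundle instead of silently using the system roots. `tlsConfigFromEnv` and `constructedCA` are hypothetical names, and treating the bundle as the complete trust store (replacing the system roots) is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// tlsConfigFromEnv (hypothetical helper) trusts only AWS_CA_BUNDLE when it is set (assumption).
func tlsConfigFromEnv() (*tls.Config, error) {
	var pool *x509.CertPool // nil RootCAs makes Go use the system roots
	if path := os.Getenv("AWS_CA_BUNDLE"); path != "" {
		data, err := os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("read AWS_CA_BUNDLE: %w", err)
		}
		if pool = x509.NewCertPool(); !pool.AppendCertsFromPEM(data) { // fail closed, no fallback
			return nil, fmt.Errorf("AWS_CA_BUNDLE %q: no usable PEM certificates", path)
		}
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool}, nil
}

// constructedCA returns a throwaway self-signed CA (constructed sample data) and its PEM form.
func constructedCA(cn string) (*x509.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	cfg, err := tlsConfigFromEnv()
	fmt.Println("custom roots:", err == nil && cfg.RootCAs != nil, "error:", err)
}
```

A certificate issued by a CA outside the loaded bundle fails verification with the same `x509: certificate signed by unknown authority` error seen in the log above; `constructedCA` exists only so the loader can be exercised offline.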
