Private certificate authorities, TLS-inspecting proxies, and internal HTTPS endpoints can make AWS CLI fail certificate validation even when the profile, Region, and service command are otherwise correct. Saving a custom CA bundle keeps TLS verification enabled while letting the CLI trust the certificate chain presented by the target endpoint.
The saved setting is ca_bundle in the shared AWS CLI config file. By default that file is ~/.aws/config on Linux and macOS and the matching shared config file under the current user profile on Windows, but AWS_CONFIG_FILE can redirect the CLI to another path. aws configure set writes the bundle path into the selected profile, creates the config file if needed, and does not make an AWS API call.
The AWS_CA_BUNDLE environment variable overrides the saved setting for the current shell, and the global --ca-bundle option overrides both for one command. aws configure get reads the stored config value only, so it does not show a shell-level override. The bundle file should be a readable PEM file that contains the root and intermediate certificates the endpoint needs, and --no-verify-ssl should stay limited to short troubleshooting because it disables certificate checks instead of fixing trust.
$ aws configure set ca_bundle /etc/ssl/certs/company-root-ca.pem --profile default
--profile default writes to [default] even when AWS_PROFILE is set in the current shell.
$ aws configure get ca_bundle --profile default
/etc/ssl/certs/company-root-ca.pem
aws configure get confirms the persistent file-backed value and does not show an AWS_CA_BUNDLE override from the current shell.
$ aws configure set ca_bundle /etc/ssl/certs/company-root-ca.pem --profile engineering
This writes ca_bundle = /etc/ssl/certs/company-root-ca.pem under [profile engineering] and leaves [default] unchanged.
$ aws configure get ca_bundle --profile engineering
/etc/ssl/certs/company-root-ca.pem
If the command prints nothing, that profile does not have a saved ca_bundle setting yet.
$ cat ~/.aws/config
[default]
ca_bundle = /etc/ssl/certs/company-root-ca.pem
[profile engineering]
ca_bundle = /etc/ssl/certs/company-root-ca.pem
If AWS_CONFIG_FILE is set, inspect that path instead of the default file location. On Windows, inspect the matching shared config file under the active user profile.
$ printenv AWS_CA_BUNDLE
/etc/ssl/certs/temporary-test-ca.pem
If this prints a path, the environment variable wins until it is unset or the shell exits. No output means the shell will use the saved ca_bundle value instead.
$ aws sts get-caller-identity --profile engineering --ca-bundle /tmp/test-root-ca.pem
The global --ca-bundle option overrides both the saved profile value and AWS_CA_BUNDLE for that one request.
$ aws sts get-caller-identity --profile engineering
Success looks like normal service output rather than SSL: CERTIFICATE_VERIFY_FAILED, x509: certificate signed by unknown authority, or a similar trust error.
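As an added example, not part of the original page or of the AWS CLI itself, the following shell script applies the precedence described above (the --ca-bundle option, then AWS_CA_BUNDLE, then the profile's saved ca_bundle) by scanning the shared config file directly, and checks that the resolved path is a readable PEM bundle. The config parsing is a minimal approximation written for this example, not the CLI's own resolver.

```shell
#!/bin/sh
# Added example: resolve which CA bundle the AWS CLI would use for a profile,
# following the precedence --ca-bundle > AWS_CA_BUNDLE > saved ca_bundle.
# The INI scan below is a simplified stand-in for the CLI's config loader.

# effective_ca_bundle PROFILE [CLI_OPTION_VALUE]
effective_ca_bundle() {
    profile=$1
    cli_opt=$2
    # 1. the global --ca-bundle option applies to one command only
    if [ -n "$cli_opt" ]; then echo "$cli_opt"; return 0; fi
    # 2. AWS_CA_BUNDLE applies to the current shell
    if [ -n "$AWS_CA_BUNDLE" ]; then echo "$AWS_CA_BUNDLE"; return 0; fi
    # 3. ca_bundle saved in the shared config file (AWS_CONFIG_FILE or ~/.aws/config)
    cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}
    # [default] has no "profile " prefix; every other section does
    if [ "$profile" = default ]; then section='[default]'; else section="[profile $profile]"; fi
    [ -r "$cfg" ] || return 1
    awk -v want="$section" '
        /^[ \t]*\[/ { sub(/[ \t]+$/, ""); in_section = ($0 == want); next }
        in_section && /^[ \t]*ca_bundle[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$cfg"
}

# check_pem_bundle PATH: readable file holding at least one PEM certificate block
check_pem_bundle() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: ./resolve-ca-bundle.sh [PROFILE] [CA_BUNDLE_OPTION_VALUE]
if bundle=$(effective_ca_bundle "${1:-default}" "$2"); then
    echo "effective ca_bundle: $bundle"
    check_pem_bundle "$bundle" || echo "warning: $bundle is not a readable PEM bundle" >&2
else
    echo "no CA bundle configured; the CLI falls back to its built-in trust store" >&2
fi
```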