If I create a certificate which is not signed by a CA which is embedded in the CA certificate store which ships with the AWS SDK, HTTPS requests to the AWS_CONTAINER_CREDENTIALS_FULL_URI endpoint will fail SSL verification because the certificate is not trusted, even if I specify the CA in AWS_CA_BUNDLE for the aws-cli or manually in the Go v2 SDK via WithCustomCABundle().
Expected behavior
CAs which are passed in to the AWS SDK configuration should be used to validate HTTPS requests to the endpoint defined by the AWS_CONTAINER_CREDENTIALS_FULL_URI variable.
Additional Details
I've tried this with both the aws-cli (Boto3 SDK) via the AWS_CA_BUNDLE environment variable as well as the Go v2 SDK, and neither works. The aws-cli will also fail to validate the certificate even when using the --no-verify-ssl and/or --ca-bundle flags.
Why this is necessary
I am the developer of aws-sso-cli, a tool for secure management of IAM role credentials that are issued via AWS Identity Center. I would like to make these user role credentials available by a variety of methods/use cases, and emulating the AWS ECS Server credential endpoint is part of that. For security, using SSL/TLS is obviously important, but it is not possible to get a public CA like Let's Encrypt or DigiCert to sign a certificate for localhost. Hence the need for the AWS SDK to be able to trust an additional, user-managed CA.
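The behaviour the issue asks for, shown end to end as an added example (not code from this issue, from aws-sso-cli, or from the AWS SDK): a local HTTPS endpoint on 127.0.0.1 serving an ECS-style credential document with a certificate issued by a user-managed CA, and a client that keeps verification switched on but trusts that CA, which is what an honoured custom CA bundle amounts to. The example deliberately uses only the Go standard library rather than aws-sdk-go-v2's config.WithCustomCABundle(), so it runs offline; the CA, the leaf certificate, the endpoint URL and the credential JSON are all constructed in-process, and the key and token values are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed body standing in for an ECS-style credential response; placeholder values only.
const fakeCredentialJSON = `{"AccessKeyId":"PLACEHOLDER_KEY_ID","SecretAccessKey":"PLACEHOLDER_SECRET","Token":"PLACEHOLDER_TOKEN"}`

// newLocalhostPKI creates an in-memory, user-managed CA plus a leaf certificate for
// 127.0.0.1/localhost signed by it. Keys are generated per run and never persisted.
func newLocalhostPKI() (*x509.Certificate, tls.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example user-managed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	return caCert, tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}, nil
}

// startCredentialServer serves the placeholder JSON over HTTPS on 127.0.0.1 with the
// given leaf certificate, playing the role of a locally emulated credential endpoint.
func startCredentialServer(leaf tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, fakeCredentialJSON)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	return srv
}

// fetchCredentials is the client side: verification stays on, and only the CAs in
// roots are trusted (nil means the system/default store, as the SDK behaves today).
func fetchCredentials(fullURI string, roots *x509.CertPool) (string, error) {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
	}
	resp, err := client.Get(fullURI)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs both cases against one endpoint: a client given the user-managed CA as its
// bundle (succeeds) and a client using only the default trust store (fails verification).
func Demo() (withBundle string, withBundleErr error, defaultStoreErr error) {
	caCert, leaf, err := newLocalhostPKI()
	if err != nil {
		return "", err, err
	}
	srv := startCredentialServer(leaf)
	defer srv.Close()
	bundle := x509.NewCertPool()
	bundle.AddCert(caCert) // the equivalent of handing the SDK a custom CA bundle
	withBundle, withBundleErr = fetchCredentials(srv.URL, bundle)
	_, defaultStoreErr = fetchCredentials(srv.URL, nil)
	return withBundle, withBundleErr, defaultStoreErr
}

func main() {
	body, okErr, failErr := Demo()
	fmt.Printf("with custom CA bundle: body=%s err=%v\n", body, okErr)
	fmt.Printf("default trust store only: err=%v\n", failErr)
}
```

The second fetch fails with an unknown-authority error rather than returning credentials, which is the failure the issue reports for the AWS_CONTAINER_CREDENTIALS_FULL_URI provider; the fix being requested is for the SDK's provider to build its transport with the configured bundle, as the first fetch does, instead of leaving verification off or falling back to the shipped store.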