Describe the bug
I have a service which synchronizes two buckets using the CDK. The source bucket is hosted using Ceph S3 with a custom CA. Therefore I specify AWS_CA_BUNDLE when opening the bucket. The target bucket is hosted in GS, nothing special here. My service opens the bucket in Ceph S3 first and then in GS. When using the GS bucket the following error message is shown:
Error: failed to list bucket: blob (code=Unknown):
Get "https://storage.googleapis.com/storage/v1/b/testbucket/o?alt=json&delimiter=&endOffset=&maxResults=1000&pageToken=&prefix=&prettyPrint=false&projection=full&startOffset=&versions=false":
oauth2: cannot fetch token: Post "https://oauth2.googleapis.com/token":
x509: certificate signed by unknown authority
I think the root cause is that both the AWS SDK and the Googleapis SDK use http.DefaultClient and/or http.DefaultTransport. The code loading the custom CA for AWS edits the http.DefaultTransport, and all subsequent usages of those DefaultClient/-Transport will use the custom CA, no matter if that is intended or not.
To Reproduce
Specify custom CA for AWS SDK using AWS_CA_BUNDLE
Open bucket connection to some bucket with s3://...
Open bucket connection to some bucket with gs://...
List GS bucket
Expected behavior
GS connection should not use custom CA.
Version
v0.25.0
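An added example, not part of the original report and not Go CDK or SDK code: one way to keep a private CA scoped to a single HTTP client so that the process-wide http.DefaultTransport keeps its system roots. The helper name clientWithCA and the local test server standing in for the private-CA S3 endpoint are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithCA (hypothetical helper) returns a client that trusts only the CAs
// in bundlePEM. It edits a clone, never the shared http.DefaultTransport.
func clientWithCA(bundlePEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, errors.New("CA bundle contains no usable certificate")
	}
	// Assumes http.DefaultTransport is still the stock *http.Transport.
	tr := http.DefaultTransport.(*http.Transport).Clone() // deep-copies TLS config
	if tr.TLSClientConfig == nil {
		tr.TLSClientConfig = &tls.Config{}
	}
	tr.TLSClientConfig.RootCAs = pool
	return &http.Client{Transport: tr}, nil
}

// demo uses a constructed local TLS server as a stand-in for the private-CA
// endpoint and returns the scoped client's status plus the default client's error.
func demo() (status int, defaultErr error, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	scoped, err := clientWithCA(bundle)
	if err != nil {
		return 0, nil, err
	}
	resp, err := scoped.Get(srv.URL)
	if err != nil {
		return 0, nil, err
	}
	resp.Body.Close()
	// The shared default client never learned the private CA, so it must refuse.
	_, defaultErr = http.Get(srv.URL)
	return resp.StatusCode, defaultErr, nil
}

func main() { fmt.Println(demo()) }
```

The scoped client reaches the private-CA server, while http.Get on the same URL fails certificate verification, which shows the default transport's trust store was left alone.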