
blob/: Connecting to AWS with AWS_CA_BUNDLE and GS afterwards fails #3148

Closed
jastBytes opened this issue Aug 1, 2022 · 3 comments

Comments

@jastBytes

Describe the bug

I have a service which synchronizes two buckets using the CDK. The source bucket is hosted using Ceph S3 with a custom CA. Therefore I specify AWS_CA_BUNDLE when opening the bucket. The target bucket is hosted in GS, nothing special here. My service opens the bucket in Ceph S3 first and then in GS. When using the GS bucket the following error message is shown:

Error: failed to list bucket: blob (code=Unknown):
Get "https://storage.googleapis.com/storage/v1/b/testbucket/o?alt=json&delimiter=&endOffset=&maxResults=1000&pageToken=&prefix=&prettyPrint=false&projection=full&startOffset=&versions=false":
oauth2: cannot fetch token: Post "https://oauth2.googleapis.com/token":
x509: certificate signed by unknown authority

I think the root cause is that both the AWS SDK and the Googleapis SDK use http.DefaultClient and/or http.DefaultTransport. The code loading the custom CA for AWS edits http.DefaultTransport, and all subsequent uses of DefaultClient/DefaultTransport will use the custom CA, whether that is intended or not.

To Reproduce

  1. Specify custom CA for AWS SDK using AWS_CA_BUNDLE
  2. Open bucket connection to some bucket with s3://...
  3. Open bucket connection to some bucket with gs://...
  4. List GS bucket

Expected behavior

GS connection should not use custom CA.

Version

v0.25.0

@jastBytes
Author

As a mitigation you can do the following between two OpenBucket calls:

// Reset the package-level defaults so later clients do not inherit custom CAs or other customized settings
http.DefaultClient = &http.Client{}
http.DefaultTransport = &http.Transport{}

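To make the leak in the bug report and the reset mitigation above concrete, here is an added Go example; it is not code from this issue, from gocloud.dev or from the AWS SDK, and every function name in it is the example's own. It builds a throwaway self-signed CA in memory as a constructed stand-in for the file AWS_CA_BUNDLE would point at, reproduces the global mutation of http.DefaultTransport that the report describes, adds a check a service can run before handing http.DefaultClient to a second provider, shows the reset from the comment above, and contrasts it with a per-client transport that keeps the custom roots isolated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// constructedCABundle builds a throwaway self-signed CA and returns it PEM-encoded.
// It is a constructed stand-in for the file AWS_CA_BUNDLE points at; no real CA is involved.
func constructedCABundle() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-private-ca (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// poolFromBundle parses a PEM bundle into a CertPool and fails loudly on an empty or
// malformed bundle instead of silently continuing with an empty pool.
func poolFromBundle(bundle []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, fmt.Errorf("CA bundle contains no parsable certificates")
	}
	return pool, nil
}

// applyCAToDefaultTransport reproduces the behaviour the issue describes: the custom
// root pool is written into the process-wide http.DefaultTransport, so every later
// user of http.DefaultClient (any SDK linked into the binary) inherits it.
func applyCAToDefaultTransport(pool *x509.CertPool) {
	t, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		return
	}
	if t.TLSClientConfig == nil {
		t.TLSClientConfig = &tls.Config{}
	}
	t.TLSClientConfig.RootCAs = pool
}

// defaultTransportHasCustomRoots is a cheap check to run before giving a second provider
// http.DefaultClient: true means earlier code replaced the system roots, and unrelated
// TLS connections will now fail with "certificate signed by unknown authority".
func defaultTransportHasCustomRoots() bool {
	t, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		return true // something already swapped in a non-stock transport
	}
	return t.TLSClientConfig != nil && t.TLSClientConfig.RootCAs != nil
}

// newIsolatedClient is the defensive pattern: clone the stock transport, attach the custom
// roots to the clone only, and hand that client to the one SDK that needs it.
func newIsolatedClient(pool *x509.CertPool) *http.Client {
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.TLSClientConfig = &tls.Config{RootCAs: pool}
	return &http.Client{Transport: t, Timeout: 30 * time.Second}
}

// resetDefaults is the mitigation from the thread: replace the globals so a later
// OpenBucket starts from stock settings. It also drops proxy, dialer and keep-alive
// tuning that anything else had applied to the old transport.
func resetDefaults() {
	http.DefaultClient = &http.Client{}
	http.DefaultTransport = &http.Transport{}
}

func main() {
	bundle, err := constructedCABundle()
	if err != nil {
		panic(err)
	}
	pool, err := poolFromBundle(bundle)
	if err != nil {
		panic(err)
	}
	applyCAToDefaultTransport(pool) // the leaky path
	fmt.Println("DefaultTransport carries custom roots:", defaultTransportHasCustomRoots())
	resetDefaults()
	fmt.Println("after resetDefaults:", defaultTransportHasCustomRoots())
	isolated := newIsolatedClient(pool)
	fmt.Println("isolated client has custom roots:", isolated.Transport.(*http.Transport).TLSClientConfig.RootCAs != nil)
	fmt.Println("DefaultTransport still stock:", !defaultTransportHasCustomRoots())
}
```

The per-client transport is the form to prefer in a service that talks to more than one provider: the Ceph S3 client gets the private CA, the GS client keeps the system roots, and nothing depends on call order. The reset works, but it throws away whatever else was configured on the old transport, so it is a stopgap for the ordering problem rather than a fix.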
@jastBytes
Author

I suspect this is basically a bug with the AWS SDK and not this CDK: aws/aws-sdk-go#4496

@vangent
Contributor

vangent commented Aug 1, 2022

I suspect this is basically a bug with the AWS SDK and not this CDK: aws/aws-sdk-go#4496

Yep, thanks!

@vangent vangent closed this as completed Aug 1, 2022