SSL validation failed when I'm using aws cli on windows

Question

I just installed aws cli on my pc, and I want to run a terraform script to build an instance. Here is the error message: Error refreshing state: AccessDenied: Access Denied status code: 403, request id:

I think it's a problem with the SSL certificate because when I do an aws s3 ls s3://MyBucketName --no-verify-ssl

How can I import the certificate? I didn't see any documentation about how we can configure aws cli on windows.

Thanks, John.

Answer 1

I doubt whether it's a ssl cert. problem. Try running

aws s3 ls

If it gives the following error -

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Then it's a ssl cert problem. Otherwise try these steps -

Delete the .terraform directory Place the access_key and secret_key under the backend block. like below given code

Run terraform init
  backend "s3" {
    bucket = "great-name-terraform-state-2"
    key    = "global/s3/terraform.tfstate"
    region = "eu-central-1"
    access_key = "<access-key>"
    secret_key = "<secret-key>"
  }
}

Should work.

In case it's an SLS cert problem, If you want to use SSL and not have to specify the --no-verify-ssl option, then you need to set the AWS_CA_BUNDLE environment variable. e.g from PowerShell:

setx AWS_CA_BUNDLE "C:\Users\UserX\Documents\RootCert.pem"

The PEM file is a saved copy of the root certificate for the AWS endpoint you are trying to connect to. To generate it, first export the certificate in DER format (For details on how to do this, see here. Then run the following command to convert to the PEM format:

openssl x509 -inform der -in "C:\Users\UserX\Documents\RootCert.der" -out RootCert.pem

If you are using Powershell and not bash, then you will need to first install openssl.

For a full list of environment variables supported by the AWS CLI, see here