Support custom SSL certificate bundles #5108

ntw-au opened this issue Mar 27, 2025 · 2 comments
Labels: type: config missing (Use when there is a request for update in config), type: feature request

Comments

ntw-au commented Mar 27, 2025

Describe the feature you'd like
Support custom SSL verification control in SageMaker Python SDK.

Boto3 supports the verify parameter when creating a client, which allows either disabling SSL verification or setting a custom certificate bundle. Alternatively, a custom certificate bundle can be set through the config file or by the AWS_CA_BUNDLE environment variable.

However, these are not exposed or respected by the SageMaker Python SDK. This prevents SageMaker code from being used behind some corporate firewalls.

The lack of this feature has been noted in #3656.

How would this feature be used? Please describe.
Corporate firewalls may re-encrypt an SSL connection with their own certificate. Unless this certificate is configured as a root certificate, SSL verification fails. This change will allow use of the SageMaker Python SDK behind such MITM-based firewalls.

Describe alternatives you've considered
N/A

Additional context
The specific error raised by SageMaker:

SSLError: SSL validation failed for https://sts.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1147)
benieric added the type: feature request and type: config missing labels Mar 27, 2025

benieric (Contributor) commented

Hi @ntw-au, thanks for posting this. I agree PySDK should have some better way to allow users to set such configurations for clients, but was wondering if you had tried using the ~/.aws/config for such configs if Env Var is not working?

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#using-a-configuration-file

ntw-au (Author) commented Mar 30, 2025

Thanks @benieric, I have tried the config file but haven't had any success. I've tried different variants of escaping, slash direction (noting that I'm on Windows) and quoting, but it never seems to use the setting.

[default]
ca_bundle = C:\Path\To\Certificate\Bundle.pem
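
Added example, not part of the issue thread and not SageMaker SDK or boto3 code: a standard-library diagnostic that reports which of the three settings named above (the `verify` argument, `AWS_CA_BUNDLE`, or `ca_bundle` in the config file) would supply the CA bundle, and whether that file loads as a trust store. The function names `resolve_ca_bundle` and `check_ca_bundle` are hypothetical, and Python's `configparser` stands in here for botocore's own config loader as an assumption.

```python
import configparser
import os
import ssl
from pathlib import Path

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def resolve_ca_bundle(verify=None, env=None, config_path=None, profile="default"):
    """Return (source, value) for the CA setting a boto3 client would pick up.

    Precedence as documented by boto3: explicit verify argument, then
    AWS_CA_BUNDLE, then ca_bundle in the shared config file.
    """
    env = os.environ if env is None else env
    if verify is not None:
        return "verify argument", verify
    if env.get("AWS_CA_BUNDLE"):
        return "AWS_CA_BUNDLE", env["AWS_CA_BUNDLE"]
    path = config_path or env.get("AWS_CONFIG_FILE") or Path.home() / ".aws" / "config"
    parser = configparser.RawConfigParser()  # raw: backslashes are kept as written
    parser.read(path)  # a missing file is skipped silently
    section = "default" if profile == "default" else f"profile {profile}"
    if parser.has_option(section, "ca_bundle"):
        return f"{path} [{section}]", parser.get(section, "ca_bundle")
    return "default trust store", True


def check_ca_bundle(value):
    """Return a list of problems with the resolved value; empty means usable."""
    if value is True:
        return []
    if value is False:
        return ["certificate verification is disabled"]
    bundle = Path(str(value)).expanduser()
    if not bundle.is_file():
        return [f"bundle not found: {bundle}"]
    if PEM_MARKER not in bundle.read_text(errors="replace"):
        return [f"no PEM certificate blocks in {bundle}"]
    try:
        ssl.create_default_context(cafile=str(bundle))  # parse check only, no network
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return [f"bundle does not load: {exc}"]
    return []


if __name__ == "__main__":
    source, value = resolve_ca_bundle()
    print(source, value, check_ca_bundle(value) or "ok")
```

The "bundle not found" message prints the path exactly as the parser read it, so stray quotes or escaping from the config file show up there.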
