From b21a9339890e6c2a20c4dd638763de8755c7c665 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Skrz=C4=99tnicki?=
 <krzysztof.skrzetnicki@goteleport.com>
Date: Mon, 18 Sep 2023 11:12:03 +0200
Subject: [PATCH] Support AWS_CA_BUNDLE for S3Getter

---
 get_s3.go | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/get_s3.go b/get_s3.go
index 94291947c..125fb6f3d 100644
--- a/get_s3.go
+++ b/get_s3.go
@@ -3,6 +3,7 @@ package getter
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -328,19 +329,34 @@ func (g *S3Getter) newS3Client(
 	region string, url *url.URL, creds *credentials.Credentials,
 ) (*s3.S3, error) {
 	var sess *session.Session
+	var err error
+
+	var customCABundle io.Reader
+	if bundlePath := os.Getenv("AWS_CA_BUNDLE"); bundlePath != "" {
+		customCABundle, err = os.Open(bundlePath)
+		if err != nil {
+			return nil, err
+		}
+	}
 
 	if profile := url.Query().Get("aws_profile"); profile != "" {
-		var err error
 		sess, err = session.NewSessionWithOptions(session.Options{
 			Profile:           profile,
 			SharedConfigState: session.SharedConfigEnable,
+			CustomCABundle:    customCABundle,
 		})
 		if err != nil {
 			return nil, err
 		}
 	} else {
 		config := g.getAWSConfig(region, url, creds)
-		sess = session.New(config)
+		sess, err = session.NewSessionWithOptions(session.Options{
+			Config:         *config,
+			CustomCABundle: customCABundle,
+		})
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	return s3.New(sess), nil