Deprecate Usage of `sslComonName` in Endpoint Creation
See original GitHub issueThe Problem
Currently when creating a service client, an sslCommonName
attribute may be used for endpoint construction in unique cases. The format of sslCommonName
is typically {region}.{service}.{dnsSuffix}
, as opposed to the more common {service}.{region}.{dnsSuffix}
. This usage originated from a time where Python versions (<2.7) didn’t supply an SSL module, requiring specific certificate formats.
Now that the library only support Python 3.7+, we’ll be deprecating the usage of sslCommonName
to standardize Boto3 with all other AWS SDKs. This will also resolve long running issues of services such as SQS and GuardDuty being incompatible with certain VPC endpoint configurations.
Required Actions
In the immediate term, we will start raising a deprecation warning when sslCommonName
is used. This is to alert customers of the upcoming change and provide time to make any required changes.
For most users, this will not require any changes. The URL will automatically update when the next minor version (1.29.0) is released, and clients will continue to operate the same. For any users with strict network rules, explicitly allow listing domains, you will need to add support for {service}.{region}.{dnsSuffix}
as demonstrated below:
Old Format: https://us-west-2.sqs.amazonaws.com New Format: https://sqs.us-west-2.amazonaws.com
Warning Mitigation Strategy
- If you wish to ensure that your application does not use
sslCommonName
now or test the impending deprecation, we have created a new environment variableBOTO_DISABLE_COMMONNAME
. Setting this totrue
will suppress the warning and convert to the newhostname
format. - If you are concerned about this change causing disruptions, you can pin your version of
botocore
to<1.29.0
until you are ready to migrate. - If you are only concerned about silencing the warning in your logs, use
warnings.filterwarnings
when instantiating a new service client.
import warnings
warnings.filterwarnings('ignore', category=FutureWarning, module='botocore.client')
Other Information
Endpoint Docs: https://docs.aws.amazon.com/general/latest/gr/rande.html Related Issues: https://github.com/boto/botocore/issues/2376, https://github.com/boto/boto3/issues/1900, https://github.com/boto/boto3/issues/3311, https://github.com/boto/botocore/issues/2683
Issue Analytics
- State:
- Created a year ago
- Reactions:9
- Comments:26 (12 by maintainers)
Top GitHub Comments
After conferring with the team,
BOTO_DISABLE_COMMNAME
will no longer be needed to suppress the deprecation warning for the NEXT minor version1.29.0
. That will be released in the near future. I’ve updated the issue accordingly.Resolving now that we’ve had botocore 1.29.x out for a couple weeks. Please feel free to let us know if you encounter any issues but the migration should be complete at this point.