fix: use awshttp.BuildableClient in NewAWSSDKHTTPClient to prevent panic in air-gapped regions (#3672)

haouc · haouc · commit aee32c6b77e5 · 2026-05-05T21:42:24.000Z
In air-gapped regions, the AWS SDK's resolveCustomCABundle() needs to inject
custom CA certificates via WithTransportOptions on the HTTP client. Using a
plain *http.Client causes a panic because it cannot be type-asserted to
*awshttp.BuildableClient.

The New() function already correctly uses awshttp.NewBuildableClient(), but
NewAWSSDKHTTPClient() (used by awsutils.go, ec2metadatawrapper.go,
ec2wrapper.go, and imds.go) still returned *http.Client.

Replace &amp;http.Client{Timeout: ...} with awshttp.NewBuildableClient().WithTimeout(...)
to preserve the BuildableClient type while still setting the timeout.

Panic: unable to add custom RootCAs HTTPClient, has no WithTransportOptions, *http.Client
diff --git a/pkg/awsutils/awssession/session.go b/pkg/awsutils/awssession/session.go
@@ -16,7 +16,6 @@ package awssession
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"os"
 	"strconv"
 	"time"
@@ -39,8 +38,10 @@ const (
 )
 
 // NewAWSSDKHTTPClient returns a new HTTP client with the configured AWS SDK timeout.
-func NewAWSSDKHTTPClient() *http.Client {
-	return &http.Client{Timeout: getHTTPTimeout()}
+// It returns *awshttp.BuildableClient (instead of *http.Client) so the SDK can
+// inject custom CA bundles via WithTransportOptions in air-gapped regions.
+func NewAWSSDKHTTPClient() *awshttp.BuildableClient {
+	return awshttp.NewBuildableClient().WithTimeout(getHTTPTimeout())
 }
 
 var (
@@ -62,7 +63,7 @@ func getHTTPTimeout() time.Duration {
 
 // New will return aws.Config to be used by Service Clients.
 func New(ctx context.Context) (aws.Config, error) {
-	httpClient := awshttp.NewBuildableClient().WithTimeout(getHTTPTimeout())
+	httpClient := NewAWSSDKHTTPClient()
 	optFns := []func(*config.LoadOptions) error{
 		config.WithHTTPClient(httpClient),
 		config.WithRetryMaxAttempts(maxRetries),
diff --git a/pkg/awsutils/awssession/session_test.go b/pkg/awsutils/awssession/session_test.go
@@ -55,11 +55,11 @@ func TestNew_SetsHTTPClientTimeout(t *testing.T) {
 func TestNewAWSSDKHTTPClient_SetsTimeout(t *testing.T) {
 	client := NewAWSSDKHTTPClient()
 	assert.NotNil(t, client)
-	assert.Equal(t, DefaultAWSSDKClientTimeout, client.Timeout)
+	assert.Equal(t, DefaultAWSSDKClientTimeout, client.GetTimeout())
 }
 
 func TestNewAWSSDKHTTPClient_RespectsEnv(t *testing.T) {
 	t.Setenv(httpTimeoutEnv, "20")
 	client := NewAWSSDKHTTPClient()
-	assert.Equal(t, 20*time.Second, client.Timeout)
+	assert.Equal(t, 20*time.Second, client.GetTimeout())
 }

Original file line number	Diff line number	Diff line change
`@@ -55,11 +55,11 @@ func TestNew_SetsHTTPClientTimeout(t *testing.T) {`
`55`	`55`	`func TestNewAWSSDKHTTPClient_SetsTimeout(t *testing.T) {`
`56`	`56`	`client := NewAWSSDKHTTPClient()`
`57`	`57`	`assert.NotNil(t, client)`
`58`		`- assert.Equal(t, DefaultAWSSDKClientTimeout, client.Timeout)`
	`58`	`+ assert.Equal(t, DefaultAWSSDKClientTimeout, client.GetTimeout())`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`func TestNewAWSSDKHTTPClient_RespectsEnv(t *testing.T) {`
`62`	`62`	`t.Setenv(httpTimeoutEnv, "20")`
`63`	`63`	`client := NewAWSSDKHTTPClient()`
`64`		`- assert.Equal(t, 20*time.Second, client.Timeout)`
	`64`	`+ assert.Equal(t, 20*time.Second, client.GetTimeout())`
`65`	`65`	`}`