Allow https container-credentials endpoints (#9988)

hssyoo · web-flow · commit 8b1b16e47fdb · 2026-01-16T11:32:02.000-05:00
diff --git a/.changes/next-release/enhancement-ContainerProvider-3097.json b/.changes/next-release/enhancement-ContainerProvider-3097.json
@@ -0,0 +1,5 @@
+{
+  "type": "enhancement",
+  "category": "ContainerProvider",
+  "description": "The ContainerProvider now works with arbitray HTTPS URLs for `AWS_CONTAINER_CREDENTIALS_FULL_URI`."
+}
diff --git a/awscli/botocore/utils.py b/awscli/botocore/utils.py
@@ -2919,6 +2919,9 @@ def retrieve_full_uri(self, full_url, headers=None):
 
     def _validate_allowed_url(self, full_url):
         parsed = botocore.compat.urlparse(full_url)
+
+        if parsed.scheme == 'https':
+            return
         if self._is_loopback_address(parsed.hostname):
             return
         is_whitelisted_host = self._check_if_whitelisted_host(parsed.hostname)
@@ -4181,7 +4184,9 @@ def build_dpop_header(private_key, uri, uid=None, ts=None):
     )
     signing_input = f"{header_b64}.{payload_b64}".encode()
     signature = private_key.sign(hashlib.sha256(signing_input).digest())
-    signature_bytes = EC.decode_der_signature_to_padded_pair(signature, pad_to=32)
+    signature_bytes = EC.decode_der_signature_to_padded_pair(
+        signature, pad_to=32
+    )
     signature_b64 = base64_url_encode_no_padding(signature_bytes)
 
     return f"{header_b64}.{payload_b64}.{signature_b64}"
diff --git a/tests/unit/botocore/test_utils.py b/tests/unit/botocore/test_utils.py
@@ -2719,17 +2719,17 @@ def test_can_use_loopback_v6_uri(self):
     def test_link_local_http_is_not_allowed(self):
         self.assert_host_is_not_allowed('http://169.254.0.1/foo')
 
-    def test_link_local_https_is_not_allowed(self):
-        self.assert_host_is_not_allowed('https://169.254.0.1/foo')
+    def test_can_use_link_local_https(self):
+        self.assert_can_retrieve_metadata_from('https://169.254.0.1/foo')
 
     def test_non_link_local_nonallowed_url(self):
         self.assert_host_is_not_allowed('http://169.1.2.3/foo')
 
     def test_error_raised_on_nonallowed_url(self):
         self.assert_host_is_not_allowed('http://somewhere.com/foo')
 
-    def test_external_host_not_allowed_if_https(self):
-        self.assert_host_is_not_allowed('https://somewhere.com/foo')
+    def test_can_use_external_host_if_https(self):
+        self.assert_can_retrieve_metadata_from('https://somewhere.com/foo')
 
 
 class TestUnsigned(unittest.TestCase):
