Overview
Some self-managed environments reach their S3-compatible object storage through TLS that is not signed by a public certificate authority — for example:- An S3-compatible endpoint (MinIO, ECS, StorageGRID, etc.) serving a certificate issued by a private or corporate CA
- A TLS-inspecting egress proxy that re-signs traffic to AWS S3 with a corporate CA
AWS_CA_BUNDLE environment variable.
Requires LILT release 6.1 or later. Earlier releases ignore
AWS_CA_BUNDLE on the neural S3 client.Why not SSL_ENABLED?
The SSL_ENABLED switch exists, but it is a shared switch: enabling it also forces application-level TLS on the Redis and RabbitMQ connections. On deployments where the service mesh already secures pod-to-pod traffic (Istio ambient mode), that breaks Redis and RabbitMQ connectivity. AWS_CA_BUNDLE scopes the custom CA to S3 only and leaves everything else untouched.
Configuration
Neural services deploy via the sharedlilt-application chart, so the wiring is a plain environment variable plus a volume mount on each neural service block in lilt/values.yaml:
env / volumes / volumeMounts block for every neural service that talks to S3 (translatev4, updatev4, update-managerv4, langid, routing, batchv4, batch-worker-gpuv4, batch-worker-cpu-3pmt, automqm, alignment, tag-projection, nncache, and the vLLM/Whisper inference services), then run the installer as usual.
Requirements and behavior
- The file must be a complete CA bundle. A path in
AWS_CA_BUNDLEreplaces the AWS SDK’s default trust store rather than extending it. Concatenate the public root CAs your endpoint chain needs (for AWS S3, the public AWS roots) together with your private CA into one PEM file. - Use a CA certificate, not a client certificate. Pointing
AWS_CA_BUNDLEat a client cert such astls.crtproduces a trust store that can verify nothing. - Plain-HTTP endpoints ignore it. If your S3 endpoint URL is
http://(the default in-cluster MinIO wiring), there is no TLS handshake andAWS_CA_BUNDLEhas no effect. It only matters forhttps://endpoints. - Leave it unset on EKS. EKS deployments reach AWS S3 directly, and those certificates verify against the default trust store. Setting
AWS_CA_BUNDLEthere would only narrow trust. SSL_ENABLEDtakes precedence. IfSSL_ENABLED=truewithVERIFY_IDENTITYis configured, the neural services use/certs/client/ca.crtfrom that configuration andAWS_CA_BUNDLEis not consulted.
Related pages
- Using S3 instead of MinIO — switching object storage backends
- Set Custom Domain And Certificates — TLS certificates for LILT’s own ingress (a separate concern from S3 egress trust)

