One way or another you must tell boto3 in which region you wish the kms client to be created. This could be done explicitly using the region_name parameter as in:

kms = boto3.client('kms', region_name='us-west-2')

or you can have a default region associated with your profile in your ~/.aws/config file as in:

[default]
region=us-west-2

or you can use an environment variable as in:

export AWS_DEFAULT_REGION=us-west-2

but you do need to tell boto3 which region to use.

I found a solution to this when trying to mock a different method for the S3 client

import botocore
from mock import patch
import boto3

orig = botocore.client.BaseClient._make_api_call

def mock_make_api_call(self, operation_name, kwarg):
    if operation_name == 'DescribeTags':
        # Your Operation here!
        print(kwarg)
    return orig(self, operation_name, kwarg)

with patch('botocore.client.BaseClient._make_api_call', new=mock_make_api_call):
    client = boto3.client('ec2')
    # Calling describe tags will perform your mocked operation e.g. print args
    e = client.describe_tags()

Hope it helps :)

This was fixed in boto3 1.14.

So given you have a profile like this in your ~/.aws/config:

[profile sso_profile]
sso_start_url = <sso-url>
sso_region = <sso-region>
sso_account_id = <account-id>
sso_role_name = <role>
region = <default region>
output = <default output (json or text)>

And then login with $ aws sso login --profile sso_profile

You will be able to create a session:

import boto3
boto3.setup_default_session(profile_name='sso_profile')
client = boto3.client('<whatever service you want>')

As of at least version 1.5.79, botocore accepts a proxies argument in the botocore config.

e.g.

import boto3
from botocore.config import Config

boto3.resource('s3', config=Config(proxies={'https': 'foo.bar:3128'}))

boto3 resourcehttps://boto3.readthedocs.io/en/latest/reference/core/session.html#boto3.session.Session.resource

botocore confighttps://botocore.readthedocs.io/en/stable/reference/config.html#botocore.config.Config

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate is because Python ssl library can't find certificates on your local machine to verify against.

One way to debug is to see if you have your ca_bundle set to something else:

python -c "from botocore.session import Session; print(Session().get_config_variable('ca_bundle'))"

If it doesn't print anything, then it uses default path. You can check default path by:

python -c "import ssl; print(ssl.get_default_verify_paths())"

If ca_bundle prints something, then it's set by AWS_CA_BUNDLE environment variable or by aws configure set default.ca_bundle <some path> in the past. Also check ~/.aws/config if you accidentally setting it there (config file location for Windows: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).

Install Certificates.command is basically a Python script that you can run yourself https://gist.github.com/marschhuynh/31c9375fc34a3e20c2d3b9eb8131d8f3 . Save as install-cert.py and run it python install-cert.py