If it is as simple as a permission issue, check out placing the CA pem file to anything considerably less restrictive like so: When you've got proxy additional to the ec2 devices and it can be in non-public subnet that has a S3 vpc-endpoint hooked up. I had been obtaining the similar mistake.