refactor: replace from awsiot-credentialhelper[security]#135
| # ------ credential fetching ------ # | ||
| # | ||
| # AWS IoT Core Credential Provider API: | ||
| # https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html |
This sequence follows the official spec: making an HTTPS request to the credentials provider to get a security token.
| def _build_tls_context_from_path( | ||
| cert_path: str, | ||
| key_path: str, | ||
| ) -> TlsContextOptions: | ||
| """Build TLS context options using plain certificate/key files.""" | ||
| return TlsContextOptions.create_client_with_mtls_from_path( | ||
| cert_filepath=cert_path, | ||
| pk_filepath=key_path, | ||
| ) | ||
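Review bot: `_build_tls_context_from_path` hands `cert_path` and `key_path` straight to `create_client_with_mtls_from_path`, so a missing or unreadable key file surfaces as an awscrt error that is unlikely to say which of the two paths was wrong. Suggest checking that both files are readable (or wrapping the awscrt exception) and naming the offending path in the error, since a misconfigured device will hit this before anything else.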
| def _build_tls_context_pkcs11( | ||
| cert_pem: bytes, | ||
| pkcs11_cfg: PKCS11Config, | ||
| private_key_label: Optional[str] = None, | ||
| ) -> TlsContextOptions: | ||
| """Build TLS context options using PKCS#11 for private key operations.""" | ||
| return TlsContextOptions.create_client_with_mtls_pkcs11( | ||
| pkcs11_lib=Pkcs11Lib(file=pkcs11_cfg.pkcs11_lib), | ||
| user_pin=pkcs11_cfg.user_pin, | ||
| slot_id=int(pkcs11_cfg.slot_id), | ||
| token_label=None, # type: ignore[arg-type] | ||
| private_key_label=private_key_label, # type: ignore[arg-type] | ||
| cert_file_path=None, # type: ignore[arg-type] | ||
| cert_file_contents=cert_pem, | ||
| ) |
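Review bot: the three `# type: ignore[arg-type]` comments on `token_label=None`, `private_key_label=private_key_label` and `cert_file_path=None` suppress whatever mismatch the stubs report rather than resolving it; if the installed awscrt declares these parameters as Optional the ignores are dead weight, and if it does not, a real signature problem is being hidden. Suggest either pinning to an awscrt whose annotations accept these values or adding a one-line comment saying why the ignores are needed. Separately, `slot_id=int(pkcs11_cfg.slot_id)` raises a bare `ValueError` on a non-numeric slot id from the config; a check that reports the bad config value would be friendlier.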
The differences between File and PKCS#11 are limited to two functions. Suggest simply separating the functions rather than introducing an abstract base class.
| credential_url: str, | ||
| ) -> Dict[str, Any]: | ||
| """Parse credential provider response, raising on non-200 status.""" | ||
| if response_status != HTTPStatus.OK: |
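Review bot: the non-200 branch at `if response_status != HTTPStatus.OK:` should carry the status code (and the provider's short error message) in whatever it raises, so a caller can tell an authorization failure such as 403 from a transient 5xx that is worth retrying; the visible lines do not show what is raised. The provider's error body is safe to include, whereas a 200 body is not, because it contains the secret key.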
This condition (only 200) follows the original implementation in awsiot-credentialhelper.
| "access_key": "AKIAIOSFODNN7EXAMPLE", | ||
| "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", | ||
| "token": "FwoGZXIvYXdzEBY...", | ||
| "expiry_time": "2099-01-01T00:00:00Z", |
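Review bot: with `"expiry_time": "2099-01-01T00:00:00Z"` the fixture can never trigger the expiry or refresh path, so that logic stays untested; suggest a second fixture with an expiry in the past (or a few seconds ahead) to cover it. The truncated `"token": "FwoGZXIvYXdzEBY..."` is fine as long as no test parses the token itself.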
These test keys are used in the official documentation as references; no security risk.
https://docs.aws.amazon.com/sdkref/latest/guide/feature-static-credentials.html
| ] | ||
| dependencies = [ | ||
| "aiohttp>=3.10.11,<3.14", | ||
| "awsiot-credentialhelper>=0.6,<1.1", |
| dependencies = [ | ||
| "aiohttp>=3.10.11,<3.14", | ||
| "awsiot-credentialhelper>=0.6,<1.1", | ||
| "awscrt>=0.16.9,<0.32", |
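Review bot: both dependency blocks still list `"awsiot-credentialhelper>=0.6,<1.1"` next to the new `"awscrt>=0.16.9,<0.32"`. If this PR replaces the helper, the archived package and the transitive pins it drags in should be dropped here; keeping both leaves the project depending on an unmaintained library it no longer calls.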
| # botocore | ||
| urllib3==1.26.20 ; python_full_version < '3.10' | ||
| # via botocore | ||
| urllib3==2.6.3 ; python_full_version >= '3.10' |
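Review bot: the lock keeps two urllib3 lines, `urllib3==1.26.20` for `python_full_version < '3.10'` and `urllib3==2.6.3` for `>= '3.10'`. The comment below says the new version resolves the vulnerability, so please confirm either that 1.26.20 also carries the fix or that the project no longer supports Python below 3.10; otherwise the older branch stays exposed.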
This version resolves the vulnerability.
9c092cc to 084547d
Bodong-Yang
left a comment
Thank you for the PR, LGTM!



Why
https://tier4.atlassian.net/browse/T4DEV-45348
https://tier4.atlassian.net/browse/T4DEV-45347
https://tier4.atlassian.net/browse/T4DEV-45345
The awsiot_credentialhelper repository was archived without addressing this issue: https://github.com/awslabs/aws-iot-core-credential-provider-session-helper
What
Implement functionality equivalent to awsiot_credentialhelper based on https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html, replacing the awsiot_credentialhelper dependency with awscrt for HTTPS communication for both file and TPM (PKCS#11).
Tests
On the VM, verified that the otaclient logs were successfully sent to CloudWatch in both the file-based and TPM (PKCS#11) cases.
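The piece of the helper that is easiest to get wrong is turning the credential provider's HTTP response into usable credentials: only a 200 counts as success, the error body must not leak a secret, and the expiry must drive refresh. The following is an added example written for this review, not code from this PR or from awsiot_credentialhelper. It assumes the documented response shape (`{"credentials": {"accessKeyId", "secretAccessKey", "sessionToken", "expiration"}}`) and maps it onto the `access_key`/`secret_key`/`token`/`expiry_time` dict used in the PR's tests; the function and exception names, and the sample bodies, are this example's own.

```python
"""Added example (not the PR's code): parse an AWS IoT Core credential provider
response and decide when the credential needs refreshing.

Assumptions: the documented response shape (credentials.accessKeyId,
secretAccessKey, sessionToken, expiration in %Y-%m-%dT%H:%M:%SZ); all names
below are hypothetical and the sample bodies are constructed.
"""
import json
from datetime import datetime, timedelta, timezone
from http import HTTPStatus
from typing import Any, Dict, Optional, Tuple


class CredentialProviderError(RuntimeError):
    """Raised when the credential provider does not return usable credentials."""


def parse_credential_response(status: int, body: bytes) -> Dict[str, Any]:
    """Map a credential-provider HTTP response onto the PR's credential dict.

    Only HTTP 200 is accepted, matching the original helper. The error for any
    other status carries the status code and the provider's message so that a
    caller can tell a 403 (role alias or policy problem) from a retryable 5xx.
    """
    if status != HTTPStatus.OK:
        # Error bodies are short JSON messages, never credentials, so it is
        # safe to surface them in the exception text.
        try:
            message = json.loads(body).get("message", "")
        except (ValueError, AttributeError):
            message = body[:200].decode("utf-8", "replace")
        raise CredentialProviderError(f"credential provider returned {status}: {message}")

    try:
        creds = json.loads(body)["credentials"]
        return {
            "access_key": creds["accessKeyId"],
            "secret_key": creds["secretAccessKey"],
            "token": creds["sessionToken"],
            "expiry_time": creds["expiration"],
        }
    except (ValueError, KeyError, TypeError) as exc:
        # Deliberately do not echo the body: on a 200 it contains the secret key.
        raise CredentialProviderError(f"malformed credential response: {exc!r}") from exc


def parse_or_error(status: int, body: bytes) -> Tuple[Optional[Dict[str, Any]], Optional[str]]:
    """Convenience wrapper: (credential, None) on success, (None, message) on failure."""
    try:
        return parse_credential_response(status, body), None
    except CredentialProviderError as exc:
        return None, str(exc)


def parse_utc(timestamp: str) -> datetime:
    """Parse the provider's expiration format into an aware UTC datetime."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_refresh(credential: Dict[str, Any], now: Optional[datetime] = None,
                  margin: timedelta = timedelta(minutes=5)) -> bool:
    """True when the credential has expired or expires within `margin` of `now`.

    The margin keeps a long-running log shipper from using a credential that
    will expire mid-request.
    """
    now = now or datetime.now(timezone.utc)
    return parse_utc(credential["expiry_time"]) - now <= margin


# Constructed sample bodies; the keys are the documented AWS example values.
SAMPLE_OK_BODY = json.dumps({
    "credentials": {
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "sessionToken": "FwoGZXIvYXdzEBY...",
        "expiration": "2099-01-01T00:00:00Z",
    }
}).encode()

SAMPLE_DENIED_BODY = b'{"message":"Access Denied"}'  # constructed 403 body


if __name__ == "__main__":
    cred = parse_credential_response(200, SAMPLE_OK_BODY)
    print(cred["access_key"], "refresh needed:", needs_refresh(cred))
    _, err = parse_or_error(403, SAMPLE_DENIED_BODY)
    print(err)
```

The refresh margin is the piece worth tuning per deployment: the provider hands out credentials with a bounded lifetime, and a shipper that checks expiry only at the moment it sends a batch will occasionally race the expiry, so the check subtracts a margin rather than comparing against the exact timestamp.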