aws · TwistedTwigleg · Feb 2, 2023 · Oct 19, 2022 · Oct 19, 2022 · Oct 19, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -24,6 +24,7 @@ env:
   CI_JOBS_ROLE: ${{ secrets.AWS_CI_JOBS_ROLE }}
   CI_FLEET_PROVISIONING_ROLE: ${{ secrets.AWS_CI_FLEET_PROVISIONING_ROLE }}
   CI_DEVICE_ADVISOR: ${{ secrets.AWS_CI_DEVICE_ADVISOR_ROLE }}
+  CI_X509_ROLE: ${{ secrets.AWS_CI_X509_ROLE }}
 
 jobs:
   linux-compat:
@@ -301,3 +302,11 @@ jobs:
           Sample_UUID=$(python3  -c "import uuid; print (uuid.uuid4())")
           python3 ./utils/run_sample_ci.py --language Java --sample_file 'samples/Identity' --sample_region ${{ env.AWS_DEFAULT_REGION }} --sample_secret_endpoint 'ci/endpoint' --sample_secret_certificate 'ci/FleetProvisioning/cert' --sample_secret_private_key 'ci/FleetProvisioning/key' --sample_arguments "--template_name CI_FleetProvisioning_Template --template_parameters '{SerialNumber:${Sample_UUID}}'" --sample_main_class 'identity.FleetProvisioningSample'
           python3 utils/delete_iot_thing_ci.py --thing_name "Fleet_Thing_${Sample_UUID}" --region "us-east-1"
+      - name: configure AWS credentials (X509)
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ env.CI_X509_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run X509 sample
+        run: |
+          python3 ./utils/run_sample_ci.py --language Java --sample_file 'samples/X509CredentialsProviderConnect' --sample_region ${{ env.AWS_DEFAULT_REGION }} --sample_secret_endpoint 'ci/endpoint' --sample_secret_certificate_x509 'ci/PubSub/cert' --sample_secret_private_key_x509 'ci/PubSub/key' --sample_secret_ca_x509 'ci/PubSub/ca' --sample_secret_endpoint_x509 'ci/X509/endpoint_credentials' --sample_secret_alias_x509 'ci/X509/alias' --sample_arguments '--signing_region us-east-1 --x509_thing_name CI_PubSub_Thing' --sample_main_class 'x509credentialsproviderconnect.X509CredentialsProviderConnect'
diff --git a/samples/README.md b/samples/README.md
@@ -6,6 +6,7 @@
 * [Pkcs11 Connect](#pkcs11-connect)
 * [Raw Connect](#raw-connect)
 * [WindowsCert Connect](#windowscert-connect)
+* [X509 Connect](#x509-credentials-provider-connect)
 * [CustomAuthorizer Connect](#custom-authorizer-connect)
 * [CustomKeyOperationPubSub](#custom-key-operations-pubsub)
 * [Shadow](#shadow)
@@ -369,6 +370,54 @@ Your Thing's [Policy](https://docs.aws.amazon.com/iot/latest/developerguide/iot-
 </pre>
 </details>
 
+## x509 Credentials Provider Connect
+
+This sample is similar to the [Basic Pub-Sub](#basic-pub-sub), but the connection uses a X.509 certificate
+to source the AWS credentials when connecting.
+
+See the [Authorizing direct calls to AWS services using AWS IoT Core credential provider](https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html) page for instructions on how to setup the IAM roles, the trust policy for the IAM roles, how to setup the IoT Core Role alias, and how to get the credential provider endpoint for your AWS account.
+
+source: `samples/X509CredentialsProviderConnect`
+
+To run the x509 Credentials Provider Connect sample use the following command:
+
+``` sh
+mvn compile exec:java -pl samples/X509CredentialsProviderConnect "-Dexec.mainClass=x509credentialsproviderconnect.X509CredentialsProviderConnect" -Dexec.args=' --endpoint <endpoint> --ca_file <path to root CA> --signing_region <signing region> --x509_ca_file <path to x509 CA> --x509_cert <path to x509 cert> --x509_endpoint <x509 credentials endpoint> --x509_key <path to x509 key> --x509_role_alias <alias> -x509_thing_name <thing name>'
+```
+
+To run the sample using the latest SDK release:
+
+``` sh
+mvn -P latest-release compile exec:java -pl samples/X509CredentialsProviderConnect "-Dexec.mainClass=x509credentialsproviderconnect.X509CredentialsProviderConnect" -Dexec.args=' --endpoint <endpoint> --ca_file <path to root CA> --signing_region <signing region> --x509_ca_file <path to x509 CA> --x509_cert <path to x509 cert> --x509_endpoint <x509 credentials endpoint> --x509_key <path to x509 key> --x509_role_alias <alias> -x509_thing_name <thing name>'
+```
+
+Your Thing's [Policy](https://docs.aws.amazon.com/iot/latest/developerguide/iot-policies.html) must provide privileges for this sample to connect. Make sure your policy allows a client ID of `test-*` to connect or use `--client_id <client ID here>` to send the client ID your policy supports.
+
+<details>
+<summary>(see sample policy)</summary>
+<pre>
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Connect"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:client/test-*"
+      ]
+    },
+    {
+      "Effect":"Allow",
+      "Action":"iot:AssumeRoleWithCertificate",
+      "Resource":"arn:aws:iot:<b>region</b>:<b>account</b>:rolealias/<b>role-alias</b>"
+    }
+  ]
+}
+</pre>
+</details>
+
 ## Custom Authorizer Connect
 
 This sample makes an MQTT connection and connects through a [Custom Authorizer](https://docs.aws.amazon.com/iot/latest/developerguide/custom-authentication.html). On startup, the device connects to the server and then disconnects. This sample is for reference on connecting using a custom authorizer.

diff --git a/samples/Utils/CommandLineUtils/utils/commandlineutils/CommandLineUtils.java b/samples/Utils/CommandLineUtils/utils/commandlineutils/CommandLineUtils.java
@@ -135,7 +135,7 @@ public void addCommonX509Commands()
     {
         registerCommand(
             m_cmd_x509_role, "<str>", "Role alias to use with the x509 credentials provider (required for x509)");
-        registerCommand(m_cmd_x509_endpoint, "<str>", "Endpoint to fetch x509 credentials from (required for x509)");
+        registerCommand(m_cmd_x509_endpoint, "<str>", "The credentials endpoint to fetch x509 credentials from (required for x509)");
         registerCommand(
             m_cmd_x509_thing_name, "<str>", "Thing name to fetch x509 credentials on behalf of (required for x509)");
         registerCommand(
@@ -167,7 +167,7 @@ public MqttClientConnection buildCustomKeyOperationConnection(
             buildConnectionSetupCAFileDefaults(builder);
             buildConnectionSetupConnectionDefaults(builder, callbacks);
             buildConnectionSetupProxyDefaults(builder);
-            
+
             MqttClientConnection conn = builder.build();
             builder.close();
             return conn;
@@ -250,6 +250,7 @@ public MqttClientConnection buildWebsocketX509MQTTConnection(MqttClientConnectio
 
             MqttClientConnection conn = builder.build();
             builder.close();
+            provider.close();
             return conn;
 
         } catch (CrtRuntimeException ex) {

diff --git a/utils/run_sample_ci.py b/utils/run_sample_ci.py
@@ -17,6 +17,7 @@
     current_folder += "/"
 tmp_certificate_file_path = str(current_folder) + "tmp_certificate.pem"
 tmp_private_key_path = str(current_folder) + "tmp_privatekey.pem.key"
+tmp_ca_file_path = str(current_folder) + "tmp_ca.pem"
 tmp_pfx_file_path = str(current_folder) + "tmp_pfx_certificate.pfx"
 tmp_pfx_certificate_path = ""
 tmp_pfx_certificate_store_location = "CurrentUser\\My"
@@ -26,6 +27,7 @@
 def get_secrets_and_launch(parsed_commands):
     global tmp_certificate_file_path
     global tmp_private_key_path
+    global tmp_ca_file_path
     global tmp_pfx_file_path
     global tmp_pfx_certificate_path
     exit_code = 0
@@ -34,6 +36,11 @@ def get_secrets_and_launch(parsed_commands):
     sample_private_key = ""
     sample_custom_authorizer_name = ""
     sample_custom_authorizer_password = ""
+    sample_certificate_x509 = ""
+    sample_private_key_x509 = ""
+    sample_ca_x509 = ""
+    sample_endpoint_x509 = ""
+    sample_role_alias_x509 = ""
 
     print("Attempting to get credentials from secrets using Boto3...")
     secrets_client = boto3.client(
@@ -56,13 +63,42 @@ def get_secrets_and_launch(parsed_commands):
                 # lgtm [py/clear-text-storage-sensitive-data]
                 file.write(secret_data["SecretString"])
             sample_private_key = tmp_private_key_path
+
         if (parsed_commands.sample_secret_custom_authorizer_name != ""):
             sample_custom_authorizer_name = secrets_client.get_secret_value(
                 SecretId=parsed_commands.sample_secret_custom_authorizer_name)["SecretString"]
         if (parsed_commands.sample_secret_custom_authorizer_password != ""):
             sample_custom_authorizer_password = secrets_client.get_secret_value(
                 SecretId=parsed_commands.sample_secret_custom_authorizer_password)["SecretString"]
 
+        if (parsed_commands.sample_secret_certificate_x509 != ""):
+            secret_data = secrets_client.get_secret_value(
+                SecretId=parsed_commands.sample_secret_certificate_x509)
+            with open(tmp_certificate_file_path, "w") as file:
+                # lgtm [py/clear-text-storage-sensitive-data]
+                file.write(secret_data["SecretString"])
+            sample_certificate_x509 = tmp_certificate_file_path
+        if (parsed_commands.sample_secret_private_key_x509 != ""):
+            secret_data = secrets_client.get_secret_value(
+                SecretId=parsed_commands.sample_secret_private_key_x509)
+            with open(tmp_private_key_path, "w") as file:
+                # lgtm [py/clear-text-storage-sensitive-data]
+                file.write(secret_data["SecretString"])
+            sample_private_key_x509 = tmp_private_key_path
+        if (parsed_commands.sample_secret_ca_x509 != ""):
+            secret_data = secrets_client.get_secret_value(
+                SecretId=parsed_commands.sample_secret_ca_x509)
+            with open(tmp_ca_file_path, "w") as file:
+                # lgtm [py/clear-text-storage-sensitive-data]
+                file.write(secret_data["SecretString"])
+            sample_ca_x509 = tmp_ca_file_path
+        if (parsed_commands.sample_secret_endpoint_x509 != ""):
+            sample_endpoint_x509 = secrets_client.get_secret_value(
+                SecretId=parsed_commands.sample_secret_endpoint_x509)["SecretString"]
+        if (parsed_commands.sample_secret_alias_x509 != ""):
+            sample_role_alias_x509 = secrets_client.get_secret_value(
+                SecretId=parsed_commands.sample_secret_alias_x509)["SecretString"]
+
     except Exception:
         sys.exit("ERROR: Could not get secrets to launch sample!")
 
@@ -78,8 +114,17 @@ def get_secrets_and_launch(parsed_commands):
     exit_code = extra_step_return
     if (extra_step_return == 0):
         print("Launching sample...")
-        exit_code = launch_sample(parsed_commands, sample_endpoint, sample_certificate,
-                                sample_private_key, sample_custom_authorizer_name, sample_custom_authorizer_password)
+        exit_code = launch_sample(parsed_commands=parsed_commands,
+                                sample_endpoint=sample_endpoint,
+                                sample_certificate=sample_certificate,
+                                sample_private_key=sample_private_key,
+                                sample_custom_authorizer_name=sample_custom_authorizer_name,
+                                sample_custom_authorizer_password=sample_custom_authorizer_password,
+                                sample_certificate_x509=sample_certificate_x509,
+                                sample_private_key_x509=sample_private_key_x509,
+                                sample_ca_x509=sample_ca_x509,
+                                sample_endpoint_x509=sample_endpoint_x509,
+                                sample_role_alias_x509=sample_role_alias_x509)
 
         if (exit_code == 0):
             print("SUCCESS: Finished running sample! Exiting with success")
@@ -95,6 +140,8 @@ def get_secrets_and_launch(parsed_commands):
         os.remove(tmp_private_key_path)
     if (os.path.isfile(tmp_pfx_file_path)):
         os.remove(tmp_pfx_file_path)
+    if (os.path.isfile(tmp_ca_file_path)):
+        os.remove(tmp_ca_file_path)
 
     return exit_code
 
@@ -200,7 +247,10 @@ def make_windows_pfx_file():
         return 1
 
 
-def launch_sample(parsed_commands, sample_endpoint, sample_certificate, sample_private_key, sample_custom_authorizer_name, sample_custom_authorizer_password):
+def launch_sample(parsed_commands, sample_endpoint, sample_certificate, sample_private_key,
+                sample_custom_authorizer_name, sample_custom_authorizer_password,
+                sample_certificate_x509, sample_private_key_x509, sample_ca_x509,
+                sample_endpoint_x509, sample_role_alias_x509):
     global tmp_certificate_file_path
     global tmp_private_key_path
     global tmp_pfx_file_path
@@ -223,6 +273,21 @@ def launch_sample(parsed_commands, sample_endpoint, sample_certificate, sample_p
     if (sample_custom_authorizer_password != ""):
         launch_arguments.append("--custom_auth_password")
         launch_arguments.append(sample_custom_authorizer_password)
+    if (sample_certificate_x509 != ""):
+        launch_arguments.append("--x509_cert")
+        launch_arguments.append(sample_certificate_x509)
+    if (sample_private_key_x509 != ""):
+        launch_arguments.append("--x509_key")
+        launch_arguments.append(sample_private_key_x509)
+    if (sample_ca_x509 != ""):
+        launch_arguments.append("--x509_ca_file")
+        launch_arguments.append(sample_ca_x509)
+    if (sample_endpoint_x509 != ""):
+        launch_arguments.append("--x509_endpoint")
+        launch_arguments.append(sample_endpoint_x509)
+    if (sample_role_alias_x509 != ""):
+        launch_arguments.append("--x509_role_alias")
+        launch_arguments.append(sample_role_alias_x509)
     if (parsed_commands.sample_arguments != ""):
         sample_arguments_split = parsed_commands.sample_arguments.split(" ")
         for arg in sample_arguments_split:
@@ -329,6 +394,16 @@ def main():
     argument_parser.add_argument("--sample_run_certutil", metavar="<Set to 'True' to run Certutil (Windows ONLY)>", required=False,
                                  default="", help="Runs CertUtil on the private key and certificate passed and makes a certificate.pfx file, "
                                  "which is used automatically in the --cert argument. Used for Windows Certificate Connect sample")
+    argument_parser.add_argument("--sample_secret_certificate_x509", metavar="<Name of certificate secret to use in X509>", required=False,
+                                 default="", help="The name of the secret containing the certificate PEM file to use in X509")
+    argument_parser.add_argument("--sample_secret_private_key_x509", metavar="<Name of private key secret to use in X509>", required=False,
+                                 default="", help="The name of the secret containing the private key PEM file to use in X509")
+    argument_parser.add_argument("--sample_secret_ca_x509", metavar="<Name of CA key secret to use in X509>", required=False,
+                                 default="", help="The name of the secret containing the CA PEM file to use in X509")
+    argument_parser.add_argument("--sample_secret_endpoint_x509", metavar="<Name of credentials provider endpoint secret>",
+                                 required=False, default="", help="The name of the secret containing the credentials provider endpoint (X509)")
+    argument_parser.add_argument("--sample_secret_alias_x509", metavar="<Name of the IoT role alias secret>",
+                                 required=False, default="", help="The name of the secret containing the IoT Core role alias (X509)")
     argument_parser.add_argument("--sample_arguments", metavar="<Arguments here in single string!>",
                                  required=False, default="",
                                  help="Arguments to pass to sample. In Java, these arguments will be in a double quote (\") string")