aws: add IoT provider support and related credentials definitions

This update introduces the IoT provider creation function and adds necessary environment variable definitions for IoT credentials in the AWS module. Additionally, the CMake configuration is updated to include the new IoT credentials source file.

Signed-off-by: SagiROosto <sagi.rosenthal@oosto.com>

Author: SagiROosto

include/fluent-bit/flb_aws_credentials.h

@@ -34,6 +34,20 @@
 /* 5 second timeout for credential related http requests */
 #define FLB_AWS_CREDENTIAL_NET_TIMEOUT 5
 
+/* IoT Credentials Environment Variables */
+#define AWS_IOT_KEY_FILE               "AWS_IOT_KEY_FILE"
+#define AWS_IOT_CERT_FILE              "AWS_IOT_CERT_FILE"
+#define AWS_IOT_CA_CERT_FILE           "AWS_IOT_CA_CERT_FILE"
+#define AWS_IOT_CREDENTIALS_ENDPOINT   "AWS_IOT_CREDENTIALS_ENDPOINT"
+#define AWS_IOT_THING_NAME             "AWS_IOT_THING_NAME"
+#define AWS_IOT_ROLE_ALIAS             "AWS_IOT_ROLE_ALIAS"
+
+/* Greengrass V2 Config File - fallback source for IoT configuration */
+#define AWS_IOT_GREENGRASS_V2_CONFIG   "AWS_IOT_GREENGRASS_V2_CONFIG_PATH"
+
+/* Greengrass V2 Component Environment Variable - fallback for CA cert */
+#define AWS_GG_ROOT_CA_PATH            "AWS_GG_ROOT_CA_PATH"
+
 /*
  * A structure that wraps the sensitive data needed to sign an AWS request
  */
@@ -225,6 +239,11 @@ struct flb_aws_provider *flb_eks_provider_create(struct flb_config *config,
                                                  flb_aws_client_generator
                                                  *generator);
 
+/*
+ * IoT Provider
+ */
+struct flb_aws_provider *flb_iot_provider_create(struct flb_config *config,
+                                                 struct flb_aws_client_generator *generator);
 
 /*
  * STS Assume Role Provider.

src/aws/CMakeLists.txt

@@ -16,6 +16,7 @@ set(src
   "flb_aws_credentials_http.c"
   "flb_aws_credentials_profile.c"
   "flb_aws_aggregation.c"
+  "flb_aws_credentials_iot.c"
   )
 
 message(STATUS "=== AWS Credentials ===")

src/aws/flb_aws_credentials.c

@@ -51,14 +51,14 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
                                                       int eks_irsa,
                                                       char *profile);
 
-
 /*
  * The standard credential provider chain:
  * 1. Environment variables
- * 2. Shared credentials file (AWS Profile)
- * 3. EKS OIDC
- * 4. EC2 IMDS
+ * 2. IoT credentials endpoint (AWS_IOT_* env vars / Greengrass V2 config)
+ * 3. Shared credentials file (AWS Profile)
+ * 4. EKS OIDC
  * 5. ECS HTTP credentials endpoint
+ * 6. EC2 IMDS
  *
  * This provider will evaluate each provider in order, returning the result
  * from the first provider that returns valid credentials.
@@ -566,6 +566,28 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
 
     mk_list_add(&sub_provider->_head, &implementation->sub_providers);
 
+    /*
+     * IoT Provider - placed after environment provider but before profile provider.
+     *
+     * Rationale for this position in the credential chain:
+     * 1. Standard AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env vars take precedence
+     *    (handled by env provider above) - explicit credentials always win.
+     * 2. IoT-specific env vars (AWS_IOT_*) or Greengrass V2 config indicate the user
+     *    explicitly wants IoT credentials on devices like AWS Greengrass.
+     * 3. IoT provider comes before profile/EKS/ECS/EC2 because when IoT config
+     *    is present, the device is specifically configured for IoT credentials.
+     *
+     * Configuration sources (in priority order):
+     * - AWS_IOT_* environment variables (explicit)
+     * - AWS_IOT_GREENGRASS_V2_CONFIG_PATH -> config.yaml (Greengrass V2)
+     * - GG_ROOT_CA_PATH fallback for CA certificate
+     */
+    sub_provider = flb_iot_provider_create(config, generator);
+    if (sub_provider) {
+        mk_list_add(&sub_provider->_head, &implementation->sub_providers);
+        flb_debug("[aws_credentials] Initialized IoT Provider in standard chain");
+    }
+
     flb_debug("[aws_credentials] creating profile %s provider", profile);
     sub_provider = flb_profile_provider_create(profile);
     if (sub_provider) {