Reference

awsiot_credentialhelper

Session object classes and methods.

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0

class awsiot_credentialhelper.boto3_session.Boto3SessionProvider(endpoint: str, role_alias: str, thing_name: str, certificate: str | bytes, private_key: str | bytes | None = None, pkcs11: Pkcs11Config | None = None, ca: bytes | None = None, awscrt_log_level: LogLevel | None = None, verify_peer: bool = True)

Session object using the AWS IoT Core Credential Provider.

Creates an object from the credentials used to authenticate against the AWS IoT Core Credential Provider. After creation, a call to get_session() returns a Boto3 session object. That session object requests credentials from the provider as needed when Boto3 client calls are issued, and automatically refreshes them as they expire.

Parameters:
  • endpoint – Fully-qualified domain name of the AWS IoT Credential Provider endpoint.

  • role_alias – IoT Role Alias to use for obtaining the attached IAM Role.

  • thing_name – IoT Thing Name attached to the IoT Policy which grants access to IoT Role Alias.

  • certificate – X.509 certificate registered with AWS IoT Core, PEM-encoded. It can be either a path to the certificate on the file system (str) or the certificate contents (bytes).

  • private_key – Private key associated with the X.509 certificate. It can be either a path to the private key on the file system (str) or the private key contents (bytes). Not needed when the key lives on a PKCS#11 token (see pkcs11).

  • pkcs11 – Configuration to use a local PKCS#11 interface for private key operations.

  • ca – The certificate authority used to validate the AWS IoT Core credential provider endpoint. It can be either a path to the CA certificate on the file system (str) or the CA certificate contents (bytes). Defaults to None, which uses the operating system's default trust store.

  • awscrt_log_level – Log level for awscrt operations.

  • verify_peer – When True, the certificate presented by the endpoint is validated against the trust store and the endpoint name. Set to False only for testing: with verification disabled, an impostor endpoint can complete the handshake, see the thing name, and hand back credentials of its own choosing. Defaults to True.

Raises:

ValueError – If neither private_key nor pkcs11 is provided.
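The exchange this class wraps, as an added, stdlib-only example (not code from awsiot_credentialhelper): a mutually-authenticated HTTPS GET to the credential provider, the JSON reply mapped onto the metadata keys botocore's RefreshableCredentials.create_from_metadata() consumes, and a helper a refresher can poll to decide when to re-fetch. The path, header and reply shape are those of the AWS IoT credential provider; the function names and the sample reply are hypothetical, and the TLS context shows what disabling verify_peer actually removes.

```python
"""Stdlib-only illustration of the AWS IoT credential provider exchange.

Added example code, not part of awsiot_credentialhelper. Function names are
hypothetical; the endpoint path, request header and reply shape follow the
AWS IoT Core credential provider API.
"""
import http.client
import json
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def build_request(role_alias: str, thing_name: str) -> Tuple[str, Dict[str, str]]:
    """Path and headers for the credential provider call.

    The provider is addressed as GET /role-aliases/<role_alias>/credentials; the
    thing name travels in x-amzn-iot-thingname so the IoT policy attached to the
    client certificate can be evaluated against it.
    """
    return f"/role-aliases/{role_alias}/credentials", {"x-amzn-iot-thingname": thing_name}


def make_tls_context(certificate: str, private_key: str, ca: Optional[str] = None,
                     verify_peer: bool = True) -> ssl.SSLContext:
    """Client-certificate TLS context mirroring the certificate/private_key/ca/verify_peer knobs."""
    ctx = ssl.create_default_context(cafile=ca)  # ca=None -> the OS trust store
    ctx.load_cert_chain(certfile=certificate, keyfile=private_key)
    if not verify_peer:
        # Test-only. Without these checks an impostor endpoint can complete the
        # handshake, learn the thing name and return credentials it chose.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def expiry_as_datetime(expiration: str) -> datetime:
    """Provider timestamps look like 2024-05-01T12:00:00Z (UTC)."""
    return datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credentials(body: bytes) -> Dict[str, str]:
    """Map the provider's JSON reply to botocore refresh-metadata keys.

    Expected shape: {"credentials": {"accessKeyId", "secretAccessKey",
    "sessionToken", "expiration"}}. Error bodies such as {"message": ...}
    and malformed timestamps are rejected with ValueError.
    """
    try:
        creds = json.loads(body)["credentials"]
        meta = {
            "access_key": creds["accessKeyId"],
            "secret_key": creds["secretAccessKey"],
            "token": creds["sessionToken"],
            "expiry_time": creds["expiration"],
        }
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("unexpected credential provider response") from exc
    expiry_as_datetime(meta["expiry_time"])  # fail early on a bad timestamp
    return meta


def seconds_until_expiry(meta: Dict[str, str], now: Optional[datetime] = None) -> float:
    """Remaining validity; a refresher re-fetches before this reaches zero."""
    now = now or datetime.now(timezone.utc)
    return (expiry_as_datetime(meta["expiry_time"]) - now).total_seconds()


def fetch_credentials(endpoint: str, role_alias: str, thing_name: str,
                      ctx: ssl.SSLContext) -> Dict[str, str]:
    """One round trip to the provider (needs network and real key material)."""
    path, headers = build_request(role_alias, thing_name)
    conn = http.client.HTTPSConnection(endpoint, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"credential provider returned HTTP {resp.status}: {body[:200]!r}")
    return parse_credentials(body)


# Constructed sample reply (not real credentials) so the parsing runs offline.
SAMPLE_REPLY = json.dumps({
    "credentials": {
        "accessKeyId": "ASIAEXAMPLEKEYID",
        "secretAccessKey": "EXAMPLESECRET",
        "sessionToken": "EXAMPLETOKEN",
        "expiration": "2024-05-01T12:00:00Z",
    }
}).encode()


if __name__ == "__main__":
    meta = parse_credentials(SAMPLE_REPLY)
    print(meta["access_key"], "expires at", meta["expiry_time"])
    # Live use would be:
    # ctx = make_tls_context("iot_thing.pem", "iot_thing.pem.key")
    # meta = fetch_credentials("your_endpoint.credentials.iot.us-west-2.amazonaws.com",
    #                          "your_aws_iot_role_alias_name", "iot_thing", ctx)
```

The dict returned by parse_credentials() is the shape botocore's RefreshableCredentials.create_from_metadata() takes as metadata, with fetch_credentials() bound as the refresh_using callable; that is the piece Boto3SessionProvider installs into the botocore session so clients refresh transparently.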

get_session(**kwargs) → Session

Create a Boto3 session object with credential refresh using AWS IoT Credential Provider.

The **kwargs are passed through to the boto3.session.Session constructor. The most common use is to set the AWS region for the returned session object via region_name; any other Boto3 session argument can be passed the same way.

Example

>>> from awsiot_credentialhelper.boto3_session import Boto3SessionProvider
>>> # region_name is the boto3.session.Session keyword for the region
>>> boto3_session = Boto3SessionProvider(
...     endpoint="your_endpoint.credentials.iot.us-west-2.amazonaws.com",
...     role_alias="your_aws_iot_role_alias_name",
...     certificate="iot_thing.pem",
...     private_key="iot_thing.pem.key",
...     thing_name="iot_thing",
... ).get_session(region_name="eu-central-1")
Parameters:

**kwargs – Keyword arguments forwarded to boto3.session.Session (for example region_name).

Returns:

Boto3 session object tied to IoT Credential Provider for obtaining credentials.

Return type:

Session

class awsiot_credentialhelper.boto3_session.Pkcs11Config

PKCS#11 configuration for the Credential Provider.

Parameters needed to locate the PKCS#11 library and select the token and private key used for the TLS client authentication.

pkcs11_lib

Path to PKCS#11 library on disk.

Type:

str

user_pin

User PIN used to log in to the PKCS#11 token.

Type:

NotRequired[str]

slot_id

Slot ID for PKCS#11 library. If not provided, the token_label will be used instead.

Type:

NotRequired[int]

token_label

Token label for PKCS#11 library. If not provided, the slot_id will be used instead.

Type:

NotRequired[str]

private_key_label

Label for private key to use.

Type:

NotRequired[str]