Pass AWS credentials via structure pointer

 - Setting env variable is not an elegant solution to pass credentials
 - Pass these in config structure instead

Author: vikramdattu

esp_port/examples/app_common/include/sample_config.h

@@ -69,6 +69,29 @@ extern "C" {
 #define MASTER_DATA_CHANNEL_MESSAGE "This message is from the KVS Master"
 #define VIEWER_DATA_CHANNEL_MESSAGE "This message is from the KVS Viewer"
 
+/**
+ * @brief Structure to hold AWS credentials and related options
+ */
+typedef struct {
+    // IoT Core credentials
+    BOOL enableIotCredentials;
+    PCHAR iotCoreCredentialEndpoint;
+    PCHAR iotCoreCert;
+    PCHAR iotCorePrivateKey;
+    PCHAR iotCoreRoleAlias;
+    PCHAR iotCoreThingName;
+
+    // Direct AWS credentials
+    PCHAR accessKey;
+    PCHAR secretKey;
+    PCHAR sessionToken;
+
+    // Common AWS options
+    PCHAR region;
+    PCHAR caCertPath;
+    UINT32 logLevel;
+} AwsCredentialOptions, *PAwsCredentialOptions;
+
 #define DATA_CHANNEL_MESSAGE_TEMPLATE                                                                                                                \
     "{\"content\":\"%s\",\"firstMessageFromViewerTs\":\"%s\",\"firstMessageFromMasterTs\":\"%s\",\"secondMessageFromViewerTs\":\"%s\","              \
     "\"secondMessageFromMasterTs\":\"%s\",\"lastMessageFromViewerTs\":\"%s\" }"
@@ -171,6 +194,9 @@ typedef struct {
     PCHAR rtspUri;
     UINT32 logLevel;
     BOOL enableTwcc;
+
+    // AWS credential options
+    PAwsCredentialOptions pAwsCredentialOptions;
 } SampleConfiguration, *PSampleConfiguration;
 
 typedef struct {
@@ -242,7 +268,7 @@ PVOID sampleReceiveAudioVideoFrame(PVOID);
 PVOID getPeriodicIceCandidatePairStats(PVOID);
 STATUS getIceCandidatePairStatsCallback(UINT32, UINT64, UINT64);
 STATUS pregenerateCertTimerCallback(UINT32, UINT64, UINT64);
-STATUS createSampleConfiguration(PCHAR, SIGNALING_CHANNEL_ROLE_TYPE, BOOL, BOOL, UINT32, PSampleConfiguration*);
+STATUS createSampleConfiguration(PCHAR, SIGNALING_CHANNEL_ROLE_TYPE, BOOL, BOOL, UINT32, PAwsCredentialOptions, PSampleConfiguration*);
 STATUS freeSampleConfiguration(PSampleConfiguration*);
 STATUS signalingClientStateChanged(UINT64, SIGNALING_CLIENT_STATE);
 STATUS signalingMessageReceived(UINT64, PReceivedSignalingMessage);

esp_port/examples/app_common/src/sample_config.c

@@ -910,34 +910,54 @@ STATUS lookForSslCert(PSampleConfiguration* ppSampleConfiguration)
 }
 
 STATUS createSampleConfiguration(PCHAR channelName, SIGNALING_CHANNEL_ROLE_TYPE roleType, BOOL trickleIce, BOOL useTurn, UINT32 logLevel,
-                                 PSampleConfiguration* ppSampleConfiguration)
+                                PAwsCredentialOptions pAwsCredentialOptions, PSampleConfiguration* ppSampleConfiguration)
 {
     STATUS retStatus = STATUS_SUCCESS;
     PSampleConfiguration pSampleConfiguration = NULL;
+    PCHAR pAccessKey = NULL, pSecretKey = NULL, pSessionToken = NULL;
+    PCHAR pIotCoreCredentialEndPoint = NULL, pIotCoreCert = NULL, pIotCorePrivateKey = NULL;
+    PCHAR pIotCoreRoleAlias = NULL, pIotCoreCertificateId = NULL, pIotCoreThingName = NULL;
 
     CHK(ppSampleConfiguration != NULL, STATUS_NULL_ARG);
 
     CHK(NULL != (pSampleConfiguration = (PSampleConfiguration) MEMCALLOC(1, SIZEOF(SampleConfiguration))), STATUS_NOT_ENOUGH_MEMORY);
 
-#ifdef CONFIG_IOT_CORE_ENABLE_CREDENTIALS
-    PCHAR pIotCoreCredentialEndPoint, pIotCoreCert, pIotCorePrivateKey, pIotCoreRoleAlias, pIotCoreCertificateId, pIotCoreThingName;
-    CHK_ERR((pIotCoreCredentialEndPoint = GETENV(IOT_CORE_CREDENTIAL_ENDPOINT)) != NULL, STATUS_INVALID_OPERATION,
-            "AWS_IOT_CORE_CREDENTIAL_ENDPOINT must be set");
-    CHK_ERR((pIotCoreCert = GETENV(IOT_CORE_CERT)) != NULL, STATUS_INVALID_OPERATION, "AWS_IOT_CORE_CERT must be set");
-    CHK_ERR((pIotCorePrivateKey = GETENV(IOT_CORE_PRIVATE_KEY)) != NULL, STATUS_INVALID_OPERATION, "AWS_IOT_CORE_PRIVATE_KEY must be set");
-    CHK_ERR((pIotCoreRoleAlias = GETENV(IOT_CORE_ROLE_ALIAS)) != NULL, STATUS_INVALID_OPERATION, "AWS_IOT_CORE_ROLE_ALIAS must be set");
-    CHK_ERR((pIotCoreThingName = GETENV(IOT_CORE_THING_NAME)) != NULL, STATUS_INVALID_OPERATION, "AWS_IOT_CORE_THING_NAME must be set");
-#else
-    PCHAR pAccessKey, pSecretKey, pSessionToken;
-    CHK_ERR((pAccessKey = GETENV(ACCESS_KEY_ENV_VAR)) != NULL, STATUS_INVALID_OPERATION, "AWS_ACCESS_KEY_ID must be set");
-    CHK_ERR((pSecretKey = GETENV(SECRET_KEY_ENV_VAR)) != NULL, STATUS_INVALID_OPERATION, "AWS_SECRET_ACCESS_KEY must be set");
-
-    pSessionToken = GETENV(SESSION_TOKEN_ENV_VAR);
-    if (pSessionToken != NULL && IS_EMPTY_STRING(pSessionToken)) {
-        DLOGW("Session token is set but its value is empty. Ignoring.");
-        pSessionToken = NULL;
+    // Store the AWS credential options in the sample configuration
+    pSampleConfiguration->pAwsCredentialOptions = pAwsCredentialOptions;
+
+    if (pAwsCredentialOptions != NULL) {
+        if (pAwsCredentialOptions->enableIotCredentials) {
+            // Use IoT Core credentials from the options
+            pIotCoreCredentialEndPoint = pAwsCredentialOptions->iotCoreCredentialEndpoint;
+            pIotCoreCert = pAwsCredentialOptions->iotCoreCert;
+            pIotCorePrivateKey = pAwsCredentialOptions->iotCorePrivateKey;
+            pIotCoreRoleAlias = pAwsCredentialOptions->iotCoreRoleAlias;
+            pIotCoreThingName = pAwsCredentialOptions->iotCoreThingName;
+            // Validate required fields
+            CHK_ERR(pIotCoreCredentialEndPoint != NULL && pIotCoreCredentialEndPoint[0] != '\0', STATUS_INVALID_OPERATION,
+                    "IoT Core credential endpoint must be set");
+            CHK_ERR(pIotCoreCert != NULL && pIotCoreCert[0] != '\0', STATUS_INVALID_OPERATION,
+                    "IoT Core certificate must be set");
+            CHK_ERR(pIotCorePrivateKey != NULL && pIotCorePrivateKey[0] != '\0', STATUS_INVALID_OPERATION,
+                    "IoT Core private key must be set");
+            CHK_ERR(pIotCoreRoleAlias != NULL && pIotCoreRoleAlias[0] != '\0', STATUS_INVALID_OPERATION,
+                    "IoT Core role alias must be set");
+            CHK_ERR(pIotCoreThingName != NULL && pIotCoreThingName[0] != '\0', STATUS_INVALID_OPERATION,
+                    "IoT Core thing name must be set");
+        } else {
+            // Use direct AWS credentials from the options
+            pAccessKey = pAwsCredentialOptions->accessKey;
+            pSecretKey = pAwsCredentialOptions->secretKey;
+            pSessionToken = pAwsCredentialOptions->sessionToken;
+            // Validate required fields
+            CHK_ERR(pAccessKey != NULL && pAccessKey[0] != '\0', STATUS_INVALID_OPERATION,
+                    "AWS access key must be set");
+            CHK_ERR(pSecretKey != NULL && pSecretKey[0] != '\0', STATUS_INVALID_OPERATION,
+                    "AWS secret key must be set");
+        }
+    } else {
+        DLOGI("Streaming only mode, skipping credentials");
     }
-#endif
 
 
     // If the env is set, we generate normal log files apart from filtered profile log files
@@ -969,13 +989,14 @@ STATUS createSampleConfiguration(PCHAR channelName, SIGNALING_CHANNEL_ROLE_TYPE
     // CHK_STATUS(lookForSslCert(&pSampleConfiguration));
     pSampleConfiguration->pCaCertPath = DEFAULT_KVS_CACERT_PATH;
 
-#ifdef CONFIG_IOT_CORE_ENABLE_CREDENTIALS
-    CHK_STATUS(createIotCredentialProvider(pIotCoreCredentialEndPoint, pIotCoreCert, pIotCorePrivateKey, pSampleConfiguration->pCaCertPath,
-                                        pIotCoreRoleAlias, pIotCoreThingName, &pSampleConfiguration->pCredentialProvider));
-#else
-    CHK_STATUS(
-        createStaticCredentialProvider(pAccessKey, 0, pSecretKey, 0, pSessionToken, 0, MAX_UINT64, &pSampleConfiguration->pCredentialProvider));
-#endif
+    if (pAwsCredentialOptions != NULL &&
+            pAwsCredentialOptions->enableIotCredentials) {
+        CHK_STATUS(createIotCredentialProvider(pIotCoreCredentialEndPoint, pIotCoreCert, pIotCorePrivateKey, pSampleConfiguration->pCaCertPath,
+                                            pIotCoreRoleAlias, pIotCoreThingName, &pSampleConfiguration->pCredentialProvider));
+    } else {
+        CHK_STATUS(
+            createStaticCredentialProvider(pAccessKey, 0, pSecretKey, 0, pSessionToken, 0, MAX_UINT64, &pSampleConfiguration->pCredentialProvider));
+    }
 
     pSampleConfiguration->mediaSenderTid = INVALID_TID_VALUE;
     pSampleConfiguration->audioSenderTid = INVALID_TID_VALUE;

esp_port/examples/webrtc_classic/main/webrtc_main.c

@@ -196,33 +196,56 @@ void app_main(void)
         return;
     }
 
+    // Create AWS credential options structure
+    AwsCredentialOptions awsCredentialOptions;
+    memset(&awsCredentialOptions, 0, sizeof(AwsCredentialOptions));
+
     // Initialize KVS WebRTC
     STATUS status = STATUS_SUCCESS;
     PSampleConfiguration pSampleConfiguration = NULL;
     PCHAR pChannelName = CONFIG_AWS_KVS_CHANNEL_NAME;
 
     // Set AWS credentials
 #ifdef CONFIG_IOT_CORE_ENABLE_CREDENTIALS
-    setenv("AWS_IOT_CORE_CREDENTIAL_ENDPOINT", CONFIG_AWS_IOT_CORE_CREDENTIAL_ENDPOINT, 1);
-    setenv("AWS_IOT_CORE_CERT", CONFIG_AWS_IOT_CORE_CERT, 1);
-    setenv("AWS_IOT_CORE_PRIVATE_KEY", CONFIG_AWS_IOT_CORE_PRIVATE_KEY, 1);
-    setenv("AWS_IOT_CORE_ROLE_ALIAS", CONFIG_AWS_IOT_CORE_ROLE_ALIAS, 1);
-    setenv("AWS_IOT_CORE_THING_NAME", CONFIG_AWS_IOT_CORE_THING_NAME, 1);
+    // Configure IoT Core credentials
+    awsCredentialOptions.enableIotCredentials = TRUE;
+    awsCredentialOptions.iotCoreCredentialEndpoint = CONFIG_AWS_IOT_CORE_CREDENTIAL_ENDPOINT;
+    awsCredentialOptions.iotCoreCert = CONFIG_AWS_IOT_CORE_CERT;
+    awsCredentialOptions.iotCorePrivateKey = CONFIG_AWS_IOT_CORE_PRIVATE_KEY;
+    awsCredentialOptions.iotCoreRoleAlias = CONFIG_AWS_IOT_CORE_ROLE_ALIAS;
+    awsCredentialOptions.iotCoreThingName = CONFIG_AWS_IOT_CORE_THING_NAME;
+
+    setenv("AWS_IOT_CORE_CREDENTIAL_ENDPOINT", "c3mh3f5xs9l81c.credentials.iot.us-east-1.amazonaws.com", 1);
+    setenv("AWS_IOT_CORE_CERT", "/spiffs/certs/certificate.pem", 1);
+    setenv("AWS_IOT_CORE_PRIVATE_KEY", "/spiffs/certs/private.key", 1);
+    setenv("AWS_KVS_CACERT_PATH", "/spiffs/certs/", 1);
+    setenv("AWS_IOT_CORE_ROLE_ALIAS", "webrtc_iot_role_alias", 1);
+    setenv("AWS_IOT_CORE_THING_NAME", "webrtc_iot_thing", 1);
 #else
-    setenv("AWS_ACCESS_KEY_ID", CONFIG_AWS_ACCESS_KEY_ID, 1);
-    setenv("AWS_SECRET_ACCESS_KEY", CONFIG_AWS_SECRET_ACCESS_KEY, 1);
-    setenv("AWS_DEFAULT_REGION", CONFIG_AWS_DEFAULT_REGION, 1);
+    // Configure direct AWS credentials
+    awsCredentialOptions.enableIotCredentials = FALSE;
+    awsCredentialOptions.accessKey = CONFIG_AWS_ACCESS_KEY_ID;
+    awsCredentialOptions.secretKey = CONFIG_AWS_SECRET_ACCESS_KEY;
+    awsCredentialOptions.sessionToken = CONFIG_AWS_SESSION_TOKEN;
 #endif
+    // Set common AWS options
+    awsCredentialOptions.region = CONFIG_AWS_DEFAULT_REGION;
+    awsCredentialOptions.caCertPath =  "/spiffs/certs/";
+    awsCredentialOptions.logLevel = 1;
+
+    setenv("AWS_KVS_LOG_LEVEL", "1", 1);
+    setenv("AWS_DEFAULT_REGION", "us-east-1", 1);
 
     // Custom allocator for libwebsockets
     lws_set_allocator(realloc_wrapper);
 
     UINT32 logLevel = setLogLevel();
 
     ESP_LOGI(TAG, "creating sample configuration");
-    // Initialize KVS WebRTC
+
+    // Initialize KVS WebRTC with credential options
     status = createSampleConfiguration(pChannelName, SIGNALING_CHANNEL_ROLE_TYPE_MASTER,
-                                    TRUE, TRUE, logLevel, &pSampleConfiguration);
+                                    TRUE, TRUE, logLevel, &awsCredentialOptions, &pSampleConfiguration);
     if (status != STATUS_SUCCESS) {
         ESP_LOGE(TAG, "createSampleConfiguration failed with 0x%08" PRIx32, status);
         goto CleanUp;