From bd183f3de299f24bb2f30973e1d6d55c99f14b5e Mon Sep 17 00:00:00 2001
From: Shelby Hagman
Date: Wed, 14 Jan 2026 22:06:54 +0000
Subject: [PATCH 1/2] aws: Add AWS Greengrass schema to approved credential URIs

Signed-off-by: Shelby Hagman
---
 src/aws/flb_aws_credentials_http.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/aws/flb_aws_credentials_http.c b/src/aws/flb_aws_credentials_http.c
index a405920478b..90e764e6d9d 100644
--- a/src/aws/flb_aws_credentials_http.c
+++ b/src/aws/flb_aws_credentials_http.c
@@ -40,6 +40,8 @@
 #define ECS_CREDENTIALS_HOST_LEN 13
 #define EKS_CREDENTIALS_HOST "169.254.170.23"
 #define EKS_CREDENTIALS_HOST_LEN 14
+#define GREENGRASS_CREDENTIALS_HOST "localhost"
+#define GREENGRASS_CREDENTIALS_PATH "/2016-11-01/credentialprovider/"
 #define AWS_CREDENTIALS_RELATIVE_URI "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
 #define AWS_CREDENTIALS_FULL_URI "AWS_CONTAINER_CREDENTIALS_FULL_URI"
 
@@ -60,8 +62,9 @@
 does not satisfy any of the following conditions:
 is within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128)
 is the ECS container host 169.254.170.2
-is the EKS container host (IPv4 169.254.170.23, IPv6 fd00:ec2::23)*/
-static int validate_http_credential_uri(flb_sds_t protocol, flb_sds_t host)
+is the EKS container host (IPv4 169.254.170.23, IPv6 fd00:ec2::23)
+is localhost with Greengrass credential provider path (/2016-11-01/credentialprovider/)*/
+static int validate_http_credential_uri(flb_sds_t protocol, flb_sds_t host, flb_sds_t path)
 {
 if (strncmp(protocol, "https", 5) == 0) {
 return 0;
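Review bot: The header comment above `validate_http_credential_uri` gains a line for the Greengrass case but does not state the contract of the new `path` parameter: the branch that uses it (in the next hunk) requires `path` to equal `/2016-11-01/credentialprovider/` byte-for-byte, trailing slash included, and treats `path == NULL` as simply not matching. I would extend the comment with `path may be NULL; the Greengrass exception requires an exact, case-sensitive match of host "localhost" and path "/2016-11-01/credentialprovider/" (trailing slash included)`. Unlike the loopback and link-local entries, `localhost` is a name rather than an address, so the plain-http exception presumably trusts whatever the HTTP client's resolver maps that name to; a one-line note to that effect next to `GREENGRASS_CREDENTIALS_HOST` would make the assumption visible to anyone hardening the host's name resolution. The function body continues past the end of this hunk.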
@@ -70,7 +73,9 @@ static int validate_http_credential_uri(flb_sds_t protocol, flb_sds_t host)
 strncmp(host, EKS_CREDENTIALS_HOST, EKS_CREDENTIALS_HOST_LEN) == 0 ||
 strstr(host, "::1") != NULL ||
 strstr(host, "fd00:ec2::23") != NULL ||
- strstr(host, "fe80:") != NULL) {
+ strstr(host, "fe80:") != NULL ||
+ (strcmp(host, GREENGRASS_CREDENTIALS_HOST) == 0 && path != NULL &&
+ strcmp(path, GREENGRASS_CREDENTIALS_PATH) == 0)) {
 return 0;
 }
 
@@ -356,10 +361,11 @@ struct flb_aws_provider *flb_http_provider_create(struct flb_config *config,
 }
 
 insecure = strncmp(protocol, "http", 4) == 0 ? FLB_TRUE : FLB_FALSE;
- ret = validate_http_credential_uri(protocol, host);
+ ret = validate_http_credential_uri(protocol, host, path);
 if (ret < 0) {
- flb_error("[aws credentials] %s must be set to an https:// address or a link local IP address."
- " Found protocol=%s, host=%s, port=%s, path=%s",
+ flb_error("[aws credentials] %s must be set to an https:// address, a link local IP address, "
+ "or localhost with Greengrass credential provider path. "
+ "Found protocol=%s, host=%s, port=%s, path=%s",
 AWS_CREDENTIALS_FULL_URI, protocol, host, port_sds, path);
 flb_sds_destroy(protocol);
 flb_sds_destroy(host);

From adc6f65ebb02c297cd01dd7f85a7a96c8a50bca8 Mon Sep 17 00:00:00 2001
From: Shelby Hagman
Date: Wed, 14 Jan 2026 22:07:07 +0000
Subject: [PATCH 2/2] tests: Add validator tests for AWS Greengrass URIs

Signed-off-by: Shelby Hagman
---
 tests/internal/aws_credentials_http.c | 114 ++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)

diff --git a/tests/internal/aws_credentials_http.c b/tests/internal/aws_credentials_http.c
index f915f6acc17..cdcb13e939c 100644
--- a/tests/internal/aws_credentials_http.c
+++ b/tests/internal/aws_credentials_http.c
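Review bot: The Greengrass clause added to this `||` chain is the only multi-line, parenthesised sub-condition in it and reads differently from the single-call entries above it; a small `static` predicate would keep the chain flat and give the exact-match rule a place for its comment (the enclosing `if` starts above this hunk). Using `strcmp` here rather than the `strncmp`/`_LEN` prefix style of the other host entries is the right choice — it is what makes a host such as `localhost.example` or a path such as `/prefix/2016-11-01/credentialprovider/` fail, as the accompanying tests expect — so the helper should keep it and say so. The two added condition lines would then collapse to `is_greengrass_credential_uri(host, path)) {`.
```c
/* Greengrass token exchange service: plain http is accepted only for the
 * literal host "localhost" with the exact credential-provider path
 * (trailing slash included); a NULL path never matches. */
static int is_greengrass_credential_uri(flb_sds_t host, flb_sds_t path)
{
    return host != NULL && path != NULL &&
           strcmp(host, GREENGRASS_CREDENTIALS_HOST) == 0 &&
           strcmp(path, GREENGRASS_CREDENTIALS_PATH) == 0;
}

/* … unchanged: validate_http_credential_uri up to the fe80: entry … */
           strstr(host, "fe80:") != NULL ||
           is_greengrass_credential_uri(host, path)) {
```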
@@ -755,6 +755,116 @@ static void test_http_validator_invalid_port()
 flb_free(config);
 }
 
+static void test_http_validator_greengrass_valid()
+{
+ struct flb_aws_provider *provider;
+ struct flb_aws_credentials *creds;
+ struct flb_config *config;
+
+ /* Test valid Greengrass URL with localhost and correct path */
+ setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:8080/2016-11-01/credentialprovider/", 1);
+ setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+
+ setup_test(FLB_AWS_CLIENT_MOCK(
+ response(
+ expect(URI, "/2016-11-01/credentialprovider/"),
+ expect(METHOD, FLB_HTTP_GET),
+ expect(HEADER, "Authorization", "greengrass-token"),
+ set(STATUS, 200),
+ set(PAYLOAD, "{\n \"Code\" : \"Success\",\n \"LastUpdated\" : \"2021-09-16T18:29:09Z\",\n"
+ " \"Type\" : \"AWS-HMAC\",\n \"AccessKeyId\" : \"GREENGRASSACCESSKEY\",\n \"SecretAccessKey\""
+ " : \"GREENGRASSSECRETKEY\",\n \"Token\" : \"GREENGRASSTOKEN\",\n"
+ " \"Expiration\" : \"3021-09-17T00:41:00Z\"\n}"),
+ set(PAYLOAD_SIZE, 257)
+ )
+ ), &provider, &config);
+
+ flb_time_msleep(1000);
+
+ /* Should successfully get credentials */
+ creds = provider->provider_vtable->get_credentials(provider);
+ TEST_ASSERT(creds != NULL);
+ TEST_CHECK(strcmp("GREENGRASSACCESSKEY", creds->access_key_id) == 0);
+ TEST_CHECK(strcmp("GREENGRASSSECRETKEY", creds->secret_access_key) == 0);
+ TEST_CHECK(strcmp("GREENGRASSTOKEN", creds->session_token) == 0);
+
+ flb_aws_credentials_destroy(creds);
+
+ /* Check we have exhausted our response list */
+ TEST_CHECK(flb_aws_client_mock_generator_count_unused_requests() == 0);
+
+ cleanup_test(provider, config);
+}
+
+static void test_http_validator_greengrass_invalid_host()
+{
+ struct flb_aws_provider *provider;
+ struct flb_config *config;
+
+ /* Test invalid Greengrass URL - correct path but wrong host */
+ setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://example.com:8080/2016-11-01/credentialprovider/", 1);
+ setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+
+ flb_aws_client_mock_configure_generator(NULL);
+
+ config = flb_calloc(1, sizeof(struct flb_config));
+ TEST_ASSERT(config != NULL);
+ mk_list_init(&config->upstreams);
+
+ /* provider creation will fail because host is not localhost */
+ provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
+ TEST_ASSERT(provider == NULL);
+
+ flb_aws_client_mock_destroy_generator();
+ flb_free(config);
+}
+
+static void test_http_validator_greengrass_invalid_path()
+{
+ struct flb_aws_provider *provider;
+ struct flb_config *config;
+
+ /* Test invalid Greengrass URL - localhost but wrong path */
+ setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:8080/invalid/path", 1);
+ setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+
+ flb_aws_client_mock_configure_generator(NULL);
+
+ config = flb_calloc(1, sizeof(struct flb_config));
+ TEST_ASSERT(config != NULL);
+ mk_list_init(&config->upstreams);
+
+ /* provider creation will fail because path doesn't match Greengrass pattern */
+ provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
+ TEST_ASSERT(provider == NULL);
+
+ flb_aws_client_mock_destroy_generator();
+ flb_free(config);
+}
+
+static void test_http_validator_greengrass_invalid_path_prefix()
+{
+ struct flb_aws_provider *provider;
+ struct flb_config *config;
+
+ /* Test invalid Greengrass URL - localhost but path has Greengrass pattern in middle, not at start */
+ setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:8080/prefix/2016-11-01/credentialprovider/", 1);
+ setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+
+ flb_aws_client_mock_configure_generator(NULL);
+
+ config = flb_calloc(1, sizeof(struct flb_config));
+ TEST_ASSERT(config != NULL);
+ mk_list_init(&config->upstreams);
+
+ /* provider creation will fail because path doesn't start with Greengrass pattern */
+ provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
+ TEST_ASSERT(provider == NULL);
+
+ flb_aws_client_mock_destroy_generator();
+ flb_free(config);
+}
+
 TEST_LIST = {
 { "test_http_provider", test_http_provider},
 { "test_http_provider_error_case", test_http_provider_error_case},
@@ -766,5 +876,9 @@ TEST_LIST = {
 { "test_http_provider_server_failure", test_http_provider_server_failure},
 { "test_http_validator_invalid_host", test_http_validator_invalid_host},
 { "test_http_validator_invalid_port", test_http_validator_invalid_port},
+ { "test_http_validator_greengrass_valid", test_http_validator_greengrass_valid},
+ { "test_http_validator_greengrass_invalid_host", test_http_validator_greengrass_invalid_host},
+ { "test_http_validator_greengrass_invalid_path", test_http_validator_greengrass_invalid_path},
+ { "test_http_validator_greengrass_invalid_path_prefix", test_http_validator_greengrass_invalid_path_prefix},
 { 0 }
 };
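Review bot: The three rejection cases (`test_http_validator_greengrass_invalid_host`, `_invalid_path`, `_invalid_path_prefix`) share the same body and differ only in the `AWS_CONTAINER_CREDENTIALS_FULL_URI` value, which buries the one input that matters and makes the next negative case — a host such as `localhost.example`, or the path without its trailing slash, both of which the exact-match rule rejects — cost another twenty lines. A `static` helper taking the URI and asserting `provider == NULL` would leave each test as a single line naming its case. Separately, the `set(PAYLOAD_SIZE, 257)` literal in `test_http_validator_greengrass_valid` cannot be checked against the payload from the patch text alone; if the mock accepts an expression, deriving the size from the payload string rather than hard-coding it would keep the two from drifting apart. All four functions are complete within this hunk.
```c
/* Shared body of the "provider creation must be rejected" validator cases. */
static void expect_http_provider_rejected(const char *full_uri)
{
    struct flb_aws_provider *provider;
    struct flb_config *config;

    setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", full_uri, 1);
    setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);

    flb_aws_client_mock_configure_generator(NULL);

    config = flb_calloc(1, sizeof(struct flb_config));
    TEST_ASSERT(config != NULL);
    mk_list_init(&config->upstreams);

    provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
    TEST_ASSERT(provider == NULL);

    flb_aws_client_mock_destroy_generator();
    flb_free(config);
}

static void test_http_validator_greengrass_invalid_host()
{
    /* correct path but wrong host */
    expect_http_provider_rejected("http://example.com:8080/2016-11-01/credentialprovider/");
}

static void test_http_validator_greengrass_invalid_path()
{
    /* localhost but wrong path */
    expect_http_provider_rejected("http://localhost:8080/invalid/path");
}

static void test_http_validator_greengrass_invalid_path_prefix()
{
    /* localhost but the Greengrass path is not at the start */
    expect_http_provider_rejected("http://localhost:8080/prefix/2016-11-01/credentialprovider/");
}
/* … unchanged: test_http_validator_greengrass_valid, TEST_LIST entries … */
```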