feat: add IoT provider support and related credentials definitions

include/fluent-bit/flb_aws_credentials.h

@@ -34,6 +34,20 @@
 /* 5 second timeout for credential related http requests */
 #define FLB_AWS_CREDENTIAL_NET_TIMEOUT 5
 
+/* IoT Credentials Environment Variables */
+#define AWS_IOT_KEY_FILE               "AWS_IOT_KEY_FILE"
+#define AWS_IOT_CERT_FILE              "AWS_IOT_CERT_FILE"
+#define AWS_IOT_CA_CERT_FILE           "AWS_IOT_CA_CERT_FILE"
+#define AWS_IOT_CREDENTIALS_ENDPOINT   "AWS_IOT_CREDENTIALS_ENDPOINT"
+#define AWS_IOT_THING_NAME             "AWS_IOT_THING_NAME"
+#define AWS_IOT_ROLE_ALIAS             "AWS_IOT_ROLE_ALIAS"
+
+/* Greengrass V2 Config File - fallback source for IoT configuration */
+#define AWS_IOT_GREENGRASS_V2_CONFIG   "AWS_IOT_GREENGRASS_V2_CONFIG_PATH"
+
+/* Greengrass V2 Component Environment Variable - fallback for CA cert */
+#define AWS_GG_ROOT_CA_PATH            "GG_ROOT_CA_PATH"
+
 /*
  * A structure that wraps the sensitive data needed to sign an AWS request
  */
@@ -225,6 +239,11 @@ struct flb_aws_provider *flb_eks_provider_create(struct flb_config *config,
                                                  flb_aws_client_generator
                                                  *generator);
 
+/*
+ * IoT Provider
+ */
+struct flb_aws_provider *flb_iot_provider_create(struct flb_config *config,
+                                                 struct flb_aws_client_generator *generator);
 
 /*
  * STS Assume Role Provider.

src/aws/CMakeLists.txt

@@ -16,6 +16,7 @@ set(src
   "flb_aws_credentials_http.c"
   "flb_aws_credentials_profile.c"
   "flb_aws_aggregation.c"
+  "flb_aws_credentials_iot.c"
   )
 
 message(STATUS "=== AWS Credentials ===")

src/aws/flb_aws_credentials.c

@@ -51,14 +51,14 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
                                                       int eks_irsa,
                                                       char *profile);
 
-
 /*
  * The standard credential provider chain:
  * 1. Environment variables
- * 2. Shared credentials file (AWS Profile)
- * 3. EKS OIDC
- * 4. EC2 IMDS
+ * 2. IoT credentials endpoint (AWS_IOT_* env vars / Greengrass V2 config)
+ * 3. Shared credentials file (AWS Profile)
+ * 4. EKS OIDC
  * 5. ECS HTTP credentials endpoint
+ * 6. EC2 IMDS
  *
  * This provider will evaluate each provider in order, returning the result
  * from the first provider that returns valid credentials.
@@ -566,6 +566,28 @@ static struct flb_aws_provider *standard_chain_create(struct flb_config
 
     mk_list_add(&sub_provider->_head, &implementation->sub_providers);
 
+    /*
+     * IoT Provider - placed after environment provider but before profile provider.
+     *
+     * Rationale for this position in the credential chain:
+     * 1. Standard AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY env vars take precedence
+     *    (handled by env provider above) - explicit credentials always win.
+     * 2. IoT-specific env vars (AWS_IOT_*) or Greengrass V2 config indicate the user
+     *    explicitly wants IoT credentials on devices like AWS Greengrass.
+     * 3. IoT provider comes before profile/EKS/ECS/EC2 because when IoT config
+     *    is present, the device is specifically configured for IoT credentials.
+     *
+     * Configuration sources (in priority order):
+     * - AWS_IOT_* environment variables (explicit)
+     * - AWS_IOT_GREENGRASS_V2_CONFIG_PATH -> config.yaml (Greengrass V2)
+     * - GG_ROOT_CA_PATH fallback for CA certificate
+     */
+    sub_provider = flb_iot_provider_create(config, generator);
+    if (sub_provider) {
+        mk_list_add(&sub_provider->_head, &implementation->sub_providers);
+        flb_debug("[aws_credentials] Initialized IoT Provider in standard chain");
+    }
+
     flb_debug("[aws_credentials] creating profile %s provider", profile);
     sub_provider = flb_profile_provider_create(profile);
     if (sub_provider) {