From ec2321094a66f76f2a1e75f04bea5a0c15e4b6e7 Mon Sep 17 00:00:00 2001 From: Vera Xia Date: Tue, 23 Sep 2025 11:24:54 -0700 Subject: [PATCH 1/3] restore pubsub sample for connect one device service --- samples/node/pub_sub/README.md | 275 +++++++++++++++++++++++++++++ samples/node/pub_sub/index.ts | 198 +++++++++++++++++++++ samples/node/pub_sub/package.json | 27 +++ samples/node/pub_sub/tsconfig.json | 62 +++++++ 4 files changed, 562 insertions(+) create mode 100644 samples/node/pub_sub/README.md create mode 100644 samples/node/pub_sub/index.ts create mode 100644 samples/node/pub_sub/package.json create mode 100644 samples/node/pub_sub/tsconfig.json diff --git a/samples/node/pub_sub/README.md b/samples/node/pub_sub/README.md new file mode 100644 index 00000000..c052fc36 --- /dev/null +++ b/samples/node/pub_sub/README.md @@ -0,0 +1,275 @@ +# Node: MQTT5 PubSub + +[**Return to main sample list**](../../README.md) + +This sample uses the +[Message Broker](https://docs.aws.amazon.com/iot/latest/developerguide/iot-message-broker.html) +for AWS IoT to send and receive messages through an MQTT connection using MQTT5. + +MQTT5 introduces additional features and enhancements that improve the development experience with MQTT. You can read more about MQTT5 in the Java V2 SDK by checking out the [MQTT5 user guide](https://github.com/awslabs/aws-crt-nodejs/blob/main/MQTT5-UserGuide.md). + +Your IoT Core Thing's [Policy](https://docs.aws.amazon.com/iot/latest/developerguide/iot-policies.html) must provide privileges for this sample to connect, subscribe, publish, and receive. Below is a sample policy that can be used on your IoT Core Thing that will allow this sample to run as intended. + +
+(see sample policy) +
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Publish",
+        "iot:Receive"
+      ],
+      "Resource": [
+        "arn:aws:iot:region:account:topic/test/topic"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Subscribe"
+      ],
+      "Resource": [
+        "arn:aws:iot:region:account:topicfilter/test/topic"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Connect"
+      ],
+      "Resource": [
+        "arn:aws:iot:region:account:client/test-*"
+      ]
+    }
+  ]
+}
+
+ +Replace with the following with the data from your AWS account: +* ``: The AWS IoT Core region where you created your AWS IoT Core thing you wish to use with this sample. For example `us-east-1`. +* ``: Your AWS IoT Core account ID. This is the set of numbers in the top right next to your AWS account name when using the AWS IoT Core website. + +Note that in a real application, you may want to avoid the use of wildcards in your ClientID or use them selectively. Please follow best practices when working with AWS on production applications using the SDK. Also, for the purposes of this sample, please make sure your policy allows a client ID of `test-*` to connect or use `--client_id ` to send the client ID your policy supports. + +
+ +## How to run + +### Direct MQTT via mTLS + +To Run this sample using a direct MQTT connection with a key and certificate, go to the `node/pub_sub_mqtt5` folder and run the following commands: + +``` sh +npm install +node dist/index.js --endpoint --cert --key +``` + +You can also pass a Certificate Authority file (CA) if your certificate and key combination requires it: + +``` sh +npm install +node dist/index.js --endpoint --cert --key --ca_file +``` + +### Websockets + +To Run this sample using Websockets, go to the `node/pub_sub_mqtt5` folder and run the follow commands: + +``` sh +npm install +node dist/index.js --endpoint --region +``` + +Note that to run this sample using Websockets, you will need to set your AWS credentials in your environment variables or local files. See the [authorizing direct AWS](https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html) page for documentation on how to get the AWS credentials, which then you can set to the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables. + +## Alternate Connection Configuration Methods supported by AWS IoT Core +We strongly recommend using the AwsIotMqtt5ClientConfigBuilder class to configure MQTT5 clients when connecting to AWS IoT Core. The builder +simplifies configuration for all authentication methods supported by AWS IoT Core. This section shows samples for all authentication +possibilities. + +### Authentication Methods +* [Direct MQTT with X509-based mutual TLS](#direct-mqtt-with-x509-based-mutual-tls) +* [MQTT over Websockets with Sigv4 authentication](#mqtt-over-websockets-with-sigv4-authentication) +* [Direct MQTT with Custom Authentication](#direct-mqtt-with-custom-authentication) +* [Direct MQTT with PKCS11](#direct-mqtt-with-pkcs11-method) +* [Direct MQTT with PKCS12](#direct-mqtt-with-pkcs12-method) +### HTTP Proxy +* [Adding an HTTP Proxy](#adding-an-http-proxy) + +#### Direct MQTT with X509-based mutual TLS +For X509 based mutual TLS, you can create a client where the certificate and private key are configured by path: + +```typescript + let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPath( + , + , + + ); + + // other builder configuration + // ... + let client : Mqtt5Client = new Mqtt5Client(builder.build())); +``` + +You can also create a client where the certificate and private key are in memory: + +```typescript + let cert = fs.readFileSync(,'utf8'); + let key = fs.readFileSync(,'utf8'); + let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromMemory( + , + cert, + key + ); + + // other builder configuration + // ... + let client : Mqtt5Client = new Mqtt5Client(builder.build()); +``` + +#### MQTT over Websockets with Sigv4 authentication +Sigv4-based authentication requires a credentials provider capable of sourcing valid AWS credentials. Sourced credentials +will sign the websocket upgrade request made by the client while connecting. The default credentials provider chain supported by +the SDK is capable of resolving credentials in a variety of environments according to a chain of priorities: + +``` + Environment -> Profile (local file system) -> STS Web Identity -> IMDS (ec2) or ECS +``` + +If the default credentials provider chain and built-in AWS region extraction logic are sufficient, you do not need to specify +any additional configuration: + +```typescript + let builder = AwsIotMqtt5ClientConfigBuilder.newWebsocketMqttBuilderWithSigv4Auth( + + ); + // other builder configuration + // ... + let client : Mqtt5Client = new Mqtt5Client(builder.build()); +``` + +Alternatively, if you're connecting to a special region for which standard pattern matching does not work, or if you +need a specific credentials provider, you can specify advanced websocket configuration options. + +```typescript + // sourcing credentials from the Cognito service in this example + let cognitoConfig: CognitoCredentialsProviderConfig = { + endpoint: "", + identity: "" + }; + + let overrideProvider: CredentialsProvider = AwsCredentialsProvider.newCognito(cognitoConfig); + + let wsConfig : WebsocketSigv4Config = { + credentialsProvider: overrideProvider, + region: "" + }; + + let builder = AwsIotMqtt5ClientConfigBuilder.newWebsocketMqttBuilderWithSigv4Auth( + "", + wsConfig + ); + // other builder configuration + // ... + let client : Mqtt5Client = new Mqtt5Client(builder.build()); +``` + +#### Direct MQTT with Custom Authentication +AWS IoT Core Custom Authentication allows you to use a lambda to gate access to IoT Core resources. For this authentication method, +you must supply an additional configuration structure containing fields relevant to AWS IoT Core Custom Authentication. + +If your custom authenticator does not use signing, you don't specify anything related to the token signature: + +```typescript + let customAuthConfig : MqttConnectCustomAuthConfig = { + authorizerName: "", + username: "", + password: + }; + let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithCustomAuth( + "", + customAuthConfig + ); + let client : Mqtt5Client = new mqtt5.Mqtt5Client(builder.build()); +``` + +If your custom authorizer uses signing, you must specify the three signed token properties as well. The token signature must be +the URI-encoding of the base64 encoding of the digital signature of the token value via the private key associated with the public key +that was registered with the custom authorizer. It is your responsibility to URI-encode the token signature. + +```typescript + let customAuthConfig : MqttConnectCustomAuthConfig = { + authorizerName: "", + username: "", + password: , + tokenKeyName: "", + tokenValue: "", + tokenSignature: "" + }; + let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithCustomAuth( + "", + customAuthConfig + ); + let client : Mqtt5Client = new mqtt5.Mqtt5Client(builder.build()); +``` + +In both cases, the builder will construct a final CONNECT packet username field value for you based on the values configured. Do not add the +token-signing fields to the value of the username that you assign within the custom authentication config structure. Similarly, do not +add any custom authentication related values to the username in the CONNECT configuration optionally attached to the client configuration. +The builder will do everything for you. + +#### Direct MQTT with PKCS11 Method + +A MQTT5 direct connection can be made using a PKCS11 device rather than using a PEM encoded private key, the private key for mutual TLS is stored on a PKCS#11 compatible smart card or Hardware Security Module (HSM). To create a MQTT5 builder configured for this connection, see the following code: + +```typescript + let pkcs11Options : Pkcs11Options = { + pkcs11_lib: "", + user_pin: "", + slot_id: "", + token_label: "", + private_key_object_label: "", + cert_file_path: "", + cert_file_contents: "" + }; + let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs11( + "", + pkcs11Options + ); + let client : Mqtt5Client = new mqtt5.Mqtt5Client(builder.build()); +``` + +Note: Currently, TLS integration with PKCS#11 is only available on Unix devices. + +#### Direct MQTT with PKCS12 Method + +A MQTT5 direct connection can be made using a PKCS12 file rather than using a PEM encoded private key. To create a MQTT5 builder configured for this connection, see the following code: + +```typescript + let builder = AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPkcs12( + "", + "", + "" + ); + let client : Mqtt5Client = new mqtt5.Mqtt5Client(builder.build()); +``` + +Note: Currently, TLS integration with PKCS#12 is only available on MacOS devices. + +### Adding An HTTP Proxy +No matter what your connection transport or authentication method is, you may connect through an HTTP proxy +by applying proxy configuration to the builder: + +```typescript + let builder = AwsIoTMqtt5ClientConfigBuilder.(...); + let proxyOptions : HttpProxyOptions = new HttpProxyOptions("", ); + builder.withHttpProxyOptions(proxyOptions); + + let client : Mqtt5Client = new Mqtt5Client(builder.build()); +``` + +SDK Proxy support also includes support for basic authentication and TLS-to-proxy. SDK proxy support does not include any additional +proxy authentication methods (kerberos, NTLM, etc...) nor does it include non-HTTP proxies (SOCKS5, for example). \ No newline at end of file diff --git a/samples/node/pub_sub/index.ts b/samples/node/pub_sub/index.ts new file mode 100644 index 00000000..1aa1127e --- /dev/null +++ b/samples/node/pub_sub/index.ts @@ -0,0 +1,198 @@ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ + +import {mqtt5, iot} from "aws-iot-device-sdk-v2"; +import {ICrtError} from "aws-crt"; +import {once} from "events"; +import { toUtf8 } from '@aws-sdk/util-utf8-browser'; + +type Args = { [index: string]: any }; + +const yargs = require('yargs'); + +yargs.command('*', false, (yargs: any) => { + yargs.option('endpoint', { + alias: 'e', + description: 'Your AWS IoT custom endpoint, not including a port.', + type: 'string', + required: true + }) + .option('cert', { + alias: 'c', + description: ': File path to a PEM encoded certificate to use with mTLS.', + type: 'string', + required: false + }) + .option('key', { + alias: 'k', + description: ': File path to a PEM encoded private key that matches cert.', + type: 'string', + required: false + }) + .option('region', { + alias: 'r', + description: 'AWS region to establish a websocket connection to. Only required if using websockets and a non-standard endpoint.', + type: 'string', + required: false + }) + .option('client_id', { + alias: 'C', + description: 'Client ID for MQTT connection.', + type: 'string', + required: false + }) + .option('ca_file', { + description: ': File path to a Root CA certificate file in PEM format (optional, system trust store used by default).', + type: 'string', + required: false + }) +}, main).parse(); + +function createClientConfig(args : any) : mqtt5.Mqtt5ClientConfig { + let builder : iot.AwsIotMqtt5ClientConfigBuilder | undefined = undefined; + + if (args.key && args.cert) { + builder = iot.AwsIotMqtt5ClientConfigBuilder.newDirectMqttBuilderWithMtlsFromPath( + args.endpoint, + args.cert, + args.key + ); + } else { + let wsOptions : iot.WebsocketSigv4Config | undefined = undefined; + if (args.region) { + wsOptions = { region: args.region }; + } + + builder = iot.AwsIotMqtt5ClientConfigBuilder.newWebsocketMqttBuilderWithSigv4Auth( + args.endpoint, + // the region extraction logic does not work for gamma endpoint formats so pass in region manually + wsOptions + ); + } + + + if (args.ca_file) { + builder.withCertificateAuthorityFromPath(undefined, args.ca_file); + } + + builder.withConnectProperties({ + clientId: args.client_id || "test-" + Math.floor(Math.random() * 100000000), + keepAliveIntervalSeconds: 1200 + }); + + return builder.build(); +} + +function createClient(args: any) : mqtt5.Mqtt5Client { + + let config : mqtt5.Mqtt5ClientConfig = createClientConfig(args); + + console.log("Creating client for " + config.hostName); + let client : mqtt5.Mqtt5Client = new mqtt5.Mqtt5Client(config); + + client.on('error', (error: ICrtError) => { + console.log("Error event: " + error.toString()); + }); + + client.on("messageReceived",(eventData: mqtt5.MessageReceivedEvent) : void => { + console.log("Message Received event: " + JSON.stringify(eventData.message)); + if (eventData.message.payload) { + console.log(" with payload: " + toUtf8(new Uint8Array(eventData.message.payload as ArrayBuffer))); + } + } ); + + client.on('attemptingConnect', (eventData: mqtt5.AttemptingConnectEvent) => { + console.log("Attempting Connect event"); + }); + + client.on('connectionSuccess', (eventData: mqtt5.ConnectionSuccessEvent) => { + console.log("Connection Success event"); + console.log ("Connack: " + JSON.stringify(eventData.connack)); + console.log ("Settings: " + JSON.stringify(eventData.settings)); + }); + + client.on('connectionFailure', (eventData: mqtt5.ConnectionFailureEvent) => { + console.log("Connection failure event: " + eventData.error.toString()); + if (eventData.connack) { + console.log ("Connack: " + JSON.stringify(eventData.connack)); + } + }); + + client.on('disconnection', (eventData: mqtt5.DisconnectionEvent) => { + console.log("Disconnection event: " + eventData.error.toString()); + if (eventData.disconnect !== undefined) { + console.log('Disconnect packet: ' + JSON.stringify(eventData.disconnect)); + } + }); + + client.on('stopped', (eventData: mqtt5.StoppedEvent) => { + console.log("Stopped event"); + }); + + return client; +} + +async function runSample(args : any) { + + let client : mqtt5.Mqtt5Client = createClient(args); + + const connectionSuccess = once(client, "connectionSuccess"); + + client.start(); + + await connectionSuccess; + + const suback = await client.subscribe({ + subscriptions: [ + { qos: mqtt5.QoS.AtLeastOnce, topicFilter: "hello/world/qos1" }, + { qos: mqtt5.QoS.AtMostOnce, topicFilter: "hello/world/qos0" } + ] + }); + console.log('Suback result: ' + JSON.stringify(suback)); + + const qos0PublishResult = await client.publish({ + qos: mqtt5.QoS.AtMostOnce, + topicName: "hello/world/qos0", + payload: JSON.stringify("This is a qos 0 payload"), + userProperties: [ + {name: "test", value: "userproperty"} + ] + }); + console.log('QoS 0 Publish result: ' + JSON.stringify(qos0PublishResult)); + + const qos1PublishResult = await client.publish({ + qos: mqtt5.QoS.AtLeastOnce, + topicName: "hello/world/qos1", + payload: JSON.stringify("This is a qos 1 payload") + }); + console.log('QoS 1 Publish result: ' + JSON.stringify(qos1PublishResult)); + + let unsuback = await client.unsubscribe({ + topicFilters: [ + "hello/world/qos1" + ] + }); + console.log('Unsuback result: ' + JSON.stringify(unsuback)); + + const stopped = once(client, "stopped"); + + client.stop(); + + await stopped; + + client.close(); +} + +async function main(args : Args){ + // make it wait as long as possible once the promise completes we'll turn it off. + const timer = setTimeout(() => {}, 2147483647); + + await runSample(args); + + clearTimeout(timer); + + process.exit(0); +} + diff --git a/samples/node/pub_sub/package.json b/samples/node/pub_sub/package.json new file mode 100644 index 00000000..acd59071 --- /dev/null +++ b/samples/node/pub_sub/package.json @@ -0,0 +1,27 @@ +{ + "name": "pub-sub-mqtt5", + "version": "1.0.0", + "description": "NodeJS IoT SDK v2 MQTT5 Pub Sub Sample", + "homepage": "https://github.com/aws/aws-iot-device-sdk-js-v2", + "repository": { + "type": "git", + "url": "git+https://github.com/aws/aws-iot-device-sdk-js-v2.git" + }, + "contributors": [ + "AWS SDK Common Runtime Team " + ], + "license": "Apache-2.0", + "main": "./dist/index.js", + "scripts": { + "tsc": "tsc", + "prepare": "npm run tsc" + }, + "devDependencies": { + "@types/node": "^10.17.50", + "typescript": "^4.7.4" + }, + "dependencies": { + "aws-iot-device-sdk-v2": "file:../../..", + "yargs": "^16.2.0" + } +} diff --git a/samples/node/pub_sub/tsconfig.json b/samples/node/pub_sub/tsconfig.json new file mode 100644 index 00000000..92617173 --- /dev/null +++ b/samples/node/pub_sub/tsconfig.json @@ -0,0 +1,62 @@ +{ + "compilerOptions": { + /* Basic Options */ + "target": "es6", /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017','ES2018' or 'ESNEXT'. */ + "module": "commonjs", /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */ + // "lib": [], /* Specify library files to be included in the compilation. */ + // "allowJs": true, /* Allow javascript files to be compiled. */ + // "checkJs": true, /* Report errors in .js files. */ + // "jsx": "preserve", /* Specify JSX code generation: 'preserve', 'react-native', or 'react'. */ + "declaration": true, /* Generates corresponding '.d.ts' file. */ + // "declarationMap": true, /* Generates a sourcemap for each corresponding '.d.ts' file. */ + "sourceMap": true, /* Generates corresponding '.map' file. */ + // "outFile": "./", /* Concatenate and emit output to single file. */ + "outDir": "./dist", /* Redirect output structure to the directory. */ + // "rootDir": "./", /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */ + // "composite": true, /* Enable project compilation */ + // "removeComments": false, /* Do not emit comments to output. */ + // "noEmit": true, /* Do not emit outputs. */ + // "importHelpers": true, /* Import emit helpers from 'tslib'. */ + // "downlevelIteration": true, /* Provide full support for iterables in 'for-of', spread, and destructuring when targeting 'ES5' or 'ES3'. */ + // "isolatedModules": true, /* Transpile each file as a separate module (similar to 'ts.transpileModule'). */ + /* Strict Type-Checking Options */ + "strict": true, /* Enable all strict type-checking options. */ + "noImplicitAny": true, /* Raise error on expressions and declarations with an implied 'any' type. */ + "strictNullChecks": true, /* Enable strict null checks. */ + "strictFunctionTypes": true, /* Enable strict checking of function types. */ + "strictBindCallApply": true, /* Enable strict 'bind', 'call', and 'apply' methods on functions. */ + "strictPropertyInitialization": true, /* Enable strict checking of property initialization in classes. */ + "noImplicitThis": true, /* Raise error on 'this' expressions with an implied 'any' type. */ + "alwaysStrict": true, /* Parse in strict mode and emit "use strict" for each source file. */ + /* Additional Checks */ + "noUnusedLocals": true, /* Report errors on unused locals. */ + // "noUnusedParameters": true, /* Report errors on unused parameters. */ + "noImplicitReturns": true, /* Report error when not all code paths in function return a value. */ + // "noFallthroughCasesInSwitch": true, /* Report errors for fallthrough cases in switch statement. */ + /* Module Resolution Options */ + // "moduleResolution": "node", /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */ + // "baseUrl": "./", /* Base directory to resolve non-absolute module names. */ + // "paths": {}, /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */ + // "rootDirs": [], /* List of root folders whose combined content represents the structure of the project at runtime. */ + // "typeRoots": [], /* List of folders to include type definitions from. */ + // "types": [], /* Type declaration files to be included in compilation. */ + // "allowSyntheticDefaultImports": true, /* Allow default imports from modules with no default export. This does not affect code emit, just typechecking. */ + "esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */ + // "preserveSymlinks": true, /* Do not resolve the real path of symlinks. */ + /* Source Map Options */ + // "sourceRoot": "", /* Specify the location where debugger should locate TypeScript files instead of source locations. */ + // "mapRoot": "", /* Specify the location where debugger should locate map files instead of generated locations. */ + // "inlineSourceMap": true, /* Emit a single file with source maps instead of having a separate file. */ + // "inlineSources": true, /* Emit the source alongside the sourcemaps within a single file; requires '--inlineSourceMap' or '--sourceMap' to be set. */ + /* Experimental Options */ + // "experimentalDecorators": true, /* Enables experimental support for ES7 decorators. */ + // "emitDecoratorMetadata": true, /* Enables experimental support for emitting type metadata for decorators. */ + }, + "include": [ + "*.ts" + ], + "exclude": [ + "node_modules", + "dist" + ] +} \ No newline at end of file From 6183ba9968641f420db369914f2a0b85ed00f2c4 Mon Sep 17 00:00:00 2001 From: Vera Xia Date: Tue, 23 Sep 2025 14:34:09 -0700 Subject: [PATCH 2/3] kick ci From d7e605bf0d8722aba484f1af00273f9d5122f2d0 Mon Sep 17 00:00:00 2001 From: Vera Xia Date: Tue, 23 Sep 2025 15:17:47 -0700 Subject: [PATCH 3/3] remove the smoke test --- codebuild/samples/linux-smoke-tests.yml | 1 - codebuild/samples/setup-linux.sh | 15 --------------- 2 files changed, 16 deletions(-) delete mode 100755 codebuild/samples/setup-linux.sh diff --git a/codebuild/samples/linux-smoke-tests.yml b/codebuild/samples/linux-smoke-tests.yml index 43cf9684..ffdcf0dc 100644 --- a/codebuild/samples/linux-smoke-tests.yml +++ b/codebuild/samples/linux-smoke-tests.yml @@ -14,7 +14,6 @@ phases: build: commands: - echo Build started on `date` - - $CODEBUILD_SRC_DIR/codebuild/samples/setup-linux.sh post_build: commands: - echo Build completed on `date` diff --git a/codebuild/samples/setup-linux.sh b/codebuild/samples/setup-linux.sh deleted file mode 100755 index 6dbcf51f..00000000 --- a/codebuild/samples/setup-linux.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -set -e -set -o pipefail - -env - -# build package -cd $CODEBUILD_SRC_DIR - -ulimit -c unlimited -npm install --unsafe-perm - -cert=$(aws secretsmanager get-secret-value --secret-id "ci/CodeBuild/cert" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$cert" > /tmp/certificate.pem -key=$(aws secretsmanager get-secret-value --secret-id "ci/CodeBuild/key" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key" > /tmp/privatekey.pem