AWS IoT Core credential provider requires private key to be sent

0

I was reading through these docs and noticed that the steps to request a security token require the client to send its private key to the credential provider service.

curl --cert <your certificate> --key <your device certificate key pair> -H "x-amzn-iot-thingname: <your thing name>" --cacert AmazonRootCA1.pem https://<your endpoint>/role-aliases/<your role alias>/credentials

This is mentioned in these docs: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/

Looking at it superficially, I would think this is a security flaw and would defeat the purpose of using asymmetric keys in the first place.

Any help to help me understand what is going on is greatly appreciated.

1 answer
0
Accepted answer

Hi,

The private key is never sent to the Credential Provider. It is used to establish a mutual (mTLS) connection with the endpoint. That gives Credential Provider the ability to verify the presented X.509 certificates.

AWS
Gavin_A
answered a year ago
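To make the accepted answer concrete, here is an added example (not AWS code and not part of the original thread) that reproduces the mTLS posture of the credential provider with only the Go standard library. It builds a throwaway CA, a server certificate and a device certificate in memory, starts a TLS listener that requires and verifies a client certificate, and connects to it as the device. The curl options `--cert` and `--key` correspond to the client's `tls.Config.Certificates`: the key is used locally to sign the handshake and never appears on the wire, and the server side only ever sees the certificate in `PeerCertificates`. The thing-name line the client sends is a stand-in for the `x-amzn-iot-thingname` header, and the server's check that it matches the certificate's CommonName is a simplified assumption about how an identity is bound to a certificate, not the provider's actual logic. The CA name `constructed-device-ca`, the server name `credentials.example` and the thing name `thing-001` are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert generates a P-256 key and a certificate for cn, signed by parentKey (self-signed when parent is nil).
func issueCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // the demo server listens on loopback
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serveOnce is the stand-in credential provider: it accepts one mTLS connection and replies
// "granted=<bool> cn=<cn>", granting only when the claimed thing name matches the certificate identity.
func serveOnce(ln net.Listener) {
	conn, err := ln.Accept()
	if err != nil {
		return
	}
	defer conn.Close()
	var claimed string
	if _, err := fmt.Fscanln(conn, &claimed); err != nil { // the first Read drives the TLS handshake
		return // no trusted certificate with proof of key possession: nothing is issued
	}
	// Only the certificate (public key + identity) is visible here; the handshake signature proved key possession.
	cn := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
	fmt.Fprintf(conn, "granted=%t cn=%s\n", claimed == cn, cn)
}

// RunCredentialExchange builds a throwaway PKI, starts the mTLS server, connects as a device (with or
// without its certificate and key), sends the thing-name header and returns the reply, e.g. "granted=true cn=thing-001".
func RunCredentialExchange(thingNameHeader string, presentCert bool) (string, error) {
	ca, caKey, err := issueCert("constructed-device-ca", 1, true, nil, nil)
	if err != nil {
		return "", err
	}
	srvCert, srvKey, err := issueCert("credentials.example", 2, false, ca, caKey)
	if err != nil {
		return "", err
	}
	devCert, devKey, err := issueCert("thing-001", 3, false, ca, caKey)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, // mTLS
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go serveOnce(ln)
	cliCfg := &tls.Config{RootCAs: pool}
	if presentCert { // like curl's --cert/--key: used locally to sign the handshake, never transmitted
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintln(conn, thingNameHeader) // stands in for the x-amzn-iot-thingname header
	var verdict, cn string
	if _, err := fmt.Fscanln(conn, &verdict, &cn); err != nil {
		return "", fmt.Errorf("no credentials issued: %w", err)
	}
	return verdict + " " + cn, nil
}
```

Calling `RunCredentialExchange("thing-001", true)` yields `granted=true cn=thing-001`; a mismatched header such as `thing-999` is answered with `granted=false cn=thing-001` because the server trusts the identity in the certificate, not the header; and `RunCredentialExchange("thing-001", false)`, a client that cannot sign the handshake, gets no reply at all, which is the point of the answer: possession of the key is proven by a signature inside the handshake, so there is no step where the key itself has to be sent.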
