Add KVSSINK_CA_CERT_PATH env variable (#1270)

david-molnar-oculai · web-flow · commit 9b304527469e · 2025-11-11T09:59:40.000-08:00
* Add KVSSINK_CA_CERT_PATH env variable to set libcurl certPath in kvssink plugin

* Add KVSSINK_CA_CERT_PATH configuration to README.md
diff --git a/README.md b/README.md
@@ -322,6 +322,22 @@ To see all `kvssink` parameters, see [AWS Docs - kvssink Paramters](https://docs
 
 For examples of common use cases, see [Example: Kinesis Video Streams Producer SDK GStreamer Plugin](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/examples-gstreamer-plugin.html).
 
+### Certificate configuration (`KVSSINK_CA_CERT_PATH`)
+
+`kvssink` uses **libcurl** to make HTTP requests to AWS. By default, **libcurl** relies on the system’s standard locations for SSL/TLS certificate verification. In some environments, you may need to override where **libcurl** looks for CA certificates. You can do this by setting the environment variable:
+
+```bash
+export KVSSINK_CA_CERT_PATH=/path/to/certs
+```
+
+The value can be either:
+
+- **A directory** containing certificate files, or  
+- **A single certificate file** (with `.pem` extension).
+
+This is particularly useful in restricted or read-only environments—such as certain camera systems that lack CA certificates.  
+In such cases, you can provide certificate bundle from this repo (`certs/cert.pem`).
+
 <br>
 
 ## Java Native Interface (JNI)
diff --git a/src/gstreamer/KvsSinkDeviceInfoProvider.cpp b/src/gstreamer/KvsSinkDeviceInfoProvider.cpp
@@ -1,4 +1,5 @@
 #include "KvsSinkDeviceInfoProvider.h"
+#include <cstdlib>
 
 using namespace com::amazonaws::kinesis::video;
 
@@ -11,3 +12,11 @@ KvsSinkDeviceInfoProvider::device_info_t KvsSinkDeviceInfoProvider::getDeviceInf
     device_info.clientInfo.serviceCallConnectionTimeout = static_cast<UINT64>(service_call_connection_timeout_sec_ * HUNDREDS_OF_NANOS_IN_A_SECOND);
     return device_info;
 }
+
+const std::string KvsSinkDeviceInfoProvider::getCertPath() {
+    static const std::string cert_path = []() {
+        const char* env_path = std::getenv("KVSSINK_CA_CERT_PATH");
+        return env_path != nullptr ? std::string(env_path) : "";
+    }();
+    return cert_path;
+}
diff --git a/src/gstreamer/KvsSinkDeviceInfoProvider.h b/src/gstreamer/KvsSinkDeviceInfoProvider.h
@@ -19,6 +19,7 @@ namespace com { namespace amazonaws { namespace kinesis { namespace video {
                 service_call_connection_timeout_sec_(service_call_connection_timeout_sec),
                 service_call_completion_timeout_sec_(service_call_completion_timeout_sec) {}
         device_info_t getDeviceInfo() override;
+        const std::string getCertPath() override;
     };
 }
 }

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ namespace com { namespace amazonaws { namespace kinesis { namespace video {`
`19`	`19`	`service_call_connection_timeout_sec_(service_call_connection_timeout_sec),`
`20`	`20`	`service_call_completion_timeout_sec_(service_call_completion_timeout_sec) {}`
`21`	`21`	`device_info_t getDeviceInfo() override;`
	`22`	`+ const std::string getCertPath() override;`
`22`	`23`	`};`
`23`	`24`	`}`
`24`	`25`	`}`