{"id":21354904,"url":"https://github.com/salrashid123/aws-tpm-process-credential","last_synced_at":"2025-07-19T16:36:15.967Z","repository":{"id":204463595,"uuid":"711916183","full_name":"salrashid123/aws-tpm-process-credential","owner":"salrashid123","description":"AWS Process Credentials for Trusted Platform Module (TPM)","archived":false,"fork":false,"pushed_at":"2025-03-24T13:49:35.000Z","size":136,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-12T21:46:43.136Z","etag":null,"topics":["authenticaton","aws","hsm","tpm2","trusted-platform-module"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/salrashid123.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-30T12:39:56.000Z","updated_at":"2025-03-24T13:49:25.000Z","dependencies_parsed_at":"2024-06-07T13:27:47.986Z","dependency_job_id":"6039551f-efa3-447c-8182-86e1844682ae","html_url":"https://github.com/salrashid123/aws-tpm-process-credential","commit_stats":null,"previous_names":["salrashid123/aws-tpm-process-credential"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Faws-tpm-process-credential","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Faws-tpm-process-credential/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Faws-tpm-process-credential/rele
ases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/salrashid123%2Faws-tpm-process-credential/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/salrashid123","download_url":"https://codeload.github.com/salrashid123/aws-tpm-process-credential/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248637832,"owners_count":21137538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authenticaton","aws","hsm","tpm2","trusted-platform-module"],"created_at":"2024-11-22T04:15:17.237Z","updated_at":"2025-07-19T16:36:15.950Z","avatar_url":"https://github.com/salrashid123.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"### AWS Process Credentials for Trusted Platform Module (TPM)\n\nAWS [Process Credential](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) source where the `AWS_SECRET_ACCESS_KEY` is embedded into a `Trusted Platform Module (TPM)`.\n\nUse the binary with the aws cli and any SDK library; after setup, you don't actually need to know the _source_ AWS_SECRET_ACCESS_KEY. \n\nTo use this, you need to save the `AWS_SECRET_ACCESS_KEY` into the TPM:\n\n1. Directly load `AWS_SECRET_ACCESS_KEY` \n\n   With this, you \"load\" the `AWS_SECRET_ACCESS_KEY` into a TPM's [persistentHandle](https://trustedcomputinggroup.org/wp-content/uploads/RegistryOfReservedTPM2HandlesAndLocalities_v1p1_pub.pdf) or a TPM encrypted PEM so that it can only be used on that TPM alone. \n\n2. 
Securely Transfer `AWS_SECRET_ACCESS_KEY` from one host to another\n\n   This flow is not shown in this repo but is described in:  [Duplicate an externally loaded HMAC key](https://github.com/salrashid123/tpm2/tree/master/tpm2_duplicate#duplicate-an-externally-loaded-hmac-key)\n\n\nThis repo shows how to do `1`\n\nIf you're curious how all this works, see\n\n- [AWS Credentials for Hardware Security Modules and TPM based AWS_SECRET_ACCESS_KEY](https://github.com/salrashid123/aws_hmac)\n\n---\n\n### Configuration Options\n\nYou can set the following options on usage:\n\n| Option | Description |\n|:------------|-------------|\n| **`--tpm-path`** | path to the TPM device (default: `/dev/tpm0`) |\n| **`--aws-access-key-id`** | (required) The value for `AWS_ACCESS_KEY_ID`  |\n| **`--persistentHandle`** | Persistent Handle for the HMAC key (default: `0x81008003`) |\n| **`--credential-file`** | Path to the TPM HMAC credential file (default: ``) |\n| **`--keypass`** | Passphrase for the key handle (will use TPM_KEY_AUTH env var) |\n| **`--parentPass`** | Passphrase for the key handle (will use TPM_KEY_AUTH env var) |\n| **`--pcrs`** | PCR Bound value (increasing order, comma separated) |\n| **`--aws-arn`** | AWS ARN value to use (default: ``) |\n| **`--aws-session-name`** | Session Name to use (default: ``) |\n| **`--aws-region`** | AWS Region to use (default: ``) |\n| **`--assumeRole`** | Boolean flag to switch the token type returned (default: `false`) |\n| **`--duration`** | Lifetime for the AWS token (default: `3600s`) |\n| **`--timeout`** | Timeout waiting for HMAC signature from the TPM (default: `2s`) |\n| **`--tpm-session-encrypt-with-name`** | hex encoded TPM object 'name' to use with an encrypted session |\n\n\n### Setup\n\nOn a system which has the TPM, [install go](https://go.dev/doc/install), then run the following which seals the key to `persistentHandle`\n\n```bash\n## add the AWS4 prefix to the raw hmac secret access key prior to import\nexport 
secret=\"AWS4$AWS_SECRET_ACCESS_KEY\"\necho -n $secret \u003e hmac.key\nhexkey=$(xxd -p -c 256 \u003c hmac.key)\n\n## create the primary\n### the specific primary here happens to be the h2 template described later on but you are free to define any template and policy\n### this is the \"H2\" profile from https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#name-parent\nprintf '\\x00\\x00' \u003e unique.dat\ntpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a \"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt\" -u unique.dat\n\ntpm2_import -C primary.ctx -G hmac -i hmac.key -u hmac.pub -r hmac.priv \ntpm2_flushcontext -t \u0026\u0026 tpm2_flushcontext -s \u0026\u0026 tpm2_flushcontext -l\ntpm2_load -C primary.ctx -u hmac.pub -r hmac.priv -c hmac.ctx \n\n## either create a persistent handle or encode into a PEM file\n# tpm2_evictcontrol -C o -c hmac.ctx 0x81010002\n\ntpm2_encodeobject -C primary.ctx -u hmac.pub -r  hmac.priv -o private.pem\n\n## or golang:\n# $ git clone https://github.com/salrashid123/aws_hmac.git\n# $ cd aws_hmac/example/tpm\n# $ go run create/main.go --accessKeyID $AWS_ACCESS_KEY_ID \\\n#    --secretAccessKey $AWS_SECRET_ACCESS_KEY \\\n#    --persistentHandle=0x81010002 --out=private.pem\n```\n\nAt this point the hmac key is saved to *both* a persistent handle and an encrypted representation as PEM (see [tpm2 primary key for (eg TCG EK Credential Profile H-2 profile](https://gist.github.com/salrashid123/9822b151ebb66f4083c5f71fd4cdbe40))\n\n```bash\n-----BEGIN TSS2 PRIVATE KEY-----\nMIHyBgZngQUKAQMCBQCAAAAABDIAMAAIAAsABABSAAAABQALACBkiLm1axCgdEJd\nx2/m1J3k070HR2AY7fPXJ+ebWLciPQSBrACqACBcyk0W0lW71RgcPEeFJmOCmmOZ\nWw98+HwktElq9tPMWgAQRKX1ES2lUlg1h3psbVKbI38kuUWjFu1/27R/8r4cnGHx\nK/2tVabz5qHl5T7UvnBJ8Cka1joTVmVugt9aNqHSlgovvnjwxWtok4rgyHPxPjly\nCqYYr6ZsALXv/mmvs6dyeuz3Xo9YPFmzTxnvEfqZHhpNAOe8fB8HzouLczT2vRLl\nnwb+VkA=\n-----END TSS2 PRIVATE KEY-----\n```\n\nYou can use either way.  
With files, you can dynamically specify the credentials to use, while with persistent handles you need to load them first and have limited capacity.\n\nTo run this directly\n\n```bash\n\ngo build -o aws-tpm-process-credential cmd/main.go\n\n## using persistent handle\n./aws-tpm-process-credential  --aws-region=us-east-1 \\\n    --aws-session-name=mysession --assumeRole=false --persistentHandle=0x81010002 \\\n    --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600\n\n# using encrypted file\n./aws-tpm-process-credential  --aws-region=us-east-1 \\\n    --aws-session-name=mysession --assumeRole=false --credential-file=/path/to/private.pem \\\n    --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600    \n```\n\n### Configure AWS Process Credential Profiles\n\nTo test the process credential API and persistent handle, first download `aws-tpm-process-credential` from the Releases section or build it on your own\n\nThis repo assumes that the user `\"arn:aws:iam::291738886548:user/svcacct1\"` has access to AssumeRole on `arn:aws:iam::291738886548:role/gcpsts` and that both the user and the role have access to an s3 bucket\n\n![images/role_trust.png](images/role_trust.png)\n\n\nEdit  `~/.aws/config` and set the process credential parameters \n\nif you want to use `persistentHandle`:\n\n```conf\n[profile sessiontoken]\ncredential_process = /path/to/aws-tpm-process-credential  --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=false --persistentHandle=0x81010002 --aws-access-key-id=AKIAUH3H6EGK-redacted  --duration=3600\n\n[profile assumerole]\ncredential_process = /path/to/aws-tpm-process-credential  --aws-arn=\"arn:aws:iam::291738886548:role/gcpsts\" --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=true --persistentHandle=0x81010002 --aws-access-key-id=AKIAUH3H6EGK-redacted  --duration=3600 \n```\n\nor credential file:\n\n```conf\n[profile sessiontokenfile]\ncredential_process = /path/to/aws-tpm-process-credential  --aws-region=us-east-1 
--aws-session-name=mysession --assumeRole=false --credential-file=/path/to/private.pem --aws-access-key-id=AKIAUH3H6EGK-redacted  --duration=3600\n\n[profile assumerolefile]\ncredential_process = /path/to/aws-tpm-process-credential  --aws-arn=\"arn:aws:iam::291738886548:role/gcpsts\" --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=true --credential-file=/path/to/private.pem --aws-access-key-id=AKIAUH3H6EGK-redacted  --duration=3600 \n```\n\n#### Verify AssumeRole\n\n\nTo verify `AssumeRole` first just run `aws-tpm-process-credential` directly\n\n```bash\n$ /path/to/aws-tpm-process-credential \\\n   --aws-arn=\"arn:aws:iam::291738886548:role/gcpsts\" --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=true --persistentHandle=0x81010002 --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600 \n\n{\n  \"Version\": 1,\n  \"AccessKeyId\": \"ASIAUH3H6EGKIA6WLCJG\",\n  \"SecretAccessKey\": \"h7anawgBS5xNPlUcJ2P7x9YED5iltredacted\",\n  \"SessionToken\": \"FwoGZXIvYXdzEKz//////////wEaDK+OR7VuQewac2+redacted\",\n  \"Expiration\": \"2023-10-29T19:33:27+0000\"\n}\n```\n\nif that works, verify the aws cli\n\n```bash\n$ aws sts get-caller-identity  --profile assumerole\n{\n    \"UserId\": \"AROAUH3H6EGKHZUSB4BC5:mysession\",\n    \"Account\": \"291738886548\",\n    \"Arn\": \"arn:aws:sts::291738886548:assumed-role/gcpsts/mysession\"\n}\n\n# then finally s3\n$  aws s3 ls mineral-minutia --region us-east-2 --profile sessiontoken\n2020-08-10 02:52:08        411 README.md\n2020-11-03 00:16:00          3 foo.txt\n```\n\n#### Verify SessionToken\n\nTo verify the session token, first just run `aws-tpm-process-credential` directly\n\n```bash\n$  sudo /path/to/aws-tpm-process-credential \\\n    --aws-region=us-east-1 --aws-session-name=mysession --assumeRole=false --persistentHandle=0x81010002 --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600\n\n{\n  \"Version\": 1,\n  \"AccessKeyId\": \"ASIAUH3H6EGKFOX7G5XU\",\n  \"SecretAccessKey\": 
\"lwfjGGh41y/3RI0HUlYJFCK5LWxredacted\",\n  \"SessionToken\": \"FwoGZXIvYXdzEKv//////////wEaDOrG0ZqGoVCnU89juyKBredacted\",\n  \"Expiration\": \"2023-10-29T18:59:58+0000\"\n}\n```\n\nif that works, verify the aws cli\n\n```bash\n$ aws sts get-caller-identity  --profile sessiontoken\n{\n    \"UserId\": \"AIDAUH3H6EGKDO36JYJH3\",\n    \"Account\": \"291738886548\",\n    \"Arn\": \"arn:aws:iam::291738886548:user/svcacct1\"\n}\n\n# then finally s3\n$ aws s3 ls mineral-minutia --region us-east-2 --profile sessiontoken\n2020-08-10 02:52:08        411 README.md\n2020-11-03 00:16:00          3 foo.txt\n```\n\n### Testing\n\n```bash\nexport AWS_ACCESS_KEY_ID=redacted\nexport AWS_SECRET_ACCESS_KEY=redacted\nexport AWS_ROLE_SESSION_NAME=mysession\nexport AWS_DEFAULT_REGION=us-east-1\nexport AWS_ROLE_ARN=arn:aws:iam::291738886548:role/cicdrole\nexport AWS_ACCOUNT_ARN=arn:aws:iam::291738886548:user/testservice\nexport AWS_ROLE_SESSION_ARN=arn:aws:sts::291738886548:assumed-role/cicdrole/mysession\n\ngo test -v\n```\n\n---\n\n### Encrypted KeyFile format\n\nThe TPM encrypted file is not decodable in userspace (it must be used inside the TPM by the TPM).  
The default format used here is compatible with openssl as described in [ASN.1 Specification for TPM 2.0 Key Files](https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html#name-parent)  where the template h-2 is described in pg 43 [TCG EK Credential Profile](https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p4_r2_10feb2021.pdf)\n\nOf course the encrypted key can **ONLY** be used on that TPM.\n\n\n### PCR Policy\n\nIf you want to set up access to the key using a TPM PCR policy (eg, pcr values you specified during key creation must be met during signing), then configure it first during key creation:\n\n\nIn the following PCR 23 is used:\n\n```bash\nexport secret=\"AWS4$AWS_SECRET_ACCESS_KEY\"\necho -n $secret \u003e hmac.key\nhexkey=$(xxd -p -c 256 \u003c hmac.key)\n\ntpm2_startauthsession -S session.dat\ntpm2_policypcr -S session.dat -l sha256:23  -L policy.dat\ntpm2_flushcontext session.dat\n\nprintf '\\x00\\x00' \u003e unique.dat\ntpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a \"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt\" -u unique.dat\n\ntpm2_import -C primary.ctx -G hmac -i hmac.key -u hmac.pub -r hmac.priv -L policy.dat\ntpm2_load -C primary.ctx -u hmac.pub -r hmac.priv -c hmac.ctx \n\n## either use persistent handle or PEM file\ntpm2_evictcontrol -C o -c hmac.ctx 0x81010003\ntpm2_encodeobject -C primary.ctx -u hmac.pub -r  hmac.priv -o private.pem\n```\n\nAnd then again by passing through the `--pcrs=` parameter\n\n```bash\n./aws-tpm-process-credential \\\n --aws-arn=\"arn:aws:iam::291738886548:role/gcpsts\" --aws-region=us-east-1 \\\n   --aws-session-name=mysession --assumeRole=true --persistentHandle=0x81010003 \\\n    --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600 --pcrs=23\n```\n\nOf course, if you alter the PCR value, the key can't be used for signing again\n\n```bash\n$ tpm2_pcrread sha256:23\n  sha256:\n    23: 
0xC78009FDF07FC56A11F122370658A353AAA542ED63E44C4BC15FF4CD105AB33C\n\n$ tpm2_pcrextend 23:sha256=0xC78009FDF07FC56A11F122370658A353AAA542ED63E44C4BC15FF4CD105AB33C\n```\n\n### Password Policy\n\nIf you want to setup access to the key using a TPM Password policy (eg, you have to supply a passphrase first), then configure it first during key creation:\n\n```bash\nexport passphrase=\"testpwd\"\nexport secret=\"AWS4$AWS_SECRET_ACCESS_KEY\"\necho -n $secret \u003e hmac.key\nhexkey=$(xxd -p -c 256 \u003c hmac.key)\n\nprintf '\\x00\\x00' \u003e unique.dat\ntpm2_createprimary -C o -G ecc  -g sha256  -c primary.ctx -a \"fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt\" -u unique.dat\n\ntpm2_import -C primary.ctx -G hmac -i hmac.key -u hmac.pub -r hmac.priv -p $passphrase\ntpm2_load -C primary.ctx -u hmac.pub -r hmac.priv -c hmac.ctx \n\n## either use persistent handle or PEM file\ntpm2_evictcontrol -C o -c hmac.ctx 0x81010004\ntpm2_encodeobject -C primary.ctx -u hmac.pub -r  hmac.priv -o private.pem\n```\n\nAnd then again by passing through the `--keyPass=` parameter\n\n```bash\n./aws-tpm-process-credential \\\n --aws-arn=\"arn:aws:iam::291738886548:role/gcpsts\" --aws-region=us-east-1 \\\n  --aws-session-name=mysession --assumeRole=true --persistentHandle=0x81010004 \\\n  --aws-access-key-id=$AWS_ACCESS_KEY_ID  --duration=3600 --keyPass=$passphrase\n```\n\nIf you want to create a custom policy, you need to modify the code as described [here](https://github.com/salrashid123/aws_hmac/blob/main/example/tpm/README.md#pcr-policy)\n\n\n### SoftwareTPM\n\nIf you just want to test this with a software TPM:\n\n```bash\n## Initialize TPM-A\nrm -rf /tmp/myvtpm \u0026\u0026 mkdir /tmp/myvtpm\nsudo swtpm_setup --tpmstate /tmp/myvtpm --tpm2 --create-ek-cert\nsudo swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear\n\nexport TPM2TOOLS_TCTI=\"swtpm:port=2321\"\ntpm2_pcrread 
sha256:0,23\n```\n\n#### Verify Release Binary\n\nIf you download a binary from the \"Releases\" page, you can verify the signature with GPG:\n\n```bash\ngpg --keyserver keys.openpgp.org --recv-keys 3FCD7ECFB7345F2A98F9F346285AEDB3D5B5EF74\n\nexport VERSION=0.0.7\n## to verify the checksum file for a given release:\n## (braces are required: $VERSION_checksums would be read as a different, unset variable)\nwget https://github.com/salrashid123/aws-tpm-process-credential/releases/download/v$VERSION/aws-tpm-process-credential_${VERSION}_checksums.txt\nwget https://github.com/salrashid123/aws-tpm-process-credential/releases/download/v$VERSION/aws-tpm-process-credential_${VERSION}_checksums.txt.sig\n\ngpg --verify aws-tpm-process-credential_${VERSION}_checksums.txt.sig aws-tpm-process-credential_${VERSION}_checksums.txt\n```\n\n#### Verify Release Binary with github Attestation\n\nYou can also verify the binary using [github attestation](https://github.blog/news-insights/product-news/introducing-artifact-attestations-now-in-public-beta/)\n\nFor example, the attestation for releases `[@refs/tags/v0.0.7]` can be found at\n\n* [https://github.com/salrashid123/aws-tpm-process-credential/attestations](https://github.com/salrashid123/aws-tpm-process-credential/attestations)\n\nThen to verify:\n\n```bash\n$ export VERSION=0.0.7\n$ wget https://github.com/salrashid123/aws-tpm-process-credential/releases/download/v$VERSION/aws-tpm-process-credential_${VERSION}_linux_amd64\n$ wget https://github.com/salrashid123/aws-tpm-process-credential/attestations/4853131/download -O salrashid123-aws-tpm-process-credential-attestation-4853131.json\n\n$ gh attestation verify --owner salrashid123 --bundle salrashid123-aws-tpm-process-credential-attestation-4853131.json  aws-tpm-process-credential_${VERSION}_linux_amd64\n```\n\n### Encrypted TPM Sessions\n\nIf you want to enable [TPM Encrypted sessions](https://github.com/salrashid123/tpm2/tree/master/tpm_encrypted_session), you should provide the \"name\" of a trusted key on the TPM for each call.\n\nA trusted key can be the EK Key. 
You can get the name using `tpm2_tools`:\n\n```bash\ntpm2_createek -c primary.ctx -G rsa -u ek.pub -Q\ntpm2_readpublic -c primary.ctx -o ek.pem -n name.bin -f pem -Q\nxxd -p -c 100 name.bin \n  000bb50d34f6377bb3c2f41a1b4b6094ed6efcd7032d28054566db0766879dad1ee0\n```\n\nThen use the hex value returned in the `--tpm-session-encrypt-with-name=` argument.\n\nFor example:\n\n```bash\n   --tpm-session-encrypt-with-name=000bb50d34f6377bb3c2f41a1b4b6094ed6efcd7032d28054566db0766879dad1ee0\n```\n\nYou can also derive the \"name\" from a public key of a known template:\n\nsee [go-tpm.tpm2_get_name](https://github.com/salrashid123/tpm2/tree/master/tpm2_get_name)\n\n#### References\n\n- [TPM Credential Source for Google Cloud SDK](https://github.com/salrashid123/gcp-adc-tpm)\n- [PKCS-11 Credential Source for Google Cloud SDK](https://github.com/salrashid123/gcp-adc-pkcs)\n- [AWS Authentication using TPM HMAC](https://github.com/salrashid123/aws_hmac/tree/main/example/tpm#usage-tpm)\n- [AWS Configuration and credential file settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Faws-tpm-process-credential","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsalrashid123%2Faws-tpm-process-credential","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsalrashid123%2Faws-tpm-process-credential/lists"}