[1.3.43] — 2026-05-18
Added
- AWS IoT Core (Phase 1) — new service covering the control plane and a WebSocket-only MQTT data plane. Control plane: CreateThing/DescribeThing/ListThings/UpdateThing/DeleteThing, CreateThingType and group, CreateThingGroup + AddThingToThingGroup/RemoveThingFromThingGroup, certificates via a new in-process Local CA (CreateKeysAndCertificate, RegisterCertificate, UpdateCertificate, DeleteCertificate, ListCertificates), AttachThingPrincipal/DetachThingPrincipal/ListThingPrincipals/ListPrincipalThings, policies with versioning (CreatePolicy, CreatePolicyVersion, GetPolicyVersion, ListPolicyVersions, SetDefaultPolicyVersion, DeletePolicyVersion), policy attachment (AttachPolicy, DetachPolicy, ListAttachedPolicies, ListTargetsForPolicy), and DescribeEndpoint returning a per-account hostname. Data plane: HTTP iot-data Publish at POST /topics/{topic} with QoS 0/1 and ?retain=true, plus MQTT 3.1.1 over WebSocket multiplexed on the gateway port (clients use the mqtt Sec-WebSocket-Protocol value and connect to the address returned by DescribeEndpoint). Multi-tenancy enforced by transparent topic prefixing in the bridge layer — the account ID is resolved from the SigV4 credential at WebSocket upgrade and topics are prefixed before they hit the in-process pub/sub registry, so two accounts publishing to the same topic name never see each other's traffic. Persistent sessions (cleanSession=0), QoS 1 in-flight tracking + retransmit with DUP flag, Last Will and Testament on ungraceful disconnect, duplicate-client-id force-disconnect, and retained-message delivery on subscribe all implemented per MQTT 3.1.1. Local CA root certificate exposed at GET /_ministack/iot/ca.pem so test code can configure SDK trust; CA + broker state (retained messages, persistent sessions) persist across restarts when PERSIST_STATE=1. Deferred to later phases: Device Shadows, mTLS on 8883, ListRetainedMessages queries, Rules Engine, Jobs, Fleet Provisioning. IoT policy documents are stored but not enforced on the data plane. Plain TCP 1883 is intentionally not exposed (real AWS IoT requires TLS or SigV4 on every connection). Requires the cryptography package (declared in the [full] optional dependency); slim image users hit a clean RuntimeError on first IoT call. Contributed by @jgrumboe.
- Athena ↔ Glue catalog integration + S3 result persistence — StartQueryExecution now resolves database.table references against Glue's GetTable to find the underlying S3 location, so queries against Glue-managed tables work without hand-written read_csv('s3://...') paths. Completed query results are written to the configured OutputLocation as <id>.csv plus a <id>.csv.metadata companion (column names + Athena-mapped types) — the CSV file includes the column-name header row as the first line, matching real Athena's output format. Mixed queries combining Glue tables with explicit s3:// URIs in the same statement also resolve correctly. Contributed by @m7w.
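The topic-prefixing isolation described in the AWS IoT Core entry above, sketched as an added example (not MiniStack's own code). Registry, Bridge and the account IDs are hypothetical names and constructed values; the point shown is that even the widest wildcard filter stays inside the subscriber's account prefix.

```python
# Added illustration, not MiniStack source. Registry/Bridge are hypothetical names.

def topic_matches(topic_filter, topic):
    """MQTT 3.1.1 filter match: '+' spans one level, '#' the remaining levels."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_parts):
        if f == "#":
            return i == len(f_parts) - 1      # '#' is only valid as the last level
        if i >= len(t_parts) or (f != "+" and f != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

class Registry:
    """Shared in-process pub/sub; it only ever sees account-prefixed names."""
    def __init__(self):
        self.subs = []                        # (scoped_filter, deliver_callback)

    def publish(self, scoped_topic, payload):
        for flt, deliver in self.subs:
            if topic_matches(flt, scoped_topic):
                deliver(scoped_topic, payload)

class Bridge:
    """One per connection; the account is fixed at connect time, never client-supplied."""
    def __init__(self, registry, account_id):
        if not (len(account_id) == 12 and account_id.isascii() and account_id.isdigit()):
            raise ValueError("account id must be 12 ASCII digits")
        self.registry, self.prefix, self.inbox = registry, account_id + "/", []

    def subscribe(self, topic_filter):
        self.registry.subs.append((self.prefix + topic_filter, self._deliver))

    def publish(self, topic, payload):
        if "+" in topic or "#" in topic:
            raise ValueError("wildcards are not allowed in a publish topic")
        self.registry.publish(self.prefix + topic, payload)

    def _deliver(self, scoped_topic, payload):
        # Strip the prefix so the client sees the topic name it used.
        self.inbox.append((scoped_topic[len(self.prefix):], payload))

def demo():
    reg = Registry()
    a, b = Bridge(reg, "111111111111"), Bridge(reg, "222222222222")  # constructed IDs
    a.subscribe("#")                          # widest filter, still scoped to account A
    b.subscribe("sensors/+")
    a.publish("sensors/temp", b"21")
    b.publish("sensors/temp", b"99")
    return a.inbox, b.inbox
```

A test suite exercising the emulator can assert the same property end to end: subscribe to # under one account's credentials and confirm nothing published under a second account arrives.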
Fixed
- EventBridge rule targets pointing at Step Functions state machines — targets with an ARN of the form arn:aws:states:<region>:<account>:stateMachine:<name> previously fell through to the "unsupported target type" warning and silently dropped events. The dispatcher now calls into the existing stepfunctions._start_execution, which runs the execution on a daemon thread with a contextvars.copy_context() snapshot so the request's account context is preserved. The transformed payload (post Input/InputPath/InputTransformer) is passed verbatim as the execution input, so Input* features work for free. RoleArn on the target is accepted and ignored, matching how the existing Lambda/SQS/SNS dispatchers handle it. Contributed by @DaviReisVieira.
- Step Functions StartExecution accepts version and alias ARNs — real AWS lets callers (and EventBridge targets) reference a state machine by its base ARN, a published-version ARN (stateMachine:<name>:<version>), or an alias ARN routed via CreateStateMachineAlias. Previously only the base ARN resolved — versions and aliases returned StateMachineDoesNotExist. A new resolver walks the base / version / alias stores; alias dispatch picks the highest-weighted version in the routing configuration (ties → first listed) for deterministic test behaviour. EventBridge → Step Functions dispatch leans on the same resolver, so EB rules pinning a target to a specific version or alias now actually fire.
- Athena DuckDB queries no longer stall the event loop — StartQueryExecution previously scheduled the DuckDB run via asyncio.create_task, but DuckDB's conn.execute() is a blocking C call so the asyncio loop sat idle for the full query duration, stalling every other in-flight request on the single-process server. Wrapped in asyncio.to_thread so multiple concurrent Athena queries run on worker threads and the loop stays free.
- Step Functions aws-sdk:lambda integration — arn:aws:states:::aws-sdk:lambda:getAlias and getFunctionConfiguration now dispatch through the Lambda REST emulator with JSONPath-resolved FunctionName, Name, and Qualifier parameters. Unblocks readiness workflows that verify a Lambda alias and its published version before invoking it. The dispatcher captures the caller's account ID from the request contextvar and embeds it in the synthetic Authorization header (instead of hardcoding test), so SFN executions running under a non-default 12-digit account correctly resolve Lambdas in their own account scope. Contributed by @jayjanssen.
- Lambda published-version readiness propagates from $LATEST — published version snapshots created while $LATEST is still Pending/InProgress now transition to Active/Successful with the function, so GetFunctionConfiguration --qualifier <version> converges instead of staying stuck after the alias points at the version. Contributed by @jayjanssen.
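The account-context snapshot mentioned in the EventBridge → Step Functions entry, as an added example (not MiniStack's own code). current_account and start_execution are hypothetical stand-ins and the account IDs are constructed; it shows that a contextvars.copy_context() snapshot taken at dispatch time pins each background execution to the account that triggered it, even after the dispatching code has moved on to another caller.

```python
import contextvars
import threading

# Hypothetical stand-in for the emulator's per-request account context variable.
current_account = contextvars.ContextVar("current_account", default="000000000000")

def start_execution(state_machine, payload, results, gate):
    """Run the 'execution' on a daemon thread under a snapshot of the caller's context."""
    ctx = contextvars.copy_context()          # taken now, on the dispatching thread

    def run():
        gate.wait()                           # constructed delay: the caller moves on first
        results.append((state_machine, current_account.get(), payload))

    t = threading.Thread(target=ctx.run, args=(run,), daemon=True)
    t.start()
    return t

def demo():
    results, gate, threads = [], threading.Event(), []
    # Two events dispatched back to back for different tenants (constructed IDs).
    for acct, sm in (("111111111111", "orders"), ("222222222222", "billing")):
        current_account.set(acct)             # handler resolves the caller's account
        threads.append(start_execution(sm, {"detail": sm}, results, gate))
    current_account.set("999999999999")       # a later, unrelated request
    gate.set()                                # only now do the executions read the account
    for t in threads:
        t.join()
    return sorted(results, key=lambda r: r[0])
```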