AWS GreenGrass V2 Lambda - Token Exchange Service not loading credentials before the lambda is invoked

0

I am running a lambda on a Greengrass core device, and the lambda is invoked from an IoT Core message. The topic has a retained flag so the device gets the message if it is offline when published. When I restart the device and the lambda subscribes to the topic and the lambda is invoked immediately, I get a CredentialsProviderError: Could not load credentials from any providers. If I then publish the same message again after 5-10 seconds, the lambda executes with no errors. It's as if the lambda is not loading the credentials before it is invoked. Is there a workaround for this? I have the TokenExchangeService as a hard dependency for the lambda component:

 "aws.greengrass.TokenExchangeService": {
      "VersionRequirement": ">=2.0.0 <3.0.0",
      "DependencyType": "HARD"
 }

  • Does the error message appear in the greengrass.log or in your lambda function component logs? Do you use an AWS SDK in your lambda to access a cloud-side AWS API? If you use an SDK in your code, could you dump the environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI in your lambda code during both executions?

asked 2 years ago, 282 views
1 Answer
1

Hello Phil,

This is the expected behavior; credentials are not fetched until they are requested from the token exchange service (TES) by some application. All lambdas, for example, depend on TES by default, but not all lambdas may actually want or need credentials, so they are only fetched from AWS when something actually requests them.

Your lambda should retry the failed API call which will cause the credentials to be requested again. It should succeed on retries as long as the device is connected to the internet and is allowed to get credentials. Verify in /greengrass/v2/logs/greengrass.log that there are no errors when requesting credentials. You will see "Received IAM credentials that will be cached until" in the log file when credentials are successfully retrieved by Greengrass and cached.

Cheers,

Michael

AWS EXPERT, answered 2 years ago
AWS EXPERT, reviewed 9 months ago
AWS EXPERT Chris_G, reviewed 2 years ago
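
The retry recommended in the answer, as an added example that is not part of the original thread or AWS code: a wrapper that retries only the credential-loading failure quoted in the question and rethrows everything else. The names `withCredentialRetry` and `makeFlakyCall`, the attempt count and the delays are assumptions; `makeFlakyCall` is a constructed stand-in for an SDK call so the block runs offline.

```javascript
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Retry `call` with exponential backoff while credentials cannot be loaded.
async function withCredentialRetry(call, opts = {}) {
  const { maxAttempts = 6, baseDelayMs = 500, maxDelayMs = 8000, wait = sleep } = opts;
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      return await call();
    } catch (err) {
      // Only the credential-loading failure is retried. Authorization or
      // validation errors are rethrown at once so they are never masked.
      if (err.name !== 'CredentialsProviderError') throw err;
      lastError = err;
      if (attempt === maxAttempts) break;
      // 500 ms, 1 s, 2 s, ... capped at maxDelayMs
      await wait(Math.min(maxDelayMs, baseDelayMs * 2 ** (attempt - 1)));
    }
  }
  throw lastError; // still no credentials: surface the error to the caller
}

// Constructed stand-in for an SDK call: fails with the error from the
// question for the first `failures` attempts, then succeeds.
function makeFlakyCall(failures) {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= failures) {
      const err = new Error('Could not load credentials from any providers');
      err.name = 'CredentialsProviderError';
      throw err;
    }
    return { ok: true, calls };
  };
}

// Runs the wrapper against the stand-in, recording delays instead of sleeping.
async function demo() {
  const delays = [];
  const result = await withCredentialRetry(makeFlakyCall(3), {
    wait: async (ms) => { delays.push(ms); },
  });
  return { result, delays };
}

demo().then((r) => console.log(r));
```

In a real handler, `call` would be the SDK request that failed, for example `() => client.send(command)`.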
