Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Lambda component with IPC permissions in Greengrass V2

0

We have migrated a lambda from AWS Greengrass v1 to AWS Greengrass v2. This lambda needs to extract and decrypt a secret from Greengrass Core.

How can we authorize the component to perform IPC permissions to the lambda for that? Regular components recipes have the option ComponentConfiguration/DefaultConfiguration/accessControl. However when we build the component out of a lambda using AWS CLI create-component-version and option --lambda-function, there is no option to assign authorization policies.

One way we tried to make it work is by using a merge update in our deployment (as documented here).

    "accessControl": {
        "aws.greengrass.SecretManager": {
            "<my-component>:secrets:1": {
                "policyDescription": "Credentials for server running on edge.",
                "operations": [
                    "aws.greengrass#GetSecretValue"
                ],
                "resources": [
                    "arn:aws:secretsmanager:us-east-1:<account-id>:secret:xxxxxxxxxx"
                ]
            }
        }
    }

However the end recipe of the component (in the deployment) does not display the accessControl (AWS Greengrass Console), so we assume it has not been merge updated.

...
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "lambdaExecutionParameters": {
        "EnvironmentVariables": {
          "LOG_LEVEL": "DEBUG"
        }
      },
      "containerParams": {
        "memorySize": 16384,
        "mountROSysfs": false,
        "volumes": {},
        "devices": {}
      },
      "containerMode": "NoContainer",
      "timeoutInSeconds": 30,
      "maxInstancesCount": 10,
      "inputPayloadEncodingType": "json",
      "maxQueueSize": 200,
      "pinned": false,
      "maxIdleTimeInSeconds": 30,
      "statusTimeoutInSeconds": 30,
      "pubsubTopics": {
        "0": {
          "topic": "dt/app/+/status/update",
          "type": "PUB_SUB"
        }
      }
    }
  },

Any guidance here would be greatly appreciated! Thanks

Temas
Internet de las cosas (IoT)Sin servidorCálculo
Etiquetas
AWS IoT GreengrassAWS Lambda
Idioma
English
profile picture
rodmaz
preguntada hace un año464 visualizaciones
1 Respuesta
1
Respuesta aceptada

Merge updates are in a deployment, they do not update the recipe of the component.

The merge is the correct way to set the access control. You can view the actual configuration which is applied on the device by using the local greengrass CLI. https://docs.aws.amazon.com/greengrass/v2/developerguide/gg-cli-component.html#component-details

AWS
EXPERTO
MichaelDombrowski-AWS
respondido hace un año
profile pictureAWS
EXPERTO
Greg_B
revisado hace 6 meses
profile picture
EXPERTO
Sedat Salman
revisado hace 10 meses
  • rodmaz
    hace un año

    We checked using Greengrass-cli in GG Core and the accessControl is there. Works like a charm! Thanks!

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante