AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Lambda component with IPC permissions in Greengrass V2

0

We have migrated a lambda from AWS Greengrass v1 to AWS Greengrass v2. This lambda needs to extract and decrypt a secret from Greengrass Core.

How can we authorize the component to perform IPC permissions to the lambda for that? Regular components recipes have the option ComponentConfiguration/DefaultConfiguration/accessControl. However when we build the component out of a lambda using AWS CLI create-component-version and option --lambda-function, there is no option to assign authorization policies.

One way we tried to make it work is by using a merge update in our deployment (as documented here).

    "accessControl": {
        "aws.greengrass.SecretManager": {
            "<my-component>:secrets:1": {
                "policyDescription": "Credentials for server running on edge.",
                "operations": [
                    "aws.greengrass#GetSecretValue"
                ],
                "resources": [
                    "arn:aws:secretsmanager:us-east-1:<account-id>:secret:xxxxxxxxxx"
                ]
            }
        }
    }

However the end recipe of the component (in the deployment) does not display the accessControl (AWS Greengrass Console), so we assume it has not been merge updated.

...
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "lambdaExecutionParameters": {
        "EnvironmentVariables": {
          "LOG_LEVEL": "DEBUG"
        }
      },
      "containerParams": {
        "memorySize": 16384,
        "mountROSysfs": false,
        "volumes": {},
        "devices": {}
      },
      "containerMode": "NoContainer",
      "timeoutInSeconds": 30,
      "maxInstancesCount": 10,
      "inputPayloadEncodingType": "json",
      "maxQueueSize": 200,
      "pinned": false,
      "maxIdleTimeInSeconds": 30,
      "statusTimeoutInSeconds": 30,
      "pubsubTopics": {
        "0": {
          "topic": "dt/app/+/status/update",
          "type": "PUB_SUB"
        }
      }
    }
  },

Any guidance here would be greatly appreciated! Thanks

トピック
モノのインターネット (IoT)サーバーレス計算する
タグ
AWS IoT GreengrassAWS Lambda
言語
English
profile picture
rodmaz
質問済み 1年前463ビュー
1回答
1
承認された回答

Merge updates are in a deployment, they do not update the recipe of the component.

The merge is the correct way to set the access control. You can view the actual configuration which is applied on the device by using the local greengrass CLI. https://docs.aws.amazon.com/greengrass/v2/developerguide/gg-cli-component.html#component-details

AWS
エキスパート
MichaelDombrowski-AWS
回答済み 1年前
profile pictureAWS
エキスパート
Greg_B
レビュー済み 6ヶ月前
profile picture
エキスパート
Sedat Salman
レビュー済み 10ヶ月前
  • rodmaz
    1年前

    We checked using Greengrass-cli in GG Core and the accessControl is there. Works like a charm! Thanks!

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ