Updating component configuration in lifecycle install script and accessing in run script

0

In my component recipe, I have a placeholder for the POSTGRES_PASSWORD configuration. I set the value in the install phase of the lifecycle from a secrets manager secret. I then try to read the updated configuration value in the run phase with {configuration:/POSTGRES_PASSWORD} extrapolation. I am able to update the configuration, with update_configuration, in the install script and also confirm that the configuration is updated by retrieving it with get_configuration. But when I try to access the value of the configuration in the run script, I get the default empty value.

Can anyone help figure this out? I am new to Greengrass and still trying to figure things out.

Here is a part of the recipe (with some debug messages) that I am using -

ComponentConfiguration:
  DefaultConfiguration:
    POSTGRES_PASSWORD: ""
    DBCredentialSecret: "<secret_arn>"
Lifecycle:
    Install: 
      Script: | 
        #!/bin/bash
        python3 -m pip install --user awsiotsdk
        python3 -u {artifacts:decompressedPath}/comp/src/update_config.py "{configuration:/DBCredentialSecret}"        
        docker pull supabase/postgres
    Run: 
      Script: |
        echo 'Starting supabase...'
        echo '{configuration:/POSTGRES_PASSWORD}' 
        docker rm -f supabase-db 
        docker run -d --name supabase-db --restart unless-stopped -p '5432:5432' -e POSTGRES_PASSWORD='{configuration:/POSTGRES_PASSWORD}' -e POSTGRES_HOST='{configuration:/POSTGRES_HOST}' supabase/postgres postgres -c config_file=/etc/postgresql/postgresql.conf -c log_min_messages=fatal

Thanks!

ss
asked 10 months ago 222 views
5 Answers
3

Hello,

Configuration in recipe lifecycle commands is only interpolated during a deployment; changes to configuration outside of a deployment will have no effect until the next deployment happens. In this case, set a static password in a deployment, or else you could execute a command which will read the configuration using IPC (instead of recipe interpolation, IPC will get the up to date value) in order to set the environment variable as you desire.

Cheers,

Michael

AWS
Expert
answered 10 months ago
2
Accepted Answer

If my understanding is correct, you are trying to update the POSTGRES_PASSWORD value through the update_config.py script using the IPC API update_configuration. As Michael says, this will not work since the configuration variables are interpolated at deployment time. The POSTGRES_PASSWORD value is then the default empty string, or whichever value you set in the deployment configuration. As you want to retrieve the value from a secret, you should simply set the POSTGRES_PASSWORD environment variable value directly in the Run script.

You can also refer to this component (https://github.com/awslabs/aws-greengrass-labs-nodered-auth/) that uses https://github.com/awslabs/aws-greengrass-labs-secretsmanagerclient to obtain a secret from the aws.greengrass.SecretsManager component.

AWS
Expert
answered 10 months ago
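
What the two answers above describe, as an added example that is not part of the original thread or of any AWS component: a launcher called from the Run script that reads the secret through the Greengrass IPC GetSecretValue operation at run time and hands it to docker through the process environment, so the password is neither interpolated into the recipe nor written to the component log. The file name launch_db.py, the "password" JSON key and the omission of POSTGRES_HOST are assumptions; the device also needs the secret manager component deployed with this secret and an access-control policy that lets the component call GetSecretValue.

```python
#!/usr/bin/env python3
"""Run-phase launcher (hypothetical launch_db.py): secret via IPC -> docker env."""
import json
import os
import sys


def fetch_secret_string(secret_id):
    """Read the secret at run time through Greengrass IPC (needs awsiotsdk)."""
    # Imported lazily so the helpers below can be exercised off-device.
    from awsiot.greengrasscoreipc.clientv2 import GreengrassCoreIPCClientV2
    response = GreengrassCoreIPCClientV2().get_secret_value(secret_id=secret_id)
    return response.secret_value.secret_string


def extract_password(secret_string, key="password"):
    """Accept a JSON secret with an assumed "password" key, or a plain string."""
    try:
        parsed = json.loads(secret_string)
    except (TypeError, json.JSONDecodeError):
        parsed = None
    if isinstance(parsed, dict):
        if not parsed.get(key):
            raise ValueError(f"secret has no non-empty {key!r} field")
        return str(parsed[key])
    if not secret_string:
        raise ValueError("secret is empty")
    return secret_string


def docker_invocation(password, base_env):
    """Return (argv, env); the password travels in env, never in argv."""
    argv = ["docker", "run", "-d", "--name", "supabase-db",
            "--restart", "unless-stopped", "-p", "5432:5432",
            "-e", "POSTGRES_PASSWORD",  # no value: docker copies it from env
            "supabase/postgres", "postgres",
            "-c", "config_file=/etc/postgresql/postgresql.conf",
            "-c", "log_min_messages=fatal"]
    env = dict(base_env, POSTGRES_PASSWORD=password)
    return argv, env


if __name__ == "__main__":
    secret = fetch_secret_string(sys.argv[1])  # secret ARN passed by the recipe
    argv, env = docker_invocation(extract_password(secret), os.environ)
    os.execvpe(argv[0], argv, env)
```

In the recipe, the Run script would keep docker rm -f supabase-db and then call python3 -u {artifacts:decompressedPath}/comp/src/launch_db.py "{configuration:/DBCredentialSecret}"; that interpolation still works because the secret ARN is set at deployment time.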
0

Thanks for your help with this Massimiliano and Michael! I was able to read the secret and set its value in the environment variable.

I would like to know what is the general guidance for where (in the lifecycle) to perform steps to configure the component.

Thank you!

ss
answered 10 months ago
  • There is no general guidance as it depends on the type of configuration and how that changes over time. For example, if you only set the configuration directly in the recipe or via the deployment, you can use variable interpolation in the recipe to get the new value. The drawback of this approach is that it forces the restart of the process. If you are not using interpolation, changes to the configuration can be notified to the running component process via the IPC using the SubscribeToConfigurationUpdate method and callback.

0

Thank you for the responses pointing me in the right direction. I updated the recipe to use the aws.greengrass.labs.SecretsManagerClient component. When I deploy, I get a COMPONENT_VERSION_REQUIREMENTS_NOT_MET error. Do I need to publish the aws.greengrass.labs.SecretsManagerClient component before I can use it in my recipe? Or, is it available in a catalog?

Thanks for your help!

ss
answered 10 months ago
0

Seems like I do need to build and publish the component - https://github.com/awslabs/aws-greengrass-labs-secretsmanagerclient/issues/1

ss
answered 10 months ago
