Some more info that may end up being helpful to people in the long term.
For ease of use, I switched to using fluentd+timestream plugin, rather than telegraf. Based on things I read elsewhere, I was hoping that so long as the same instance kept running, it would keep working after the initial successful connection.
This was not the case. When the credential expired, its ability to write terminated.
So I will have to stick to my original approach. It turns out that ChatGPT is really good at answering my actual question, so asking it, "write a lambda that creates a permanent credential" works very nicely.
Hi - Thanks for your question. As you are aware, the AWS IoT Core Credential Provider can issue a credential with a maximum lifetime of 43,200 seconds (12 hours). Having the credential be valid for up to 12 hours can help reduce the number of calls to the credential provider by caching the credential longer. Reference: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html
In another solution, you could configure an AWS Lambda rule that ingests your device data and sends it to another AWS service. However, in applications (not sure if yours fits the needs) that require the uploading of large files such as videos or aggregated telemetry to the AWS Cloud, you may want your devices to be able to authenticate and send data directly to the AWS service of your choice.
Generically, Greengrass acts as a credential provider to the AWS SDK for components Greengrass manages. It exposes an environment variable to applications which the SDK uses to request temporary credentials. When those credentials expire, the SDK will request new credentials automatically. You can run long running applications without needing to deploy "long-term" credentials. See https://docs.aws.amazon.com/greengrass/v2/developerguide/interact-with-aws-services.html for details.
For your specific case, are you looking to use telegraf with timestream? https://github.com/influxdata/telegraf/tree/master/plugins/outputs/timestream#configuration says that it can pick up credentials from environment variables (it looks like internally it uses the AWS SDK v2 for Go).
On your device, is Greengrass managing the telegraf process? If Greengrass runs the application, it can provide the environment variable needed to receive credentials.
To add on Nitin's and Rob's answers, depending on how telegraf uses the AWS Go SDK, the AWS_CONTAINER_CREDENTIALS_FULL_URI provided by the Token Exchange Service may automatically vend and refresh credentials from the Role Alias. I'd create a Greengrass component that wraps the Startup and Shutdown steps for telegraf, at which point the environment variable will be available to the process. I'm not familiar with how telegraf uses AWS credentials from the config file, but if you leave uncommented, this will quickly test if it works or not.
Interacting with AWS Services might be of help too.
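The two answers above describe the same mechanism from two sides: the AWS SDK inside a Greengrass-managed process sees AWS_CONTAINER_CREDENTIALS_FULL_URI, fetches temporary credentials from the Token Exchange Service, and re-fetches them before they expire, whereas a process that fetched a 12-hour credential once at startup stops being able to write when it expires (which is what the original poster saw with fluentd). The following is an added example, not code from this thread, from AWS or from telegraf: it models both behaviours in plain Python. The `CredentialProvider` class is a constructed stand-in for the HTTPS call to the credential provider or TES, the credential values and timestamps are constructed, and the refresh margin and `sdk_credential_source` helper are assumptions chosen for illustration.

```python
# Added example: SDK-style refreshing credentials vs. a one-shot fetch.
# The provider below is a constructed stand-in for the AWS IoT credential
# provider / Greengrass Token Exchange Service endpoint; nothing here talks to AWS.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Lifetime ceiling stated in the thread: 43,200 seconds (12 hours).
MAX_LIFETIME = timedelta(seconds=43_200)

# Environment variable the AWS SDKs check for the container credential provider;
# Greengrass TES sets it for the components it launches.
TES_URI_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime

    def expires_within(self, now: datetime, margin: timedelta) -> bool:
        return now + margin >= self.expiration


class CredentialProvider:
    """Constructed stand-in for the credential provider endpoint."""

    def __init__(self, lifetime: timedelta = MAX_LIFETIME) -> None:
        self.lifetime = min(lifetime, MAX_LIFETIME)  # the service caps the lifetime
        self.calls = 0

    def fetch(self, now: datetime) -> Credentials:
        self.calls += 1
        return Credentials(
            access_key_id=f"ASIA-CONSTRUCTED-{self.calls}",
            secret_access_key="constructed-secret",
            session_token=f"constructed-token-{self.calls}",
            expiration=now + self.lifetime,
        )


class OneShotCredentials:
    """What a process has if it fetches credentials once at startup and never again."""

    def __init__(self, creds: Credentials) -> None:
        self._creds = creds

    def get(self, now: datetime) -> Credentials:
        if self._creds.expires_within(now, timedelta(0)):
            raise PermissionError("ExpiredToken")  # the service rejects the write
        return self._creds


class RefreshingCredentials:
    """SDK-style provider: re-fetch shortly before expiry, invisibly to the caller."""

    def __init__(self, fetch: Callable[[datetime], Credentials],
                 refresh_margin: timedelta = timedelta(minutes=5)) -> None:
        self._fetch = fetch
        self._margin = refresh_margin  # assumed margin; real SDKs use their own
        self._cached: Optional[Credentials] = None

    def get(self, now: datetime) -> Credentials:
        if self._cached is None or self._cached.expires_within(now, self._margin):
            self._cached = self._fetch(now)
        return self._cached


def sdk_credential_source(env: dict[str, str]) -> str:
    """Hypothetical helper: which credential path an AWS SDK would take for this env."""
    if TES_URI_VAR in env:
        return "container-credential-provider"  # Greengrass TES path, auto-refreshed
    if "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env:
        return "static-environment-keys"  # whatever was pasted in; never refreshed
    return "none"


def simulate_writes(provider, hours: int, start: datetime) -> int:
    """Attempt one write per hour; return how many succeed before a credential error."""
    ok = 0
    for h in range(hours):
        try:
            provider.get(start + timedelta(hours=h))
        except PermissionError:
            break
        ok += 1
    return ok


def demo() -> dict[str, int]:
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time
    svc = CredentialProvider()
    one_shot = OneShotCredentials(svc.fetch(start))
    refreshing = RefreshingCredentials(svc.fetch)
    one_shot_ok = simulate_writes(one_shot, 36, start)
    calls_before = svc.calls
    refreshing_ok = simulate_writes(refreshing, 36, start)
    return {"one_shot_writes": one_shot_ok,
            "refreshing_writes": refreshing_ok,
            "refresh_calls": svc.calls - calls_before}


if __name__ == "__main__":
    print(demo())
```

Over a simulated 36 hours the one-shot process writes for 12 hours and then fails, while the refreshing provider writes for all 36 hours with three fetches from the provider. That is the behaviour Greengrass gives a wrapped telegraf process for free, and the reason a credential-rotation scheme does not require a non-expiring key on the device.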
This might be helpful for you
https://aws.amazon.com/blogs/iot/how-to-manage-iot-device-certificate-rotation-using-aws-iot/
You didn't read my question carefully. The article you referenced is about how to rotate expiring creds. But I said I want a cred that DOES NOT EXPIRE, aka "long term".