Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

greengrass v2 - secret manager - throws "not supported" exception

0

Hello AWS Team.

i am using Greengrass V2 and am struggeling to retrieve a secret from the secret manager.

i followed the manual installation: https://docs.aws.amazon.com/greengrass/v2/developerguide/manual-installation.html

and then used this example for the secret retrieval: https://github.com/aws-samples/greengrass-v2-secrets-manager-python

the code in question:
ipc_client = awsiot.greengrasscoreipc.connect()
get_secret_operation = ipc_client.new_get_secret_value()
get_secret_operation.activate(request=model.GetSecretValueRequest(secret_id=OPCUA_CERT_AWS_SECRETID))
secret_response = get_secret_operation.get_response().result()

this: "secret_response = get_secret_operation.get_response().result()" is throwing the exeption below:

2021-03-19T15:13:29.477Z [ERROR] (pool-2-thread-137) datashipper-DatashipperFunction-T4JRBU21QPQC: datashipper.py:59,Failed due to: ServiceError(message='Operation aws.greengrass#GetSecretValue is not supported by Greengrass'). {serviceInstance=0, serviceName=datashipper-DatashipperFunction-T4JRBU21QPQC, currentState=RUNNING}

could someone please explain why it says that the function is "not supported"?

Thank you
Chris

Tópicos
Sem servidorComputação
Tags
AWS Lambda
Idioma
English
Chris-R
feita há 3 anos360 visualizações
4 Respostas
0

Hi Chris,

A probable reason is that you have not deployed the secret manager component to your device https://docs.aws.amazon.com/greengrass/v2/developerguide/secret-manager-component.html . If you're seeing this issue despite including this component in your deployment, could you share more details on if you see it started up properly or if there are any errors in greengrass.log / aws.greengrass.SecretManager.log ?

Thanks,
Shagupta

AWS
shagupta-aws
respondido há 3 anos
0

Hey Shagupta,

the secret manager is included and "running" in version 2.0.5 according to the console.
It however does not produce a log in /logs/

however in the log of my function i see this:
Failed due to: UnauthorizedError(message='Principal datashipper-DatashipperFunction-T4JRBU21QPQC is not authorized to perform aws.greengrass.SecretManager:aws.greengrass#GetSecretValue on resource arn:aws:secretsmanager:eu-west-1:111934086604:secret:greengrass-dil-psn-sc-lev-opcua-client-cert-664OZO').

however i have granted that specifically:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:eu-west-1:111934086604:secret:greengrass-dil-psn-sc-lev-opcua-client-cert-664OZO"
}
]
}

what am i missing?

-Chris

Chris-R
respondido há 3 anos
0

Hi Chris,

The IAM policy looks correct, however Greengrass IPC also requires authorization, you would need to configure the appropriate IPC authorization policy for your component.
Details on IPC authorization policy - https://docs.aws.amazon.com/greengrass/v2/developerguide/interprocess-communication.html#ipc-authorization-policies
Details on Secret Manager IPC operation to include in the authorization policy https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-secret-manager.html#ipc-secret-manager-authorization

If you've already done this, could you post the auth policy config and the content of your config.tlog/effectiveConfig.yaml file ?

Thanks,
Shagupta

AWS
shagupta-aws
respondido há 3 anos
0

Hey shagupta,

thanks that was the missing info. It works now.

-Chris

Chris-R
respondido há 3 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante