Hacor,
You should delete the credentials file that you created, that's not how Greengrass should be getting credentials. Instead, Greengrass provides credentials to components including Stream manager using the Token Exchange Service component. https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html
Greengrass uses the IoT Credentials Provider service which retrieves credentials from an IoT Role Alias which you configured. This role alias must point to an IAM role which has the necessary permissions for Stream manager such as IoT Analytics.
Hello Michael!
Thanks for the answer. I know I should delete the credentials file; I just created it in order to test whether I was capable of getting Stream Manager to work or not.
I provisioned the Greengrass core device with the installer option provision=true, so it created the policies, role and the role alias automatically as a part of the installation.
I also updated the role to allow iotanalytics:BatchPutMessage, as mentioned in the description of the component here. Stream Manager should be able to access IoT Analytics.
I do want to draw attention again to line #140 of the gist mentioned above. Stream Manager complains in the starting stage about being unable to assume roles. I really do think that's causing the problem.
The Token Exchange Service seems up and running fine; my custom components are getting the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable perfectly.
I hope we can find a solution, so I can delete the credentials file. Best regards,
Hacor
Did this ever get resolved? I am trying to use StreamManager 2.1.0 with a custom component and seeing similar behavior. I too had questions about whether I needed the .aws/credentials file versus Token Exchange Service. Thanks
@ttnickb. Please remove any credentials you have on the device. Only Token Exchange Service credentials should be used for Stream Manager.
Hello All,
Thanks for all the suggestions and advice. @ttnickb I assume all the AWS suggestions are probably right and it would have something to do with roles/permissions. On my end, I never got to solve my issue without a credentials file (only allowing Stream Manager to do things, of course). And now the project moved in such a way that I didn't need the Stream Manager anymore, so I kind of lost sight of this problem.
So if you did find a solution, please post it here; it can certainly help others.
Thanks! Kind Regards
Hacor
Hi all,
After spending a bit more time on this, we did confirm that the .aws/credentials file is not required. Our app is streaming to Kinesis via StreamManager using only the device cert and Token Exchange Service.
The confusion was mainly due to StreamManager performing batching, so it takes a few minutes for data to start showing up in AWS... even though the logs on the device show data being appended to the stream much earlier.
The logs are with or without the credential file?
Please remove the credential file.
Hi Hacor, as Michael mentioned, Stream Manager should get the credentials from Token Exchange Service. To understand why Stream Manager is getting 400 (
com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6b0072bc: Bad Request (Service: null; Status Code: 400; Error Code: null; Request ID: null; Proxy: null)]
), we want to get access to the Greengrass logs. Can you please share the contents of greengrass.log from the same timeframe as the Stream Manager logs you shared. Thanks
Hi Hacor -
I want to address your confusion here. STS is not used by the device. The device uses iot:AssumeRoleWithCertificate, and then sts:AssumeRole gets used on the backend cloud service. So, Michael's answer below is correct and you likely have an issue with the role which your role alias points to. If you attach those logs we can better assist. Thanks
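The recurring advice in this thread is that a static .aws/credentials file must not coexist with the Token Exchange Service (TES), because an AWS SDK default credential chain consults the shared credentials file before it consults the container-credentials endpoint that TES serves through AWS_CONTAINER_CREDENTIALS_FULL_URI (and its companion AWS_CONTAINER_AUTHORIZATION_TOKEN). The script below is an added example written for this thread, not code from AWS, Greengrass or any poster: it reports which source a component process would pick first (the chain order is simplified from the AWS SDK for Java v1 default chain that Stream Manager's log line, EC2ContainerCredentialsProviderWrapper, points to; system-property and web-identity providers are omitted) and shows the HTTP exchange the SDK performs against TES. The TES URI, token and reply values are constructed samples; the credentials-file path to check on a real core is the home directory of the user the component runs as, which is an assumption you should adjust.

```python
"""Spot a static credentials file that would shadow Greengrass TES credentials.

Added example for this re:Post thread; not part of Greengrass or the AWS SDKs.
"""
import configparser
import io
import json
import os
import urllib.request

TES_URI_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
TES_TOKEN_VAR = "AWS_CONTAINER_AUTHORIZATION_TOKEN"


def read_credentials_file(path):
    """Return the text of a shared credentials file, or None if it does not exist."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def file_has_static_keys(text, profile="default"):
    """True when the credentials file content defines an access key for the profile."""
    if not text:
        return False
    cp = configparser.ConfigParser()
    cp.read_string(text)
    # has_option() returns False when the section itself is missing
    return cp.has_option(profile, "aws_access_key_id")


def resolve_credential_source(env, credentials_text):
    """Return the first provider a (simplified) SDK default chain would accept.

    Order: environment keys, then the shared credentials file, then the
    container endpoint that TES serves. A leftover file therefore wins over TES.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    if file_has_static_keys(credentials_text, env.get("AWS_PROFILE", "default")):
        return "shared-credentials-file"
    if env.get(TES_URI_VAR) and env.get(TES_TOKEN_VAR):
        return "token-exchange-service"
    return "none"


def fetch_tes_credentials(env, urlopen=urllib.request.urlopen):
    """Perform the container-credentials request the SDK makes against TES.

    The SDK sends the token from AWS_CONTAINER_AUTHORIZATION_TOKEN as the
    Authorization header and expects a JSON body with AccessKeyId,
    SecretAccessKey, Token and Expiration.
    """
    req = urllib.request.Request(env[TES_URI_VAR],
                                 headers={"Authorization": env[TES_TOKEN_VAR]})
    with urlopen(req, timeout=5) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    return {k: body[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


# ---- constructed sample inputs (not real endpoints, tokens or keys) ----
SAMPLE_TES_ENV = {
    TES_URI_VAR: "http://localhost:8080/2016-11-01/credentialprovider/",  # constructed
    TES_TOKEN_VAR: "constructed-authorization-token",
}
SAMPLE_CREDENTIALS_FILE = (
    "[default]\n"
    "aws_access_key_id = AKIACONSTRUCTEDEXAMPLE\n"
    "aws_secret_access_key = constructed-secret\n"
)
SAMPLE_TES_RESPONSE = {
    "AccessKeyId": "ASIACONSTRUCTED",
    "SecretAccessKey": "constructed-temporary-secret",
    "Token": "constructed-session-token",
    "Expiration": "2000-01-01T00:00:00Z",
}


def fake_urlopen(req, timeout=None):
    """Offline stand-in for urllib.request.urlopen that serves the constructed TES reply."""
    if req.get_header("Authorization") != SAMPLE_TES_ENV[TES_TOKEN_VAR]:
        raise PermissionError("missing or wrong TES authorization token")
    return io.BytesIO(json.dumps(SAMPLE_TES_RESPONSE).encode("utf-8"))


if __name__ == "__main__":
    # Assumption: the component runs as the current user; on a core the relevant
    # home directory is that of the component's configured run-as user.
    path = os.path.expanduser("~/.aws/credentials")
    source = resolve_credential_source(dict(os.environ), read_credentials_file(path))
    print(f"credential source this process would use first: {source}")
    if source == "shared-credentials-file":
        print(f"static keys in {path} shadow TES; remove the file as advised above")
    print("offline TES exchange:", fetch_tes_credentials(SAMPLE_TES_ENV, urlopen=fake_urlopen))
```

Run it as the same user a component runs as; if it reports "shared-credentials-file" while the TES environment variables are present, the file is what the SDK will use, which is exactly the state the AWS answers above ask to be removed.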