Greengrass StreamManager dependency problem

0

Hello!

I created a Greengrass core device through the online tutorials. On step 5b I followed the recommended option, so I think it uses sts:AssumeRole for authentication. Everything is working fine and I tried to install and use the AWS StreamManager Component. I updated my deployment and Stream Manager was successfully installed on my core device. But when I created a stream and appended data to that stream, I got errors in /greengrass/v2/logs/aws.greengrass.StreamManager.log about Stream Manager not being able to connect to IoT Analytics.

The full debug logs of Stream Manager can be found in this gist.

I found the following issues in these logs:

  • Line #140: 2022-03-04T08:30:35.708Z [INFO] (Copier) aws.greengrass.StreamManager: stdout. 2022 Mar 04 08:30:35,707 [DEBUG] (pool-7-thread-1) com.amazonaws.auth.AWSCredentialsProviderChain: Unable to load credentials from WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path.. {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=STARTING}
  • Line #167: 2022-03-04T08:30:36.085Z [INFO] (Copier) aws.greengrass.StreamManager: stdout. 2022 Mar 04 08:30:36,074 [ERROR] (pool-7-thread-1) com.amazonaws.iot.greengrass.streammanager.export.destination.IOTAnalyticsDestination: Encountered error while exporting data to AWS IoT Analytics. {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=STARTING}

When I created the file /home/ggc_user/.aws/credentials using basic credentials

[default]
aws_access_key_id = ******
aws_secret_access_key = *******

Stream manager works perfectly. As I read in the logs, the Stream Manager package should have the aws-java-sdk-sts module as a dependency in order to work with this method. Because the Stream manager component is not open source, I'm unable to create a PR. So I hope this message will reach the Stream Manager developers.

Here are the component versions used in my deployment:

Component Name: aws.greengrass.StreamManager
    Version: 2.0.14
    State: RUNNING
    Configuration: {"JVM_ARGS":"","LOG_LEVEL":"DEBUG","port":"8088","runWithDefault":{"posixUser":"ggc_user:ggc_group"},"STREAM_MANAGER_AUTHENTICATE_CLIENT":false,"STREAM_MANAGER_ENABLE_LOCK_ON_METADATA_STORE":"false","STREAM_MANAGER_EXPORTER_MAX_BANDWIDTH":"2147483647","STREAM_MANAGER_EXPORTER_S3_DESTINATION_MULTIPART_UPLOAD_MIN_PART_SIZE_BYTES":"5242880","STREAM_MANAGER_EXPORTER_THREAD_POOL_SIZE":"5","STREAM_MANAGER_SERVER_PORT":"8088","STREAM_MANAGER_STORE_ROOT_DIR":"."}
Component Name: aws.greengrass.TokenExchangeService
    Version: 2.0.3
    State: RUNNING
    Configuration: {"port":0.0}
Component Name: aws.greengrass.Nucleus
    Version: 2.5.3
    State: FINISHED
    Configuration: {"awsRegion":"eu-central-1","componentStoreMaxSizeBytes":"10000000000","deploymentPollingFrequencySeconds":"15","envStage":"prod","fleetStatus":{"periodicStatusPublishIntervalSeconds":86400.0},"greengrassDataPlanePort":"8443","httpClient":{},"iotCredEndpoint":"c18zy2f9lrcrq0.credentials.iot.eu-central-1.amazonaws.com","iotDataEndpoint":"a3sh1t0ug8wcry-ats.iot.eu-central-1.amazonaws.com","iotRoleAlias":"GreengrassV2TokenExchangeRoleAlias","jvmOptions":"-Dlog.store=FILE","logging":{},"mqtt":{"spooler":{}},"networkProxy":{"proxy":{}},"platformOverride":{},"runWithDefault":{"posixShell":"sh","posixUser":"ggc_user:ggc_group"},"telemetry":{}}

Best regards,

Hacor

Hacor
asked 2 years ago, 606 views
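An added triage script (not part of the question or of any AWS component) that parses the two Stream Manager log lines quoted above plus one constructed line carrying the 400 response quoted in the comments, and reports which providers in the SDK credential chain failed; on Greengrass v2 the container-credentials provider is the one fed by the Token Exchange Service, so its failure is the one worth chasing.

```python
import re
from typing import Dict, List

# Greengrass wraps each line the Stream Manager JVM prints: the Java log line
# follows "stdout. " and the Greengrass context map comes last in braces.
OUTER = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>\w+)\] \((?P<src>[^)]+)\) (?P<component>\S+): "
    r"(?P<stream>stdout|stderr)\. (?P<inner>.*?)(?: \{(?P<ctx>[^}]*)\})?$")
# Java side: "2022 Mar 04 08:30:35,707 [DEBUG] (thread) package.Logger: message"
INNER = re.compile(
    r"^(?P<jts>\d{4} \w{3} \d{2} [\d:,]+) \[(?P<jlevel>\w+)\] "
    r"\((?P<thread>[^)]+)\) (?P<logger>\S+): (?P<msg>.*)$")
# AWSCredentialsProviderChain logs every provider it tried and why it failed;
# some providers print a bare class name, others "package.Class@hash".
UNABLE = re.compile(
    r"^Unable to load credentials from (?P<provider>[\w.]+?)(?:@[0-9a-f]+)?: (?P<reason>.*)$")

def parse_line(line: str) -> Dict[str, str]:
    """Split one aws.greengrass.StreamManager.log line into its fields."""
    m = OUTER.match(line.strip())
    if not m:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    j = INNER.match(fields["inner"])
    if j:
        fields.update(j.groupdict())
    return fields

def triage(lines: List[str]) -> Dict[str, object]:
    """Map each failed credential provider to its reason; count export errors."""
    failed: Dict[str, str] = {}
    export_errors = 0
    for line in lines:
        f = parse_line(line)
        logger = f.get("logger", "")
        u = UNABLE.match(f.get("msg", "")) if logger.endswith("AWSCredentialsProviderChain") else None
        if u:
            failed[u["provider"].rsplit(".", 1)[-1]] = u["reason"]
        elif f.get("jlevel") == "ERROR" and logger.endswith("IOTAnalyticsDestination"):
            export_errors += 1
    # The Token Exchange Service hands credentials to the JVM through the
    # container-credentials provider (AWS_CONTAINER_CREDENTIALS_FULL_URI); the
    # profile and web-identity providers earlier in the chain are expected to fail.
    return {"failed_providers": failed, "export_errors": export_errors,
            "tes_failed": "EC2ContainerCredentialsProviderWrapper" in failed}

# Sample input: lines 1 and 2 are copied from the question; line 3 is constructed
# from the 400 response quoted in the comments (timestamp and hash are made up).
SAMPLE = [
    "2022-03-04T08:30:35.708Z [INFO] (Copier) aws.greengrass.StreamManager: stdout. 2022 Mar 04 08:30:35,707 [DEBUG] (pool-7-thread-1) com.amazonaws.auth.AWSCredentialsProviderChain: Unable to load credentials from WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path.. {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=STARTING}",
    "2022-03-04T08:30:36.085Z [INFO] (Copier) aws.greengrass.StreamManager: stdout. 2022 Mar 04 08:30:36,074 [ERROR] (pool-7-thread-1) com.amazonaws.iot.greengrass.streammanager.export.destination.IOTAnalyticsDestination: Encountered error while exporting data to AWS IoT Analytics. {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=STARTING}",
    "2022-03-04T08:30:35.710Z [INFO] (Copier) aws.greengrass.StreamManager: stdout. 2022 Mar 04 08:30:35,709 [DEBUG] (pool-7-thread-1) com.amazonaws.auth.AWSCredentialsProviderChain: Unable to load credentials from com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6b0072bc: Bad Request (Service: null; Status Code: 400; Error Code: null; Request ID: null; Proxy: null). {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=STARTING}",
]
```

Run `triage(SAMPLE)`; a `tes_failed` of `True` means the Token Exchange Service path itself is rejecting the device, which points at the role alias and IAM role rather than at a missing STS jar.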
5 Answers
1

Hacor,

You should delete the credentials file that you created, that's not how Greengrass should be getting credentials. Instead, Greengrass provides credentials to components including Stream manager using the Token Exchange Service component. https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html

Greengrass uses the IoT Credentials Provider service which retrieves credentials from an IoT Role Alias which you configured. This role alias must point to an IAM role which has the necessary permissions for Stream manager such as IoT Analytics.

AWS
EXPERT
answered 2 years ago
0

Hello Michael!

Thanks for the answer. I know I should delete the credentials file, I just created it in order to test whether I was capable of getting Stream Manager to work or not. I provisioned the Greengrass core device with the installer option provision=true so it created the policies, role and the role alias automatically as a part of the installation. I also updated the role to use iotanalytics:BatchPutMessage as mentioned in the description of the component here. Stream Manager should be able to access IoT Analytics. I do want to draw attention to line #140 of the gist mentioned above again. Stream Manager complains in the starting stage about being unable to assume roles. I really do think that's causing the problem. The Token Exchange Service seems up and running fine, my custom components are getting the AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable perfectly.

I hope we can find a solution, so I can delete the credentials file. Best regards,

Hacor

Hacor
answered 2 years ago
  • Are the logs with or without the credential file?

    Please remove the credential file.

  • Hi Hacor, As Michael mentioned, Stream Manager should get the credentials from Token Exchange Service. To understand why Stream Manager is getting 400 (com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6b0072bc: Bad Request (Service: null; Status Code: 400; Error Code: null; Request ID: null; Proxy: null)]), we want to get access to the greengrass logs. Can you please share the contents of greengrass.log from the same timeframe as the stream manager logs you shared.

    Thanks

  • Hi Hacor -

    I want to address your confusion here. STS is not used by the device. The device uses iot:AssumeRoleWithCertificate and then sts:AssumeRole gets used on the backend cloud service. So, Michael's answer below is correct and you likely have an issue with the role which your role alias points to. If you attach those logs we can better assist. Thanks

0

Did this ever get resolved? I am trying to use StreamManager 2.1.0 with a custom component and seeing similar behavior. I too had questions about whether I needed the .aws/credentials file versus Token Exchange Service. Thanks

ttnickb
answered 2 years ago
  • @ttnickb. Please remove any credentials you have on the device. Only Token Exchange Service credentials should be used for Stream Manager.

0

Hello All

Thanks for all the suggestions and advice. @ttnickb I assume all the AWS suggestions are probably right and it would have something to do with roles/permissions. On my end, I never got to solve my issue without a credentials file (only allowing Stream Manager to do things of course). And now the project moved in such a way that I didn't need the Stream Manager anymore. So I kind of lost sight of this problem.

So if you did find a solution, please post it here and it can certainly help others.

Thanks! Kind Regards

Hacor

Hacor
answered 2 years ago
0

Hi all,

After spending a bit more time on this, we did confirm that the .aws/credentials file is not required.

Our app is streaming to Kinesis via StreamManager using only the device cert and Token Exchange Service.

The confusion was mainly due to StreamManager performing batching, so it takes a few minutes for data to start showing up in AWS, even though the logs on the device show data being appended to the stream much earlier.

ttnickb
answered 2 years ago