How to grant access to specific AWS secrets that belong to specific Greengrass Core Device

Question

I have a set of Greengrass Core Devices and for each of them there's one secret stored in AWS Secrets Manager. During the lifecycle of various custom components installed on the certian core device, components need to fetch secrets meant for the particular device. The easiest way to explain this is by using an example.

Let's say there are several core devices named as follows:
- `alpha`
- `beta`
- `gamma`

And there are several secrets called as follows:
- `credentials/alpha`
- `credentials/beta`
- `credentials/gamma`

Now, I'm using IAM policy (that's attached to `GreengrassTokenExchangeRole`) that grants access to all of these `credentials` secrets:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:1234567890:secret:credentials/*"
        }
    ]
}
```
so that each core device can access whatever secret that ARN starts with `arn:aws:secretsmanager:us-east-1:1234567890:secret:credentials/`. This works, but it's not ideal as it allows core device to fetch secrets that are not meant for it - for example `alpha` device could access `credentials/beta`.

The desired state would be that core device can access only its own secret - `alpha -> credentials/alpha`, `beta -> credentials/beta` etc. I suspect it could be done by defining different roles and policies for each core device, but it doesn't scale well, because instead of one role and policy I'd need to have a pair per core device. Ideally I'd like something like:
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:1234567890:secret:credentials/$AWS_IOT_CORE_DEVICE"
        }
    ]
}
```
so the policy would be sort of dynamic and would allow to access only the secrets that belong to core device.

Any ideas if that's doable?

Greg · Accepted Answer

Hi. The token exchange role uses the AWS IoT Core credential provider. Please try the `credentials-iot:ThingName` policy variable in your IAM policy.

https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html#authorizing-direct-aws.walkthrough

PatrickZ-AWS · Answer

When you add an authorization policy on your component in your component recipe you could make use of recipe variables to specify the thing name. The policy looks something like the example in this docs and would be a part of each component that will access these secrets: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-secret-manager.html.

As this accessControl policy is part of the component configuration, you can use the {iot:thingName} variable to specify the resource specific to your device. Greengrass will only do this recipe variable interpolation in the configuration if the `interpolateComponentConfiguration` Nucleus config is set to true and on Nucleus 2.6.0 or later. You can find info on the variables here as well as the configuration you will need here: https://docs.aws.amazon.com/greengrass/v2/developerguide/component-recipe-reference.html#recipe-variables.

How to grant access to specific AWS secrets that belong to specific Greengrass Core Device

Add your answer

Relevant content