Greengrass v2 StreamManager | Unable to load AWS credentials

0

I'm using StreamManager v2.1.2 to export a stream of data to Kinesis. I'm repeatedly seeing this error message: [screenshot of the error log]

This is the code that produces the logs:

    def publish(self, data):   # method name assumed; the original snippet is a fragment
        # Append one record to the local stream; StreamManager returns its sequence number.
        sequence_number = self.stream_manager_client.append_message(self.modbus_data_stream_name, data)
        self.logger.debug(f"Sequence number {sequence_number}")
        # Ask StreamManager for the stream's storage and export state.
        message_stream_info = self.stream_manager_client.describe_message_stream(self.modbus_data_stream_name)
        self.logger.debug(message_stream_info.storage_status)
        self.logger.debug(message_stream_info.export_statuses)
        # The first export status is the Kinesis export definition; the credential
        # error surfaces in its error_message. Guard against an empty status list.
        if message_stream_info.export_statuses and message_stream_info.export_statuses[0].error_message:
            self.logger.error(message_stream_info.export_statuses[0].error_message)

It appears that this error shows up for a period of time when the component starts but goes away after several minutes of running. Thus I treat it as a false negative. But could someone confirm that?
In my understanding, StreamManager should get its credentials from the TokenExchangeRole associated with the Greengrass device rather than from the environment variables of the device (which is what the log is indicating). Could someone help me understand why we're seeing this error message?

Edits

My fleet provisioning config: [screenshot]

My Kinesis policy attached to the GG role: [screenshot]

ictwist
asked a year ago, 249 views
2 Answers
1
Accepted Answer

The log shows that the StreamManager component, while trying to write data to Kinesis, temporarily fails to obtain valid credentials. An AWS SDK client tries all providers in a credential provider chain in a given priority order, and the Token Exchange Server is tried last, as indicated by: com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@... : Failed to connect to service endpoint. TES exposes the credentials via a Container Credential Provider endpoint.

This might be due to connectivity issues, for example TES not being able to connect to the AWS IoT Core credentials provider. If this issue disappears after a short time and is not impacting your solution, you can ignore it. If it persists, I would check the logs in greengrass.log to see if there are any errors related to obtaining the credentials.

AWS EXPERT
answered a year ago, reviewed a month ago
  • I think this is likely the case, thanks for the explanation!
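As an added example (not code from the question or either answer), a small Python helper that applies the accepted answer's advice inside a component: poll describe_message_stream, treat a credential error that occurs within a start-up grace window as the expected transient case, and escalate it once it persists or once the error is unrelated to credentials. The StreamManager client is replaced by a constructed stand-in (fake_describe) so it runs offline; the grace window length and the error substrings matched are assumptions.

```python
import time
from dataclasses import dataclass

# Substrings taken from the log text quoted in the question: the SDK provider
# chain found no credentials, and the last provider (the TES container
# credential endpoint) could not be reached. Assumed to be stable markers.
CREDENTIAL_ERROR_MARKERS = (
    "Unable to load AWS credentials",
    "Failed to connect to service endpoint",
)


@dataclass
class ExportHealth:
    """Tracks export_statuses[0].error_message across polls."""
    started_at: float              # component start time (time.time())
    grace_seconds: float = 300.0   # assumed: how long TES may take to come up
    consecutive_errors: int = 0

    def classify(self, error_message, now=None):
        now = time.time() if now is None else now
        if not error_message:
            self.consecutive_errors = 0
            return "healthy"
        self.consecutive_errors += 1
        if not any(m in error_message for m in CREDENTIAL_ERROR_MARKERS):
            return "export-error"            # unrelated failure: surface at once
        if now - self.started_at <= self.grace_seconds:
            return "credentials-warming-up"  # expected transient, log at debug
        return "credentials-failing"         # persistent: inspect greengrass.log / TES


def check_export(describe_stream, stream_name, health, now=None):
    """describe_stream stands in for client.describe_message_stream(name) and
    must return an object with .export_statuses, each carrying .error_message."""
    info = describe_stream(stream_name)
    if not info.export_statuses:
        return "no-export-configured"
    return health.classify(info.export_statuses[0].error_message, now)


# Constructed stand-in for the StreamManager client so the example runs offline.
class _Status:
    def __init__(self, error_message):
        self.error_message = error_message

class _Info:
    def __init__(self, statuses):
        self.export_statuses = statuses

def fake_describe(name):
    return _Info([_Status("Unable to load AWS credentials from any provider in the chain")])
```

A component would call check_export on each poll and raise its log level (or an alarm) only on "credentials-failing" or "export-error".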

0

It seems from the error message that the AWS credentials provider chain is looking for credentials in the order printed. AWS IoT Greengrass core devices use the AWS IoT Core credentials provider to authorize calls to AWS services. The AWS IoT Core credentials provider enables devices to use their X.509 certificates as the unique device identity to authenticate AWS requests. This eliminates the need to store an AWS access key ID and secret access key on your AWS IoT Greengrass core devices. When you run the AWS IoT Greengrass Core software, you can choose to provision the AWS resources that the core device requires. This includes the AWS Identity and Access Management (IAM) role that your core device assumes through the AWS IoT Core credentials provider.

Reference: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html

AWS EXPERT
answered a year ago
  • Thanks for the explanation. I understand that the Greengrass Core uses an X.509 certificate to authenticate its requests. I used the fleet provisioning method and provided a role that has permission to write to Kinesis. I'm adding screenshots of my provisioning config file and the Kinesis-related policy to the original post.
