ruby AWS sdk, auth, and greengrass issues.

Question

I'm trying to follow the docs about using greengrass component based auth, and run into a confusing situation.

Ive read that in a greengrass environment, as long as the automatic environment variables are set, auth is handled automatically.

(specifically, AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_CREDENTIALS_FULL_URI)

This actually works great when I use a dummy test ruby program, to do things like

`  wrapper = Aws::IAM::Client.new
  wrapper.get_user`

But when I swap out my test program, for fluentd, using the timestream plugin at
https://github.com/StudistCorporation/fluent-plugin-timestream

it bombs out with an auth error,

> failed to flush the buffer. retry_times=0 next_retry_time=2023-04-12 17:54:12 +0000 chunk="5f9274b9cd65f79f9897b62d5fca25ed" error_class=Aws::Errors::EndpointDiscoveryError error="Endpoint discovery failed for the operation or discovered endpoint is not working, request will keep failing until endpoint discovery succeeds or :endpoint option is provided."

This is making no sense to me. How can the same(?) ruby aws lib work in one case, but fail in the other?

For what it's worth, this is using ubuntu 20.04

Accepted Answer

The error you get is not related to the credentials, but to the Timestream client not being able to determine the endpoint to connect to. Timestream uses a cellular architecture where the endpoint is not fixed. AWS SDKs implements the  [endpoint discovery pattern](https://docs.aws.amazon.com/timestream/latest/developerguide/Using-API.endpoint-discovery.how-it-works.html) and apparently this is failing inside your Greengrass component. You should verify that the permissions associated to the Greengrass TES Role allow the `timestream:DescribeEndpoints` action.

ruby AWS sdk, auth, and greengrass issues.

Relevant content