AWS GreenGrass V2 Lambda - Token Exchange Service not loading credentials before the lambda is invoked

0

I am running a lambda on a Greengrass core device, and the lambda is invoked from an IoT Core message. The topic has a retained flag so the device gets the message if it is offline when published. When I restart the device and the lambda subscribes to the topic and is invoked immediately, I get a CredentialsProviderError: Could not load credentials from any providers. If I then publish the same message again after 5-10 seconds, the lambda executes with no errors. It's as if the lambda is not loading the credentials before it is invoked. Is there a workaround for this? I have the TokenExchangeService as a hard dependency for the lambda component:

 "aws.greengrass.TokenExchangeService": {
   "VersionRequirement": ">=2.0.0 <3.0.0",
   "DependencyType": "HARD"
 }

  • Does the error message appear in the greengrass.log or in your lambda function component logs? Do you use an AWS SDK in your lambda to access a cloud-side AWS API? If you use an SDK in your code, could you dump the environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI in your lambda code during both executions?

asked 2 years ago, 274 views
1 Answer
1

Hello Phil,

This is the expected behavior; credentials are not fetched until they are requested from the token exchange service (TES) by some application. All lambdas, for example, depend on TES by default, but not all lambdas may actually want or need credentials, so they are only fetched from AWS when something actually requests them.

Your lambda should retry the failed API call which will cause the credentials to be requested again. It should succeed on retries as long as the device is connected to the internet and is allowed to get credentials. Verify in /greengrass/v2/logs/greengrass.log that there are no errors when requesting credentials. You will see "Received IAM credentials that will be cached until" in the log file when credentials are successfully retrieved by Greengrass and cached.

Cheers,

Michael

AWS EXPERT
answered 2 years ago
AWS EXPERT
reviewed 9 months ago
AWS EXPERT Chris_G
reviewed 2 years ago
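
The retry recommended in the answer above, as an added example (not code from the thread or from AWS): it retries only on the `CredentialsProviderError` named in the question, with bounded exponential backoff, and rethrows every other error immediately. `withCredentialRetry`, `makeFakeCloudCall` and the handler shape are hypothetical names; the fake call is a constructed stand-in for an SDK request so the block runs offline.

```javascript
// Added example; names below are hypothetical, not from the thread or AWS.
// True when the SDK could not load credentials yet (TES has nothing cached).
function isCredentialsNotReady(err) {
  return Boolean(err) && err.name === 'CredentialsProviderError';
}

// Exponential backoff with a ceiling: 500, 1000, 2000, ... capped at maxMs.
function backoffDelayMs(attempt, baseMs = 500, maxMs = 8000) {
  return Math.min(maxMs, baseMs * 2 ** (attempt - 1));
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Retry only credential-loading failures, a bounded number of times. Any other
// error (access denied, validation, ...) is rethrown at once so it is not masked.
async function withCredentialRetry(call, opts = {}) {
  const { maxAttempts = 5, baseMs = 500, maxMs = 8000, log = console.warn } = opts;
  for (let attempt = 1; ; attempt++) {
    try {
      return await call();
    } catch (err) {
      if (!isCredentialsNotReady(err) || attempt >= maxAttempts) throw err;
      const delay = backoffDelayMs(attempt, baseMs, maxMs);
      log(`credentials not ready (attempt ${attempt}/${maxAttempts}), retry in ${delay} ms`);
      await sleep(delay);
    }
  }
}

// Constructed stand-in for an AWS SDK call: fails `failures` times the way a
// freshly restarted core does, then succeeds.
function makeFakeCloudCall(failures) {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= failures) {
      const err = new Error('Could not load credentials from any providers');
      err.name = 'CredentialsProviderError';
      throw err;
    }
    return { ok: true, calls };
  };
}

// Lambda-style handler (shape assumed): wrap the cloud call, not the whole handler.
async function handler(event, cloudCall = makeFakeCloudCall(2)) {
  return withCredentialRetry(() => cloudCall(event), { baseMs: 10 });
}

handler({ topic: 'constructed/topic' }).then((r) => console.log('result:', r));
```

In a real function, pass the SDK request (for example `() => client.send(command)`) as `call`, and keep `maxAttempts` bounded so a device that is genuinely denied credentials fails visibly instead of looping.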
