- Newest
- Most votes
- Most comments
Hello Phil,
This is the expected behavior; credentials are not fetched until they are requested from the token exchange service (TES) by some application. All lambdas, for example, depend on TES by default, but not all lambdas may actually want or need credentials, so they are only fetched from AWS when something actually requests them.
Your lambda should retry the failed API call which will cause the credentials to be requested again. It should succeed on retries as long as the device is connected to the internet and is allowed to get credentials. Verify in /greengrass/v2/logs/greengrass.log that there are no errors when requesting credentials. You will see "Received IAM credentials that will be cached until" in the log file when credentials are successfully retrieved by Greengrass and cached.
Cheers,
Michael
Relevant content
- asked 4 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
Does the error message appear in the greengrass.log or in your lambda function component logs? Do you use an AWS SDK in your lambda to access a cloud-side AWS API? If you use an SDK in your code, could you dump the environment variable
AWS_CONTAINER_CREDENTIALS_FULL_URI
in your lambda code during both executions.