aws.iot.SiteWiseEdgeCollectorOpcua: Failed to start OPC-UA Connection for Source (OPC-UA): Failed to obtain Secret from Greengrass IPC


Hello,

I have deployed Greengrass as a Docker container from the official Docker Hub page: amazon/aws-iot-greengrass:2.5.3-0

I ran it and deployed basic Greengrass components on it; it runs fine. I also deployed the most recent IoT SiteWise components.

But the component SiteWiseEdgeCollectorOpcua is logging this error when it starts:

OpcUaManagedConnection - {"message":"Failed to start OPC-UA Connection for Source (OPC-UA): Failed to obtain Secret from Greengrass IPC"}

I am pretty sure the rest of the IoT SiteWise deployment is correct, since it's quite basic, and I already deployed the same things previously on a Linux deployed Greengrass and it worked fine. I tried to understand what this could be related to. For sure it is not related to the permissions given to the IAM Role used by Greengrass, since it currently has all permissions to operate on my AWS account just for debugging this. To avoid networking issues I also ran the container with the option --network host so that it can open all needed local ports and connections.

My only suspicion right now is the fact that I see the Docker version of Greengrass has not been updated for 1 year! Is it supposed to work? Maybe it is not compatible with the latest Greengrass components or the most recent SiteWise ones? Does someone know the solution to this?

Let me know in case I need to provide more information. Thank you very much in advance for your support!

  • Maybe I need to add additional environment variables to the Greengrass container not specified on the DockerHub page? There is not much documentation about Docker deployments of Greengrass.

1 Answer

Hi Francesco,

The error indicates that the secrets are not available on the edge device. Most probably secret manager is not able to fetch the secrets. It seems like you are configuring data source authentication. Here is a step-by-step guide for that - https://docs.aws.amazon.com/iot-sitewise/latest/userguide/configure-source-authentication-ggv2.html#create-secrets-ggv2.

There could be multiple reasons for this failure:

1. The Greengrass core device doesn't have a policy to get the secret value from the cloud.
2. Either the secrets manager is not configured at all or it's configured with the incorrect Secrets ARN.
3. The data source was added with the wrong secrets.

Please verify the following on your end and see if they are configured as expected:

1. Does the IAM role for your Greengrass core device allow the "secretsmanager:GetSecretValue" action?
2. Is the expected secret's ARN configured in the secret manager component's configuration at the time of the deployment? (https://docs.aws.amazon.com/iot-sitewise/latest/userguide/configure-source-authentication-ggv2.html#deploy-secrets-ggv2)
3. Has the data source been deployed with the secrets that were configured in step #2?

You can also check the greengrass.log and aws.greengrass.SecretManager.log files (located in /greengrass/v2/logs) to see if there are any warnings/errors reported with respect to secret manager such as retrieving secrets, assuming a role etc.

AWS
answered a year ago
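
The three checks listed in the answer above can be run offline against exported JSON documents. The following is an added example, not part of the original thread and not AWS code. Assumptions: the function names are hypothetical, the ARN and policy are constructed samples, policy evaluation is simplified (explicit Deny wins, `Condition`, `NotAction` and `NotResource` are ignored), and the secret ARN is compared exactly against the `cloudSecrets` entries of the `aws.greengrass.SecretManager` configuration.

```python
import fnmatch

ACTION = "secretsmanager:GetSecretValue"
# Constructed sample values (placeholder account ID and secret name).
SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:opcua-source-example-AbCdEf"
# Mirrors the situation in the question: the role is allowed to do everything.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    # IAM-style "*" and "?" wildcards; action names are case-insensitive (fold=True).
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def policy_allows(policy, secret_arn):
    """Check 1 (simplified): does the role policy allow GetSecretValue on the secret?"""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        if "Action" not in st or "Resource" not in st:
            continue  # NotAction / NotResource statements are out of scope here
        hit = _matches(st["Action"], ACTION, fold=True) and _matches(st["Resource"], secret_arn)
        if hit and st.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and st.get("Effect") == "Allow")
    return allowed

def diagnose(policy, secret_manager_config, source_secret_arn):
    """Return a finding code for each failed check; an empty list means all three pass."""
    findings = []
    if not policy_allows(policy, source_secret_arn):
        findings.append("ROLE_DENIED")            # check 1
    arns = {e["arn"] for e in secret_manager_config.get("cloudSecrets", []) if "arn" in e}
    if not arns:
        findings.append("NO_CLOUD_SECRETS")       # check 2: nothing was deployed
    elif source_secret_arn not in arns:
        findings.append("SECRET_NOT_DEPLOYED")    # check 3: source uses another secret
    return findings

if __name__ == "__main__":
    # A wide-open role does not help if the secret was never deployed to the core.
    print(diagnose(SAMPLE_POLICY, {"cloudSecrets": []}, SAMPLE_ARN))
```

A role with full permissions still yields `NO_CLOUD_SECRETS` when the secret manager component was deployed without the secret's ARN.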
