Unable access a cloud secret using Secrets Manager with Greengrass

0

Hi, I've been having some issues utilizing IoT Greengrass along with Secrets Manager. I followed along with this guide here, but when I try to access a secret that's stored in the cloud Secrets Manager, I get an error that the secret does not exist. This is what my component recipe looks like:

{
  "RecipeFormatVersion": "2020-01-25",
  "ComponentName": "com.example.PrintSecret",
  "ComponentVersion": "1.0.9",
  "ComponentType": "aws.greengrass.generic",
  "ComponentDescription": "Testing",
  "ComponentPublisher": "Me",
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "SecretArn": "arn:aws:secretsmanager:us-east-2:123456789:secret:dev/test/greengrass",
      "accessControl": {
        "aws.greengrass.SecretManager": {
          "com.example.PrintSecret:secrets:1": {
            "policyDescription": "Allows Access to a secret",
            "operations": [
              "aws.greengrass#GetSecretValue"
            ],
            "resources": [
              "*"
            ],
            "cloudSecrets": [
              {
                "arn": "arn:aws:secretsmanager:us-east-2:123456789:secret:dev/test/greengrass-123456"
              }
            ]
          }
        }
      }
    }
  },
  "ComponentDependencies": {
    "aws.greengrass.SecretManager": {
      "VersionRequirement": ">=2.0.0 <3.0.0",
      "DependencyType": "HARD"
    }
  },
  "Manifests": [
    {
      "Platform": {
        "os": "linux"
      },
      "Lifecycle": {
        "install": "python3 -m pip install --user awsiotsdk",
        "run": "python3 -u {artifacts:path}/print_secret.py \"{configuration:/SecretArn}\""
      },
      "Artifacts": [
        {
          "Uri": "s3://embedded-greengrass-scripts/print_secret.py",
          "Digest": "[REDACTED]",
          "Algorithm": "[REDACTED]",
          "Unarchive": "NONE",
          "Permission": {
            "Read": "ALL",
            "Execute": "ALL"
          }
        }
      ]
    }
  ],
  "Lifecycle": {}
}

Is there something else that I am missing here?

Any help is greatly appreciated.

1 Answer
2
Accepted Answer

Hi, it looks like you're trying to set the "cloudSecrets" in your component configuration instead of the Secret Manager component's configuration. See the documentation for secret manager: https://docs.aws.amazon.com/greengrass/v2/developerguide/secret-manager-component.html#secret-manager-component-configuration. You must deploy secret manager with the configuration telling it what secrets to fetch. This configuration goes for the secret manager component, not your component.

Cheers,

Michael

AWS
EXPERT
answered 10 months ago
AWS
EXPERT
Greg_B
reviewed 10 months ago
  • Thanks Michael, that helped a lot. I've added that config into the merge config for the secrets manager, but I'm getting this error back from my python script: com.example.PrintSecret: stderr. awsiot.greengrasscoreipc.model.ResourceNotFoundError. Is there something else I'm still missing? My python script is identical to the one in the AWS doc I linked in the original question. Thank you!

  • Hi Christian, this error might mean that your secret has not synced yet and it can be mitigated by adding a retry in your script. In the greengrass log, please check to see if the secret is successfully downloaded so we can ensure that you have the required IAM permissions to download the secret. Thanks, Robert
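An added example (my own code, not from this thread or the AWS docs) that puts together the two fixes discussed so far: build_deployment() places "cloudSecrets" in the aws.greengrass.SecretManager merge configuration, as the accepted answer says, and keeps only accessControl on com.example.PrintSecret; fetch_secret_with_retry() retries on ResourceNotFoundError while the secret is still syncing, as Robert suggests. The SecretManager version "2.1.0", the target ARN and the 10-second IPC timeout are assumptions; only main() touches the real awsiot IPC SDK.

```python
import json
import time


def build_deployment(secret_arn: str, target_arn: str) -> dict:
    """Deployment document: the secret list belongs on the SecretManager
    component, the IPC permission on the custom component."""
    return {
        "targetArn": target_arn,
        "components": {
            "aws.greengrass.SecretManager": {
                "componentVersion": "2.1.0",  # assumed; satisfies >=2.0.0 <3.0.0
                "configurationUpdate": {"merge": json.dumps(
                    {"cloudSecrets": [{"arn": secret_arn}]})},
            },
            "com.example.PrintSecret": {
                "componentVersion": "1.0.9",
                "configurationUpdate": {"merge": json.dumps({
                    "SecretArn": secret_arn,
                    "accessControl": {"aws.greengrass.SecretManager": {
                        "com.example.PrintSecret:secrets:1": {
                            "policyDescription": "Allows access to a secret",
                            "operations": ["aws.greengrass#GetSecretValue"],
                            "resources": [secret_arn]}}}})},  # least privilege, not "*"
            },
        },
    }


def fetch_secret_with_retry(fetch, not_found_exc, attempts=5, delay=2.0, sleep=time.sleep):
    """Call fetch() until it succeeds. not_found_exc (ResourceNotFoundError on
    the device) means the secret has not synced locally yet, so wait and retry;
    re-raise after the last attempt so the failure is visible in the log."""
    for attempt in range(1, attempts + 1):
        try:
            return fetch()
        except not_found_exc:
            if attempt == attempts:
                raise
            sleep(delay)


def main(secret_arn: str) -> None:
    # Real IPC call, in the shape of the doc script the question links to.
    import awsiot.greengrasscoreipc
    from awsiot.greengrasscoreipc.model import GetSecretValueRequest, ResourceNotFoundError
    ipc = awsiot.greengrasscoreipc.connect()

    def fetch():
        req = GetSecretValueRequest(secret_id=secret_arn, version_stage="AWSCURRENT")
        op = ipc.new_get_secret_value()
        op.activate(req)
        return op.get_response().result(10)  # assumed timeout in seconds
    resp = fetch_secret_with_retry(fetch, ResourceNotFoundError)
    print(json.loads(resp.secret_value.secret_string))
```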

  • Hi Robert, thanks for the reply. I think I found part of my issue. It looks like it's failing to pull the secret; trying to figure out why that would be: com.aws.greengrass.secretmanager.exception.SecretManagerException: Could not download secret arn:aws:secretsmanager:us-east-2:123456789:secret:dev/test/greengrass-123456with label AWSCURRENT from cloud , you can attempt a re-fetch by redeploying secret manager. UPDATE: Looks like I may have found it, looks like an IAM issue. I thought I had configured this right, but going to do more digging around this: because no identity-based policy allows the secretsmanager:GetSecretValue action.

  • Hi Christian, the error that you are getting does suggest that you do not have all of the required IAM permissions. Can you please check to see if your Greengrass device role allows the secretsmanager:GetSecretValue action as seen in the following link: https://docs.aws.amazon.com/greengrass/v2/developerguide/secret-manager-component.html#secret-manager-component-configuration:~:text=The%20Greengrass%20device%20role%20must%20allow%20the%20secretsmanager%3AGetSecretValue%20action%2C%20as%20shown%20in%20the%20following%20example%20IAM%20policy.

  • Yep, that was it, thank you! I'm getting closer; now I'm getting an error from the python script that it is unauthorized to get the secret from the local secret manager, but I have the accessControl set in the merge config for the print secret component just as it is in the AWS doc (except I have resources still set to * for now). Trying to figure out why it's not authorized...
