Hi Tuan,
Can you provide us Greengrass logs and also secret manager configuration from /greengrass/v2/config/config.tlog?
Thank you, Urvashi Jain
Hi Urvashi,
Re: "You can directly use AWS SDK to retrieve the secrets dynamically."
It would definitely be our first preference, but would it require some credentials to talk to AWS Secrets Manager in the first place? If it were an application running on AWS infrastructure like EC2 or Lambda, it would be a straightforward task. However, we are talking about an application running on a remote infrastructure (IoT device), so how can we obtain the initial credentials to initiate an AWS connection to begin with?
In particular, let's say our application is written in Python and we are using the Python SDK boto3; wouldn't we need to initiate a client like
query_client = boto3.client('aws-service', aws_access_key_id=access_key, aws_secret_access_key=secret_key)
How do we obtain aws_access_key_id=access_key, aws_secret_access_key=secret_key in the first place?
(Storing these keys locally on the device is a security risk, which is not an option.)
Thanks, Tuan
Hi Urvashi, thanks for the prompt response. Please see the below
aws.greengrass.SecretManager's effective configuration in effectiveConfig.yaml:
aws.greengrass.SecretManager:
  componentType: "PLUGIN"
  configuration:
    cloudSecrets:
    - arn: "arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"
    - arn: "arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret"
  dependencies:
  - "aws.greengrass.Nucleus:SOFT"
  lifecycle: {}
  runtime:
    secretResponse: "{\"secrets\":[{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2\"\
      ,\"name\":\"mysecret\",\"versionId\":\"11c44d97-146f-4120-8b25-a44db88c9c86\"\
      ,\"encryptedSecretString\":\"...\"\
      ,\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1695197952788},{\"arn\"\
      :\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret\"\
      ,\"name\":\"mysecret\",\"versionId\":\"1d6220bb-700f-4536-aa7d-db9efb3cd891\"\
      ,\"encryptedSecretString\":\"...\"\
      ,\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1711354647995}]}"
  version: "2.1.6"
I can see that the createdDate for arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret is 1711354647995, which is Mon Mar 25 2024 19:17:27 GMT+1100 (Australian Eastern Daylight Time) (like a week ago) and definitely not the AWSCURRENT.
As for the log in config.tlog:
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","version"],"W":"changed","V":"2.1.6"}
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","groupConfigArn"],"W":"changed","V":"arn:aws:greengrass:ap-southeast-2:myawsaccountid:configuration:thing/my-thing:43"}
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","groupConfigName"],"W":"changed","V":"thing/my-thing"}
{"TS":1711943822028,"TP":["services","DeploymentService","ComponentToGroups","aws.greengrass.SecretManager","arn:aws:greengrass:ap-southeast-2:myawsaccountid:configuration:thing/my-thing:43"],"W":"changed","V":"thing/my-thing"}
{"TS":1694757140689,"TP":["services","main","runtime","service-digest","aws.greengrass.SecretManager-v2.1.6"],"W":"changed","V":"AuKl9bgyfyxiTHCdYc7H5vhitLWCu6Xweiio8xVu3tU="}
{"TS":1711943769161,"TP":["services","main","dependencies"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","FleetStatusService:HARD","DeploymentService:HARD","aws.greengrass.DockerApplicationManager:HARD","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager","com.myorg.myservice","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","aws.greengrass.TokenExchangeService:HARD","TelemetryAgent:HARD","aws.greengrass.Nucleus","aws.greengrass.telemetry.NucleusEmitter","UpdateSystemPolicyService:HARD","aws.greengrass.Nucleus"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","policyDescription"],"W":"changed","V":"Allows access to a secret."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","resources"],"W":"changed","V":["*"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","policyDescription"],"W":"changed","V":"Allows access to dev secrets."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","resources"],"W":"changed","V":["arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret","arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"]}
{"TS":1711943769161,"TP":["services","com.myorg.iot.greengrass.SampleComponent","dependencies"],"W":"changed","V":["aws.greengrass.SecretManager:HARD"]}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","componentType"],"W":"changed","V":"PLUGIN"}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","version"],"W":"changed","V":"2.1.6"}
{"TS":1711943744136,"TP":["services","aws.greengrass.SecretManager","configuration","cloudSecrets"],"W":"changed","V":[{"arn":"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret"},{"arn":"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"}]}
{"TS":1711943809273,"TP":["services","aws.greengrass.SecretManager","runtime","secretResponse"],"W":"changed","V":"{\"secrets\":[{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret\",\"name\":\"mysecret\",\"versionId\":\"11c44d97-146f-4120-8b25-a44db88c9c86\",\"encryptedSecretString\":\"...\",\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1695197952788},{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2\",\"name\":\"mysecret2\",\"versionId\":\"6e683100-6b63-48ca-af24-6d1a4e808725\",\"encryptedSecretString\":\"...\",\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1711930580103}]}"}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","dependencies"],"W":"changed","V":["aws.greengrass.Nucleus:SOFT"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","policyDescription"],"W":"changed","V":"Allows access to a secret."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","resources"],"W":"changed","V":["*"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","policyDescription"],"W":"changed","V":"Allows access to dev secrets."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","resources"],"W":"changed","V":["arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret","arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"]}
{"TS":1711943769161,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","dependencies"],"W":"changed","V":["aws.greengrass.DockerApplicationManager:HARD","aws.greengrass.TokenExchangeService:HARD","aws.greengrass.SecretManager:HARD"]}
{"TS":1694757145139,"TP":["services","aws.greengrass.SecretManager","lifecycle"],"W":"interiorAdded","V":null}
{"TS":1712125759753,"TP":["services","DeploymentService","runtime","ProcessedDeployments","1712125759751","DeploymentRootPackages"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager"]}
{"TS":1712125759753,"TP":["services","DeploymentService","runtime","ProcessedDeployments","1712125759751","DeploymentRootPackages"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager"]}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","componentType"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","aws.greengrass.SecretManager","configuration","cloudSecrets"],"W":"timestampUpdated","V":null}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","version"],"W":"timestampUpdated","V":null}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","dependencies"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","operations"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","policyDescription"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","resources"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","operations"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","policyDescription"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","resources"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleCo
and this is the relevant log in greengrass.log:
2024-04-03T06:49:52.363Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3545, Class ServerConnection, Refs 1](2024-04-03T06:49:52.362959Z) - <null>. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.367Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3547, Class ServerConnection, Refs 1](2024-04-03T06:49:52.371025Z) - <null>. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.374Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3549, Class ServerConnection, Refs 1](2024-04-03T06:54:52.994060Z) - <null>. {}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.995Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.998Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleDockerComponent}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3551, Class ServerConnection, Refs 1](2024-04-03T06:54:53.002233Z) - <null>. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.003Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleDockerComponent}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3553, Class ServerConnection, Refs 1](2024-04-03T06:54:53.092958Z) - <null>. {}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.094Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.096Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:54:53.099Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3555, Class ServerConnection, Refs 1](2024-04-03T06:54:53.099692Z) - <null>. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.103Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
There's no apparent error that I can spot; the IPC connection seems to be established OK.
Thanks for looking into it,
Thanks.
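The greengrass.log lines above show one useful defender-side fact: every GetSecretValue call through the SecretManager component is logged as a "secret-access" event with the requesting Principal and the secret ARN, and the config.tlog entries carry each component's accessControl "resources" list (including a bare "*"). The following script is an added example, not code from this thread or from AWS Greengrass; it parses constructed log lines in that same shape, summarises which component touched which secret, and flags components whose access is only granted by a wildcard or not granted at all. The account id, component names and the suffix-stripping normalisation are assumptions of the example.

```python
"""Audit greengrass.log secret-access events against the SecretManager accessControl
policy (added example; not code from this thread or from AWS Greengrass)."""
import re
from collections import defaultdict

# Constructed sample lines in the shape of greengrass.log (account id and component
# names are placeholders, not values from this thread).
SAMPLE_LOG = """\
2024-04-03T06:49:52.367Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.example.SampleComponent}
2024-04-03T06:49:52.374Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.example.SampleComponent}
2024-04-03T06:54:52.998Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:dbpass-AbCdEf, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.example.OtherComponent}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3551, Class ServerConnection, Refs 1](2024-04-03T06:54:53.002233Z) - <null>. {}
"""

# Constructed accessControl 'resources' lists per component, in the shape seen in config.tlog.
SAMPLE_POLICY = {
    "com.example.SampleComponent": [
        "*",
        "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret",
        "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret2",
    ],
    "com.example.OtherComponent": [
        "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret",
    ],
}

# Matches only the SecretManagerService "secret-access" lines; all other log lines are ignored.
SECRET_ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>\w+)\] .*SecretManagerService: secret-access\. requested secret\. "
    r"\{secret=(?P<secret>[^,]+), serviceName=(?P<service>[^,]+), currentState=(?P<state>[^,]+), "
    r"Principal=(?P<principal>[^}]+)\}$"
)

# Secrets Manager appends a 6-character random suffix to secret ARNs; the log shows it, the
# policy in this thread does not. Stripping it is this audit's own normalisation (assumption).
SUFFIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")


def parse_secret_access(text):
    """Return one dict per secret-access event: timestamp, secret ARN, requesting principal."""
    events = []
    for line in text.splitlines():
        m = SECRET_ACCESS_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "secret": m["secret"], "principal": m["principal"]})
    return events


def base_arn(arn):
    """Drop the trailing random suffix so log ARNs compare equal to policy ARNs."""
    return SUFFIX_RE.sub("", arn)


def accesses_by_principal(events):
    """Map each component to the set of (suffix-stripped) secret ARNs it requested."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["principal"]].add(base_arn(ev["secret"]))
    return dict(seen)


def audit(events, policy):
    """Flag wildcard grants, accesses allowed only by a wildcard, and accesses with no grant."""
    findings = []
    for principal, resources in policy.items():
        if "*" in resources:
            findings.append(("WILDCARD_POLICY", principal, "*"))
    for ev in events:
        resources = policy.get(ev["principal"], [])
        explicit = {base_arn(r) for r in resources if r != "*"}
        if base_arn(ev["secret"]) in explicit:
            continue
        kind = "ALLOWED_ONLY_BY_WILDCARD" if "*" in resources else "NOT_IN_POLICY"
        findings.append((kind, ev["principal"], ev["secret"]))
    return findings


if __name__ == "__main__":
    evs = parse_secret_access(SAMPLE_LOG)
    for principal, arns in accesses_by_principal(evs).items():
        print(principal, "->", sorted(arns))
    for finding in audit(evs, SAMPLE_POLICY):
        print(*finding)
```

Run against a real greengrass.log and the "resources" arrays pulled from config.tlog, the script turns the two sources into a per-component least-privilege check: a "*" grant on a secrets policy deserves the same scrutiny as a wildcard IAM resource, and a NOT_IN_POLICY hit means either the log and the deployed policy are out of sync or the access deserves a closer look.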
Hi Tuan,
There is no way to forcefully delete the cache. You have to update the labels to resync the secrets. Please refer to the public docs: https://docs.aws.amazon.com/greengrass/v2/developerguide/secret-manager-component.html#secret-manager-component-configuration
The secret manager component caches secrets locally. If the secret value changes in Secrets Manager, this component doesn't automatically retrieve the new value. To update the local copy, give the secret a new label and configure this component to retrieve the secret identified by the new label.
Thanks for the feedback Urvashi,
It sounds like a major limitation with the GG Secret Manager component. It's reasonable to anticipate that the secret stored in AWS Secrets Manager may change, after all, secret rotation is an out of the box feature in AWS Secrets Manager. Requiring a new deployment to refresh the cache is a significant operational overhead.
Can you suggest an alternative for Greengrass device to dynamically retrieve secrets from AWS Secrets Manager?
Best, Tuan
Hi Tuan,
Yes we are aware of this restriction. You can directly use AWS SDK to retrieve the secrets dynamically.
Thank you, Urvashi Jain
Hello Tuan, please see the Token Exchange Service (TES), which will allow your custom component to obtain AWS credentials and interact with the SDK.
From your logs, TES is already running. You can utilize TES, see https://docs.aws.amazon.com/greengrass/v2/developerguide/token-exchange-service-component.html
https://docs.aws.amazon.com/greengrass/v2/developerguide/interact-with-aws-services.html
Thanks, Joseph
Hi Joseph,
Thanks for the answer. Using the Token Exchange Service is indeed a promising direction. I have a follow-up question in case you have experienced it before: the guide there provides an example where the component is a Python application running directly on the device's host OS, but what if my custom component is running a dockerised application? It looks like it all depends on this environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI; would injecting this env variable into the Docker container work? (I.e. is the Python code running inside the Docker container able to talk to the TES service outside and perform the AWS SDK requests?)
Thanks, Tuan
See the documentation here for using Docker properly: https://docs.aws.amazon.com/greengrass/v2/developerguide/run-docker-container.html#docker-container-token-exchange-service
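The TES answer and the Docker follow-up above both hinge on the same mechanism: with AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN in the environment, an AWS SDK's container credential provider fetches short-lived credentials from a local HTTP endpoint instead of needing long-lived keys on the device, which is also the answer to the first post's "how do we obtain the access key in the first place" question. The block below is an added example, not code from this thread, from AWS Greengrass or from boto3: it re-implements that lookup with the standard library so it runs offline against a stub endpoint that stands in for TES. The endpoint path, the credential field names, the stub's "reject without the right Authorization header" behaviour and the constructed credential values are assumptions of the example.

```python
"""Re-implementation of the container credential provider lookup an AWS SDK performs when
AWS_CONTAINER_CREDENTIALS_FULL_URI is set, with a local stub standing in for the Greengrass
Token Exchange Service (added example; not code from this thread, Greengrass or boto3)."""
import json
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed values; the real TES hands out a token and credentials per component.
STUB_TOKEN = "constructed-authorization-token"
STUB_CREDS = {
    "AccessKeyId": "ASIAEXAMPLE0000000000",
    "SecretAccessKey": "constructed-secret-key",
    "Token": "constructed-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}


class StubTesHandler(BaseHTTPRequestHandler):
    """Serves the credential JSON only when the Authorization header carries the token."""

    def do_GET(self):
        if self.headers.get("Authorization") != STUB_TOKEN:
            self.send_response(401)
            self.end_headers()
            return
        body = json.dumps(STUB_CREDS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub_tes():
    """Bind the stub on an ephemeral loopback port; return (server, credential URI)."""
    srv = HTTPServer(("127.0.0.1", 0), StubTesHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    # Path is an assumption; the real URI is whatever TES exports in the environment.
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/credentialprovider/"


def fetch_tes_credentials(env):
    """What the SDK does: require both variables, send the token, validate the response."""
    uri = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    if not uri or not token:
        raise RuntimeError(
            "both AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN "
            "must be present in the component's (or container's) environment"
        )
    req = Request(uri, headers={"Authorization": token})
    try:
        with urlopen(req, timeout=5) as resp:
            creds = json.loads(resp.read())
    except HTTPError as exc:
        raise RuntimeError(f"credential endpoint refused the request: HTTP {exc.code}") from exc
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= datetime.now(timezone.utc):
        raise RuntimeError("credential endpoint returned already-expired credentials")
    return {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "token": creds["Token"],
        "expires": expires,
    }


def credentials_via_stub(token=STUB_TOKEN):
    """Run one lookup against the stub with the two variables a container would need."""
    srv, uri = start_stub_tes()
    try:
        return fetch_tes_credentials({
            "AWS_CONTAINER_CREDENTIALS_FULL_URI": uri,
            "AWS_CONTAINER_AUTHORIZATION_TOKEN": token,
        })
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    c = credentials_via_stub()
    print("access key:", c["access_key"], "expires:", c["expires"].isoformat())
```

Two points the example makes concrete for the Docker case: the token is as necessary as the URI (a container that only receives AWS_CONTAINER_CREDENTIALS_FULL_URI gets a 401, not credentials), and the URI points at a listener outside the container, so the container's network namespace must be able to reach it; passing the variables through with Docker's `-e VAR` pass-through does nothing by itself if that route is missing. The credentials are also short-lived, so the SDK re-fetches them on expiry; a component that copies them once into a config file has recreated the stored-key problem from the first post.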