Greengrass v2 single deployment # pass separate values to IoT Things

Question

Hey Team,

We have one custom component, in which we are calling third party API. This API is licensed per device. We are using Greengrass v2 for deployment. In Greengrass v2, we have used AWS public components aws.greengrass.SecretManager which is fetching credential from secrets manager, where we have stored this third party APIs keys.

Now as per our need, we are going to create single deployment for thing group which has multiple things associated. As single deployment for thing group would help us with single shot deployment on all the devices. But with this single deployment I am not sure, how we would be able to send separate API keys to this custom components, which are deployed on each IoT things.

Is there any provision to address this requirement in Greengrass v2 ??

Regards,
Nalay Patel

Answer

You can have multiple deployments targeting the same device. In your case, you could have a deployment targeting the whole fleet for all the common components and common configurations.

For components, like Secrets Manager, that require a different configuration per device, you can create a separate deployment that only contains SecretsManager, targeting every single device. Each deployment can then contain a different configuration for the secret arn parameter.

Another option is to set the device specific configuration inside the thing shadow, but I would not recommend passing confidential information to the device though the shadow, as it will be accessible in clear. You could write your own component that access SecretsManager directly using the Token Exchange Service credentials in Greengrass, and thus only pass the arn of the secret.  In this case, do not forget to set the appropriate policies on the Greengrass Role, so that a Greengrass device is not able to access the secret of another device.

Greengrass v2 single deployment # pass separate values to IoT Things

Relevant content