By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Updating component configuration in lifecycle install script and accessing in run script

0

In my component recipe, I have a placeholder for the POSTGRES_PASSWORD configuration. I set the value in the install phase of the lifecycle from a secrets manager secret. I then try to read the updated configuration value in the run phase with {configuration:/POSTGRES_PASSWORD} extrapolation. I am able to update the configuration, with update_configuration, in the install script and also confirm that the configuration is updated by retrieving it with get_configuration. But when I try to access the value of the configuration in the run script, I get the default empty value.

Can anyone help figure this out? I am new to Greengrass and still trying to figure things out.

Here is a part of the recipe (with some debug messages) that I am using -

ComponentConfiguration:
  DefaultConfiguration:
    POSTGRES_PASSWORD: ""
    DBCredentialSecret: "<secret_arn>"
Lifecycle:
    Install: 
      Script: | 
        #!/bin/bash
        python3 -m pip install --user awsiotsdk
        python3 -u {artifacts:decompressedPath}/comp/src/update_config.py "{configuration:/DBCredentialSecret}"        
        docker pull supabase/postgres
    Run: 
      Script: |
        echo 'Starting supabase...'
        echo '{configuration:/POSTGRES_PASSWORD}' 
        docker rm -f supabase-db 
        docker run -d --name supabase-db --restart unless-stopped -p '5432:5432' -e POSTGRES_PASSWORD='{configuration:/POSTGRES_PASSWORD}' -e POSTGRES_HOST='{configuration:/POSTGRES_HOST}' supabase/postgres postgres -c config_file=/etc/postgresql/postgresql.conf -c log_min_messages=fatal

Thanks!

Topics
Internet of Things (IoT)
Tags
AWS IoT Greengrass
Language
English
ss
asked 9 months ago206 views
5 Answers
3

Hello,

Configuration in recipe lifecycle commands is only interpolated during a deployment, changes to configuration outside of a deployment will have no effect until the next deployment happens. In this case, set a static password in a deployment, or else you could execute a command which will read the configuration using IPC (instead of recipe interpolation, IPC will get the up to date value) in order to set the environment variable as you desire.

Cheers,

Michael

AWS
EXPERT
MichaelDombrowski-AWS
answered 9 months ago
2
Accepted Answer

If my understanding is correct, you are trying to update the POSTGRES_PASSWORD value through the update_config.py script using the IPC API update_configuration. As Micheal says, this will not work since the configuration variables are interpolated at deployment time. The POSTGRES_PASSWORD value is then the default empty string, or whichever value you set in the deployment configuration. As you want to retrieve the value from a secret you should simply set the POSTGRES_PASSWORD environment variable value directly in the Run script.

You can also refer to this component (https://github.com/awslabs/aws-greengrass-labs-nodered-auth/) that uses https://github.com/awslabs/aws-greengrass-labs-secretsmanagerclient to obtain a secret from the aws.greengrass.SecretsManager component.

AWS
EXPERT
MassimilianoAWS
answered 9 months ago
0

Thanks for your help with this Massimiliano and Michael! I was able to read the secret and set its value in the environment variable.

I would like to know what is the general guidance for where (in the lifecycle) to perform steps to configure the component.

Thank you!

ss
answered 9 months ago
  • MassimilianoAWS EXPERT
    9 months ago

    There is no general guidance as it depends on the type of configuration and how that changes over time. For example, if you only set the configuration directly in the recipe or via the deployment, you can use variable interpolation in the recipe to get the new value. The drawback of this approach is that it forces the restart of the process. If you are not using interpolation, changes to the configuration can be notified to the running component process via the IPC using the SubscribeToConfigurationUpdate method and callback.

0

Thank you for the responses pointing me in the right direction. I updated the recipe to use the aws.greengrass.labs.SecrectsManagerClient component. When I deploy, I get a COMPONENT_VERSION_REQUIREMENTS_NOT_MET error. Do I need to publish the aws.greengrass.labs.SecrectsManagerClient component before I can use it in my recipe? Or, is it available in a catalog?

Thanks for your help!

ss
answered 9 months ago
0

Seems like I do need to build and publish the component - https://github.com/awslabs/aws-greengrass-labs-secretsmanagerclient/issues/1

ss
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content