get stable credential for IoT Greengrass device

0

I have an already working Greengrass Device. I know that the documented way to handle AWS cred access is through some IoT method that gives you a 12-hour cred. I want to run a long-running service on the device, (telegraf) that requires a standard long-term cred.

I'd appreciate suggestions on the easiest way to do this, in a scalable fashion. (ie: "go make a credential one time by hand" doesnt fit the need here) I'd like some kind of method that will work for 100s of greengrass devices, each getting their own unique AWS credential file.

5 回答
0
已接受的回答

Some more info that may end up being helpful to people in the long term.

For ease of use, I switched to using fluentd+timestream plugin, rather then telegraf. Based on things I read elsewhere, I was hoping that so long as the same instance kept running, it would keep working after the initial successful connection.

This was not the case. When the credential expired, its ability to write terminated.

so i will have to stick to my original approach. It turns out that ChatGPT is really good at answering my actual question, so asking it, "write a lambda that creates a permenant credential" works very nicely.

已回答 1 年前
profile picture
专家
已审核 2 个月前
0

Hi - Thanks for your question. As you are aware, the AWS IoT Core Credential Provider can issue a credential with a maximum lifetime is 43,200 seconds (12 hours). Having the credential be valid for up to 12 hours can help reduce the number of calls to the credential provider by caching the credential longer. Reference : https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html

In another solution, you could configure an AWS Lambda rule that ingests your device data and sends it to another AWS service. However, in applications (not sure if yours is fitting the needs) that require the uploading of large files such as videos or aggregated telemetry to the AWS Cloud, you may want your devices to be able to authenticate and send data directly to the AWS service of your choice.

profile pictureAWS
专家
已回答 1 年前
0

Generically, Greengrass acts as a credential provider to the AWS SDK for components Greengrass manages. It exposes an environment variable to applications which the SDK uses to request temporary credentials. When those credentials expire, the SDK will request new credentials automatically. You can run long running applications without needing to deploy "long-term" credentials. See https://docs.aws.amazon.com/greengrass/v2/developerguide/interact-with-aws-services.html for details.

For your specific case, are you looking to use telegraf with timestream? https://github.com/influxdata/telegraf/tree/master/plugins/outputs/timestream#configuration says that it can pick up credentials from environment variables (it looks like internally it is uses the AWS SDK v2 for go).

On your device, is Greengrass managing the telegraf process? If Greengrass runs the application, it can provide the environment variable needed to receive credentials.

AWS
Rob
已回答 1 年前
0

To add on Nitin's and Rob's answers, depending on how telegraf uses the AWS Go SDK, the AWS_CONTAINER_CREDENTIALS_FULL_URI provided by the Token Exchange Service may automatically vend and refresh credentials from the Role Alias. I'd create a Greengrass component that wraps the Startup and Shutdown steps for telegraf, at which point the environment variable will be available to the process. I'm not familiar with how telegraf uses AWS credentials from the config file, but if you leave uncommented, this will quickly test if it works or not.

Interacting with AWS Services might be of help too.

AWS
Gavin_A
已回答 1 年前
-2
profile pictureAWS
nemf
已回答 1 年前
  • You didnt read my question carefully. The article you referenced is about how to rotate expiring creds. But I said I want a cred that DOES NOT EXPIRE, aka "long term".

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则