I found that the Greengrass installer is unable to load credentials when I'm using an AWS SSO profile. I'm trying the commands below from this link:
curl -s https://d2s8p88vqu9w66.cloudfront.net/releases/greengrass-nucleus-latest.zip \
> greengrass-nucleus-latest.zip && unzip greengrass-nucleus-latest.zip -d GreengrassInstaller
sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE -jar ./GreengrassInstaller/lib/Greengrass.jar \
--aws-region us-east-1 \
--thing-name "$ROBOT_ID" \
--thing-group-name "$THING_GROUP_NAME" \
--tes-role-name "$TES_ROLE_NAME" \
--tes-role-alias-name "$TES_ROLE_ALIAS_NAME" \
--provision true \
--setup-system-service true \
This works fine when I have temporary credentials in environment variables (AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, AWS_SESSION_TOKEN
). But if I have a default sso profile set up in my ~/.aws/config
file and I obtain temporary credentials for the profile using aws sso login
, the installer is unable to load the credentials. I get the following error:
Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain(credentialsProviders=[SystemPropertyCredentialsProvider(), EnvironmentVariableCredentialsProvider(), WebIdentityTokenCredentialsProvider(), ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])), ContainerCredentialsProvider(), InstanceProfileCredentialsProvider()]) : [SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., EnvironmentVariableCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId)., WebIdentityTokenCredentialsProvider(): Either the environment variable AWS_WEB_IDENTITY_TOKEN_FILE or the javaproperty aws.webIdentityTokenFile must be set., ProfileCredentialsProvider(profileName=ProfileDev, profileFile=ProfileFile(profilesAndSectionsMap=[{default=Profile(name=default, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileDev=Profile(name=ProfileDev, properties=[sso_session, output, sso_role_name, region, sso_account_id]), ProfileProd=Profile(name=ProfileProd, properties=[sso_session, output, sso_role_name, region, sso_account_id])}, {my-sso=Profile(name=my-sso, properties=[sso_region, sso_start_url, sso_registration_scopes])}])): To use Sso related properties in the 'ProfileDev' profile, the 'sso' service module must be on the class path., ContainerCredentialsProvider(): Cannot fetch credentials from container - neither AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variables are set., InstanceProfileCredentialsProvider(): Failed to load credentials from IMDS.]
at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:117)
at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:54)
at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:125)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
at software.amazon.awssdk.services.iot.DefaultIotClient.getPolicy(DefaultIotClient.java:9158)
at com.aws.greengrass.easysetup.DeviceProvisioningHelper.createThing(DeviceProvisioningHelper.java:205)
at com.aws.greengrass.easysetup.GreengrassSetup.provision(GreengrassSetup.java:514)
at com.aws.greengrass.easysetup.GreengrassSetup.performSetup(GreengrassSetup.java:325)
at com.aws.greengrass.easysetup.GreengrassSetup.main(GreengrassSetup.java:274)
I know the temporary credentials are available because aws cli commands work without any issues. Looks like maybe the installer is using an SDK version that doesn't support sso? Is there some way I can make the Greengrass Installer work with this setup? The documentation seems to imply that it should be supported.
Thanks! I opened an issue in the Nucleus repository to see if this support can be built in to the official installer distribution. For anyone who runs into the same issue, I ended up using https://github.com/victorskl/yawsso as a temporary workaround to obtain env variables from sso login. A more suitable workaround for scripting compared to downloading the source, modifying the dependencies, and building for my use case.