AWS GreenGrass V2 Lambda - Token Exchange Service not loading credentials before the lambda is invoked

0

I am running a lambda on a Greengrass core device, and the lambda is invoked from an IoT Core message. The topic has a retained flag so the device gets the message if it is offline when published. When I restart the device, the lambda subscribes to the topic, and the lambda is invoked immediately, I get a CredentialsProviderError: Could not load credentials from any providers. If I then publish the same message again after 5-10 seconds, the lambda executes with no errors. It's as if the lambda is not loading the credentials before it is invoked. Is there a workaround for this? I have the TokenExchangeService as a hard dependency for the lambda component:

    "aws.greengrass.TokenExchangeService": {
      "VersionRequirement": ">=2.0.0 <3.0.0",
      "DependencyType": "HARD"
    }

  • Does the error message appear in the greengrass.log or in your lambda function component logs? Do you use an AWS SDK in your lambda to access a cloud-side AWS API? If you use an SDK in your code, could you dump the environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI in your lambda code during both executions?

Asked 2 years ago, viewed 282 times
1 Answer
1

Hello Phil,

This is the expected behavior; credentials are not fetched until they are requested from the token exchange service (TES) by some application. All lambdas, for example, depend on TES by default, but not all lambdas may actually want or need credentials, so they are only fetched from AWS when something actually requests them.

Your lambda should retry the failed API call which will cause the credentials to be requested again. It should succeed on retries as long as the device is connected to the internet and is allowed to get credentials. Verify in /greengrass/v2/logs/greengrass.log that there are no errors when requesting credentials. You will see "Received IAM credentials that will be cached until" in the log file when credentials are successfully retrieved by Greengrass and cached.

Cheers,

Michael

AWS Expert, answered 2 years ago
AWS Expert, reviewed 9 months ago
AWS Expert Chris_G, reviewed 2 years ago
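
The retry recommended in the answer above, as an added example that is not part of the original answer or of any AWS code. It assumes the lambda uses the AWS SDK for JavaScript v3, where this failure surfaces as an error whose name is CredentialsProviderError; `withCredentialRetry`, `makeColdStartCall` and the delay values are hypothetical.

```javascript
// Returns true for the error the question reports (assumption: SDK for
// JavaScript v3, which sets error.name to "CredentialsProviderError").
function isCredentialsNotReady(err) {
  return Boolean(err) && err.name === 'CredentialsProviderError';
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Run `call`, retrying only on CredentialsProviderError with capped
// exponential backoff. Any other error (for example an access-denied
// response) is rethrown at once so real permission problems are not masked.
async function withCredentialRetry(call, opts = {}) {
  const { attempts = 5, baseDelayMs = 500, maxDelayMs = 8000, wait = sleep } = opts;
  let lastErr;
  for (let attempt = 1; attempt <= attempts; attempt++) {
    try {
      return { result: await call(), attempts: attempt };
    } catch (err) {
      if (!isCredentialsNotReady(err)) throw err;
      lastErr = err;
      if (attempt < attempts) {
        await wait(Math.min(baseDelayMs * 2 ** (attempt - 1), maxDelayMs));
      }
    }
  }
  throw lastErr; // still no credentials: check greengrass.log for TES errors
}

// Constructed stand-in for an SDK call: fails `failures` times, then succeeds.
function makeColdStartCall(failures) {
  let calls = 0;
  return async () => {
    calls += 1;
    if (calls <= failures) {
      const err = new Error('Could not load credentials from any providers');
      err.name = 'CredentialsProviderError';
      throw err;
    }
    return 'ok';
  };
}

// Demo: two failures while TES has nothing cached, success on the third try.
async function demo() {
  return withCredentialRetry(makeColdStartCall(2), { baseDelayMs: 10 });
}

demo().then((r) => console.log(r));
```

In a real handler, pass the SDK call as the `call` argument, for example `() => client.send(command)`.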
