Greengrass: Credentials in a Recipe Component

Question

Hello,

What's the best practice for embedding credentials in a Greengrass Recipe Component configuration. I have a recipe that includes: 
```
    Lifecycle:
      Install: pip3 install -r {artifacts:decompressedPath}/ComponentName/requirements.txt --extra-index-url=https://${USERNAME}:${PASSWORD}@company.jfrog.io/artifactory/api/pypi/company-pypi/simple
```
I'm not sure how best to make `${USERNAME}` and `${PASSWORD}` available during the install phase. Initially I was hoping to use the Secrets Manager component, but that'd require using the IoT SDK within the component code.

Thanks!

Accepted Answer

Use of SecretsManager provides secure way to provide credentials to Greengrass components.

You can use https://github.com/awslabs/aws-greengrass-labs-secretsmanagerclient to avoid having to code the interaction with the IPC API and be able to retrieve the secret directly in the lifecycle script.

An example on how to use it can be seen in  https://github.com/awslabs/aws-greengrass-labs-nodered-auth/blob/9ff4371f76298aabeb9b4bb736fa86028ae6f09c/recipe.yaml#L35.

For your specific exmaple, the lifecyle recipe would contain something like:

```
Lifecycle:
    Install: |- 
        export USERNAME="{configuration:/USERNAME}"
        export PASSWORD=$(java -jar {aws.greengrass.labs.SecretsManagerClient:artifacts:path}/secrets.jar {configuration:/USERNAME})
        pip3 install -r {artifacts:decompressedPath}/ComponentName/requirements.txt --extra-index-url=https://${USERNAME}:${PASSWORD}@company.jfrog.io/artifactory/api/pypi/company-pypi/simple
```

Greengrass: Credentials in a Recipe Component

Contenus pertinents