We have a few AWS Greengrass components written in Python. These are currently being installed using the Install
lifecycle in the component recipe. The components have a few external dependecies that are being installed using pip
. Originally these dependencies were installed directly from pypi.org
but we have moved these to be hosted in CodeArtifact instead (where we also have a few internal Python packages that we use). Since CodeArtifact requires an authorization token when configuring pip
, we wrote a small Python script which obtains the token using the boto3
API which is then used to configure pip
according to these instructions: https://docs.aws.amazon.com/codeartifact/latest/ug/python-configure-pip.html. The IoT policy used by the Greengrass device has the necessary privileges to download packages from CodeArtifact.
This seemed to work fine, but know we have discovered that sometimes (during e.g. a reboot of the Greengrass serviec), the token cannot be obtained in time for the installation lifecycle. The reason seems to be that the aws.greengrass.TokenExchangeService
has not yet launched - we have specified this component as a dependency, but the dependencies appear to be only for the Run
part of the lifecycle, not the Install
phase. The only workaround we have found so far is to move the package installation commands to the Run
lifecycle instead - then the aws.greengrass.TokenExchangeService
is up and running. But this doesn't seem to be the "correct" way.
Is there another recommended way to use CodeArtifact with Greengrass to make this work in a better way? Or is it possible to specify the aws.greengrass.TokenExchangeService
as an installation dependency somehow?
Ok, then it was like we suspected - thanks for the input.