Force Greengrass Secret Manager component to invalidate secret cache and get the latest one

0

Hi there,

I'm using Greengrass to deploy components to my remote IoT device. I have deployed Greengrass Secret Manager to the device so that my custom component (say component X) can retrieve a secret in AWS Secrets Manager via IPC. It has been working happily.

Recently, I enabled secret rotation in AWS Secrets Manager, which means there's a new secret value every 4 hours (rotation period) for that secret_id. And I now have a problem where the Greengrass Secret Manager component seems to cache a stale one for too long. I checked the logs; the value my component X retrieves via Greengrass SM is always a few rotations behind, which is no longer valid.

The question: how can I force Greengrass Secret Manager to always retrieve the latest value upon a call from my custom component X?

Best, Tuan

posted a month ago · 135 views
7 Answers
1

Hi Tuan,

Can you provide us with the Greengrass logs and also the Secret Manager configuration from /greengrass/v2/config/config.tlog?

Thank you, Urvashi Jain

AWS
answered a month ago
0

Hi Urvashi,

Re: "You can directly use AWS SDK to retrieve the secrets dynamically."

It would definitely be our first preference, but wouldn't it require some credentials to talk to AWS Secrets Manager in the first place? If it were an application running on AWS infrastructure like EC2 or Lambda, it would be a straightforward task. However, we are talking about an application running on remote infrastructure (an IoT device); how can we obtain the initial credentials to initiate an AWS connection to begin with?

In particular, let's say our application is written in Python and we are using the Python SDK boto3; wouldn't we need to create a client like

    query_client = boto3.client('aws-service', aws_access_key_id=access_key, aws_secret_access_key=secret_key)

How do we obtain aws_access_key_id=access_key, aws_secret_access_key=secret_key in the first place?

(Storing these keys locally on the device is a security risk, which is not an option.)

Thanks, Tuan

answered a month ago
0

Hi Urvashi, thanks for the prompt response. Please see the below

aws.greengrass.SecretManager's effective configuration in effectiveConfig.yaml

  aws.greengrass.SecretManager:
    componentType: "PLUGIN"
    configuration:
      cloudSecrets:
      - arn: "arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"
      - arn: "arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret"
    dependencies:
    - "aws.greengrass.Nucleus:SOFT"
    lifecycle: {}
    runtime:
      secretResponse: "{\"secrets\":[{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2\"\
        ,\"name\":\"mysecret\",\"versionId\":\"11c44d97-146f-4120-8b25-a44db88c9c86\"\
        ,\"encryptedSecretString\":\"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\"\
        ,\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1695197952788},{\"arn\"\
        :\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret\"\
        ,\"name\":\"mysecret\",\"versionId\":\"1d6220bb-700f-4536-aa7d-db9efb3cd891\"\
        ,\"encryptedSecretString\":\"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\"\
        ,\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1711354647995}]}"
    version: "2.1.6"

I can see that the createdDate for arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret is 1711354647995, which is Mon Mar 25 2024 19:17:27 GMT+1100 (Australian Eastern Daylight Time) (about a week ago) and definitely not AWSCURRENT. As for the log in config.tlog:

{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","version"],"W":"changed","V":"2.1.6"}
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","groupConfigArn"],"W":"changed","V":"arn:aws:greengrass:ap-southeast-2:myawsaccountid:configuration:thing/my-thing:43"}
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","groupConfigName"],"W":"changed","V":"thing/my-thing"}
{"TS":1711943822028,"TP":["services","DeploymentService","ComponentToGroups","aws.greengrass.SecretManager","arn:aws:greengrass:ap-southeast-2:myawsaccountid:configuration:thing/my-thing:43"],"W":"changed","V":"thing/my-thing"}
{"TS":1694757140689,"TP":["services","main","runtime","service-digest","aws.greengrass.SecretManager-v2.1.6"],"W":"changed","V":"AuKl9bgyfyxiTHCdYc7H5vhitLWCu6Xweiio8xVu3tU="}
{"TS":1711943769161,"TP":["services","main","dependencies"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","FleetStatusService:HARD","DeploymentService:HARD","aws.greengrass.DockerApplicationManager:HARD","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager","com.myorg.myservice","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","aws.greengrass.TokenExchangeService:HARD","TelemetryAgent:HARD","aws.greengrass.Nucleus","aws.greengrass.telemetry.NucleusEmitter","UpdateSystemPolicyService:HARD","aws.greengrass.Nucleus"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","policyDescription"],"W":"changed","V":"Allows access to a secret."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","resources"],"W":"changed","V":["*"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","policyDescription"],"W":"changed","V":"Allows access to dev secrets."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","resources"],"W":"changed","V":["arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret","arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"]}
{"TS":1711943769161,"TP":["services","com.myorg.iot.greengrass.SampleComponent","dependencies"],"W":"changed","V":["aws.greengrass.SecretManager:HARD"]}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","componentType"],"W":"changed","V":"PLUGIN"}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","version"],"W":"changed","V":"2.1.6"}
{"TS":1711943744136,"TP":["services","aws.greengrass.SecretManager","configuration","cloudSecrets"],"W":"changed","V":[{"arn":"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret"},{"arn":"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"}]}
{"TS":1711943809273,"TP":["services","aws.greengrass.SecretManager","runtime","secretResponse"],"W":"changed","V":"{\"secrets\":[{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret\",\"name\":\"mysecret\",\"versionId\":\"11c44d97-146f-4120-8b25-a44db88c9c86\",\"encryptedSecretString\":\"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\",\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1695197952788},{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2\",\"name\":\"mysecret2\",\"versionId\":\"6e683100-6b63-48ca-af24-6d1a4e808725\",\"encryptedSecretString\":\"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\",\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1711930580103}]}"}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","dependencies"],"W":"changed","V":["aws.greengrass.Nucleus:SOFT"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","policyDescription"],"W":"changed","V":"Allows access to a secret."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","resources"],"W":"changed","V":["*"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","policyDescription"],"W":"changed","V":"Allows access to dev secrets."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","resources"],"W":"changed","V":["arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret","arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"]}
{"TS":1711943769161,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","dependencies"],"W":"changed","V":["aws.greengrass.DockerApplicationManager:HARD","aws.greengrass.TokenExchangeService:HARD","aws.greengrass.SecretManager:HARD"]}
{"TS":1694757145139,"TP":["services","aws.greengrass.SecretManager","lifecycle"],"W":"interiorAdded","V":null}
{"TS":1712125759753,"TP":["services","DeploymentService","runtime","ProcessedDeployments","1712125759751","DeploymentRootPackages"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager"]}
{"TS":1712125759753,"TP":["services","DeploymentService","runtime","ProcessedDeployments","1712125759751","DeploymentRootPackages"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager"]}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","componentType"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","aws.greengrass.SecretManager","configuration","cloudSecrets"],"W":"timestampUpdated","V":null}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","version"],"W":"timestampUpdated","V":null}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","dependencies"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","operations"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","policyDescription"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","resources"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","operations"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","policyDescription"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","resources"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleCo
answered a month ago
0

and this is the relevant log in greengrass.log:

2024-04-03T06:49:52.363Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3545, Class ServerConnection, Refs 1](2024-04-03T06:49:52.362959Z) - <null>. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.367Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3547, Class ServerConnection, Refs 1](2024-04-03T06:49:52.371025Z) - <null>. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.374Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3549, Class ServerConnection, Refs 1](2024-04-03T06:54:52.994060Z) - <null>. {}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.995Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.998Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleDockerComponent}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3551, Class ServerConnection, Refs 1](2024-04-03T06:54:53.002233Z) - <null>. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.003Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleDockerComponent}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3553, Class ServerConnection, Refs 1](2024-04-03T06:54:53.092958Z) - <null>. {}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.094Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.096Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:54:53.099Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3555, Class ServerConnection, Refs 1](2024-04-03T06:54:53.099692Z) - <null>. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.103Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}

There's no apparent error that I can spot, the IPC connection seems established ok.

Thanks for looking into it,

Thanks.

answered a month ago
0

Hi Tuan,

There is no way to forcefully delete the cache. You have to update the labels to resync the secrets. Please refer to the public docs: https://docs.aws.amazon.com/greengrass/v2/developerguide/secret-manager-component.html#secret-manager-component-configuration

The secret manager component caches secrets locally. If the secret value changes in Secrets Manager, this component doesn't automatically retrieve the new value. To update the local copy, give the secret a new label and configure this component to retrieve the secret identified by the new label.
AWS
answered a month ago
AWS
EXPERT
Greg_B
verified a month ago
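The staleness check Tuan did by hand on the createdDate values above, and the "new label" workaround the documentation quoted in this answer describes, as an added example that is not part of the thread or of the Greengrass component itself. It assumes the `runtime.secretResponse` string has already been pulled out of effectiveConfig.yaml by other tooling, and the label name scheme and the sample values (modelled on the thread, with the ciphertext elided and a placeholder account ID) are constructed for an offline run:

```python
"""Inspect the Secret Manager component's cached secretResponse and build the
configuration merge that asks the component for a fresh label.

Added example, not code from the thread. Assumption: the caller extracts the
runtime.secretResponse JSON string from /greengrass/v2/config/effectiveConfig.yaml.
"""
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample modelled on the thread's effectiveConfig.yaml (ciphertext elided).
SAMPLE_SECRET_RESPONSE = json.dumps({
    "secrets": [
        {"arn": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret",
         "name": "mysecret", "versionId": "1d6220bb-700f-4536-aa7d-db9efb3cd891",
         "encryptedSecretString": "<elided>", "versionStages": ["AWSCURRENT"],
         "createdDate": 1711354647995},
        {"arn": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret2",
         "name": "mysecret2", "versionId": "6e683100-6b63-48ca-af24-6d1a4e808725",
         "encryptedSecretString": "<elided>", "versionStages": ["AWSCURRENT"],
         "createdDate": 1711930580103},
    ]
})


def cached_versions(secret_response: str) -> dict:
    """Map each secret ARN to its cached versionId, creation time (aware UTC) and stages."""
    doc = json.loads(secret_response)
    out = {}
    for s in doc["secrets"]:
        # createdDate is epoch milliseconds; add as a timedelta to avoid float rounding.
        created = EPOCH + timedelta(milliseconds=s["createdDate"])
        out[s["arn"]] = {"versionId": s["versionId"], "createdDate": created,
                         "stages": list(s.get("versionStages", []))}
    return out


def stale_secrets(secret_response: str, rotation_period: timedelta, now: datetime) -> list:
    """ARNs whose cached version is older than one rotation period.

    The cached 'AWSCURRENT' is only the stage the version had when the component
    fetched it; after a rotation the cloud's AWSCURRENT is a different version."""
    return [arn for arn, v in cached_versions(secret_response).items()
            if now - v["createdDate"] > rotation_period]


def label_refresh_merge(arns, label: str) -> dict:
    """Configuration merge for aws.greengrass.SecretManager that requests `label`
    for each ARN, so the component downloads that version on the next deployment
    instead of serving its cached copy."""
    return {"cloudSecrets": [{"arn": arn, "labels": [label]} for arn in arns]}


if __name__ == "__main__":
    now = datetime(2024, 4, 3, 6, 49, 52, tzinfo=timezone.utc)  # time of the IPC log lines
    stale = stale_secrets(SAMPLE_SECRET_RESPONSE, timedelta(hours=4), now)
    for arn in stale:
        print("stale:", arn, cached_versions(SAMPLE_SECRET_RESPONSE)[arn]["createdDate"])
    print(json.dumps(label_refresh_merge(stale, "rotated-2024-04-03")))
```

Before deploying the merge (it goes into the component's `configurationUpdate.merge` as a JSON string), the label has to exist on the version you want: `aws secretsmanager update-secret-version-stage --secret-id mysecret --version-stage rotated-2024-04-03 --move-to-version-id <versionId>`. The caveat is that rotation only moves the AWSCURRENT, AWSPENDING and AWSPREVIOUS stages; a custom label stays on the version it was attached to, so each rotation still needs the label moved and a new deployment, which is the operational overhead Tuan objects to below.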
0

Thanks for the feedback Urvashi,

It sounds like a major limitation of the GG Secret Manager component. It's reasonable to anticipate that the secret stored in AWS Secrets Manager may change; after all, secret rotation is an out-of-the-box feature of AWS Secrets Manager. Requiring a new deployment to refresh the cache is a significant operational overhead.

Can you suggest an alternative for Greengrass device to dynamically retrieve secrets from AWS Secrets Manager?

Best, Tuan

answered a month ago
0

Hi Tuan,

Yes we are aware of this restriction. You can directly use AWS SDK to retrieve the secrets dynamically.

Thank you, Urvashi Jain

AWS
answered a month ago
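How "use the AWS SDK directly" can work on a core device without storing keys, which was Tuan's objection earlier in the thread, as an added example that is neither the answerer's code nor part of any Greengrass component. It assumes the component declares a dependency on aws.greengrass.TokenExchangeService, in which case Greengrass sets AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN in the component's environment and boto3's default credential chain picks up temporary credentials from there, and that the token exchange role allows secretsmanager:GetSecretValue on the secret ARNs. The FakeSecretsManager class, the TTL value and the sample passwords are constructed so the block runs offline:

```python
"""Fetch a rotating secret with the AWS SDK and a short-lived local cache.

Added example, not from the thread. Assumption: on the Greengrass core device the
component depends on aws.greengrass.TokenExchangeService, so boto3 obtains
temporary credentials from the container credential endpoint it exposes; no
access key is written to the device.
"""
import time


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'); rotate() emulates
    Secrets Manager creating a new AWSCURRENT version."""

    def __init__(self, secret_id, value):
        self.secret_id, self.versions, self.calls = secret_id, [value], 0

    def rotate(self, new_value):
        self.versions.append(new_value)

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        if SecretId != self.secret_id:
            raise KeyError(SecretId)  # boto3 raises ResourceNotFoundException here
        return {"ARN": SecretId, "Name": SecretId, "VersionId": f"v{len(self.versions)}",
                "SecretString": self.versions[-1], "VersionStages": [VersionStage]}


class RotatingSecretCache:
    """Cache get_secret_value results for `ttl_seconds`, so the device does not call
    the cloud on every use but never serves a value older than one TTL."""

    def __init__(self, client, ttl_seconds, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._entries = {}  # secret_id -> (expires_at, version_id, secret_string)

    def get(self, secret_id, force_refresh=False):
        now = self._clock()
        hit = self._entries.get(secret_id)
        if hit and not force_refresh and now < hit[0]:
            return hit[2]
        resp = self._client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        self._entries[secret_id] = (now + self._ttl, resp["VersionId"], resp["SecretString"])
        return resp["SecretString"]

    def invalidate(self, secret_id):
        self._entries.pop(secret_id, None)


def connect_with_retry(cache, secret_id, connect):
    """Try the cached credential; if the peer rejects it, refetch once and retry.
    This covers the window between a rotation and the cache entry expiring."""
    try:
        return connect(cache.get(secret_id))
    except PermissionError:
        return connect(cache.get(secret_id, force_refresh=True))


def greengrass_client():
    """Real client for the core device: the default chain resolves TES credentials."""
    import boto3  # imported lazily so the offline demo does not need boto3 installed
    return boto3.client("secretsmanager")


if __name__ == "__main__":
    fake = FakeSecretsManager("mysecret", "pw-1")
    cache = RotatingSecretCache(fake, ttl_seconds=300)
    print(cache.get("mysecret"))  # first call hits the (fake) service
    fake.rotate("pw-2")
    print(cache.get("mysecret"))  # still pw-1 until the TTL passes
    print(connect_with_retry(cache, "mysecret",
                             lambda pw: "ok" if pw == "pw-2" else (_ for _ in ()).throw(PermissionError())))
```

Pick the TTL well under the rotation period (the thread's is 4 hours), and keep the retry-once path: with a TTL alone a consumer still sees one failed connection per rotation, whereas a forced refresh on an authentication failure hides that window without polling the cloud on every call.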
