We have migrated a lambda from AWS Greengrass v1 to AWS Greengrass v2. This lambda needs to extract and decrypt a secret from Greengrass Core.
How can we authorize the component to perform IPC permissions to the lambda for that?
Regular component recipes have the option ComponentConfiguration/DefaultConfiguration/accessControl.
However, when we build the component out of a lambda using AWS CLI create-component-version and option --lambda-function, there is no option to assign authorization policies.
One way we tried to make it work is by using a merge update in our deployment (as documented here).
"accessControl": {
  "aws.greengrass.SecretManager": {
    "<my-component>:secrets:1": {
      "policyDescription": "Credentials for server running on edge.",
      "operations": [
        "aws.greengrass#GetSecretValue"
      ],
      "resources": [
        "arn:aws:secretsmanager:us-east-1:<account-id>:secret:xxxxxxxxxx"
      ]
    }
  }
}
However, the end recipe of the component (in the deployment) does not display the accessControl (AWS Greengrass Console), so we assume it has not been merge updated.
...
"ComponentConfiguration": {
  "DefaultConfiguration": {
    "lambdaExecutionParameters": {
      "EnvironmentVariables": {
        "LOG_LEVEL": "DEBUG"
      }
    },
    "containerParams": {
      "memorySize": 16384,
      "mountROSysfs": false,
      "volumes": {},
      "devices": {}
    },
    "containerMode": "NoContainer",
    "timeoutInSeconds": 30,
    "maxInstancesCount": 10,
    "inputPayloadEncodingType": "json",
    "maxQueueSize": 200,
    "pinned": false,
    "maxIdleTimeInSeconds": 30,
    "statusTimeoutInSeconds": 30,
    "pubsubTopics": {
      "0": {
        "topic": "dt/app/+/status/update",
        "type": "PUB_SUB"
      }
    }
  }
},
Any guidance here would be greatly appreciated! Thanks
We checked using Greengrass-cli in GG Core and the accessControl is there. Works like a charm! Thanks!
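A deployment document that performs the merge update described in the question, together with the check the follow-up describes doing with greengrass-cli, as an added example (not code from the original post or from AWS). It assumes a Lambda-backed component named com.example.EdgeLambda, constructed versions and ARNs, and that aws.greengrass.SecretManager is deployed alongside with the secret listed in its cloudSecrets.

```python
import json
# Added example, not from the original post: a CreateDeployment body (the shape
# the AWS CLI takes via --cli-input-json) that merges an accessControl policy
# into a Lambda-backed component and registers the secret with SecretManager.
# Names, versions and ARNs are constructed placeholders.
SECRET_MGR = "aws.greengrass.SecretManager"
GET_SECRET_OP = "aws.greengrass#GetSecretValue"

def access_control_merge(component_name, secret_arn, policy_seq=1):
    """accessControl block granting GetSecretValue on exactly one secret ARN.
    Policy IDs must be unique within the component; '<component>:secrets:<n>'
    follows the convention used in the question."""
    policy_id = f"{component_name}:secrets:{policy_seq}"
    return {"accessControl": {SECRET_MGR: {policy_id: {
        "policyDescription": "Credentials for server running on edge.",
        "operations": [GET_SECRET_OP],
        "resources": [secret_arn],
    }}}}

def build_deployment(target_arn, component_name, version, secret_mgr_version, secret_arn):
    """'merge' is a JSON-encoded string, not a nested object, so each
    configuration dict is serialised with json.dumps before it goes in."""
    return {
        "targetArn": target_arn,
        "deploymentName": f"{component_name}-secret-access",
        "components": {
            component_name: {
                "componentVersion": version,
                "configurationUpdate": {
                    "merge": json.dumps(access_control_merge(component_name, secret_arn))},
            },
            # SecretManager only serves secrets listed in its cloudSecrets config.
            SECRET_MGR: {
                "componentVersion": secret_mgr_version,
                "configurationUpdate": {
                    "merge": json.dumps({"cloudSecrets": [{"arn": secret_arn}]})},
            },
        },
    }

def merged_config_of(deployment, component_name):
    """Decode a component's merge string back into the dict the core applies."""
    return json.loads(deployment["components"][component_name]["configurationUpdate"]["merge"])

def grants_get_secret(config, secret_arn):
    """Does a decoded component config (what greengrass-cli shows) grant GetSecretValue on this ARN?"""
    policies = config.get("accessControl", {}).get(SECRET_MGR, {})
    return any(GET_SECRET_OP in p.get("operations", []) and secret_arn in p.get("resources", [])
               for p in policies.values())
```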