AWS Greengrass V2 Secure Tunneling Component

0

Hi Team,

We are facing an issue while using the SecureTunneling component provided by AWS itself. When we check "aws.greengrass.SecureTunneling.log", the following permission-related lines are printed. Moreover, when we create a tunnel for that specific device from the AWS Console, both end connections are shown as successful after running localproxy with the source token.

But when trying to SSH through localproxy with the following command, nothing works.

ssh root@localhost -p 5555

On the device, the error in "aws.greengrass.SecureTunneling.log" is as below:

2024-06-27T12:02:38.255Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-27 12:02:38.254 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-27T12:02:38.234Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json90018860253406727291719489691381' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}

The OS installed on the device is Ubuntu with arm64 architecture. I have provided a merge update to the component with the following configuration.

{ "reset": [], "merge": { "OS_DIST_INFO": "ubuntu" } }

  • Hello, can you confirm if the tunnel is successfully connected to both source and destination and you do not see any error connecting to your destination device?

  • @Harsh Gandhi,

    Yes, on the AWS Console the "Source connection state" shows "Connected" and the "Destination connection state" is also "Connected". In the "aws.greengrass.SecureTunneling.log" file I can see the following logs:

    2024-06-28T06:04:00.422Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-28 06:04:00.421 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-28T06:04:00.407Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
    2024-06-28T06:04:00.422Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-28 06:04:00.422 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-28T06:04:00.407Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.json34314196159576202461719554194981' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
    2024-06-28T06:04:00.422Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-28 06:04:00.422 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-28T06:04:00.407Z [WARN] {Config.cpp}

  • Considering versions and requirements, we have two devices: one device where secure tunneling is working, with Python 3.10.6 and nucleus version AWS Greengrass v2.7.0, and another device where secure tunneling is not working (though on the AWS Console we can see both statuses as connected), with Python 3.12.3 and AWS Greengrass v2.12.6.

    When I compared the logs on both devices, the output is the same, with the permission ERRORs, but the device with Python 3.10.6 and nucleus version AWS Greengrass v2.7.0 is working properly: I am able to SSH with localproxy after handshaking.

  • Thank you for responding back. I do not think the error messages are something you need to worry about. If you check the complete message, you can see they are logged as warning logs. Give us some time to reproduce the issue locally to see if there is anything I am missing.

  • Hello, we were not able to reproduce the issue locally. Are you still facing the same issue or were you able to resolve it?

asked 4 months ago · 186 views
1 Answer
1

You can change the file permission with a chmod command.

Additionally, AWS IoT Secure Tunneling might run into connectivity issues even if the tunnel is open. One possible solution is to rotate the client access tokens. If you’re not sure whether the client access token needs to be rotated on the source or destination, you can rotate the client access token on both the source and destination by setting ClientMode to ALL when using the RotateTunnelAccessToken API.

Look at the doc: https://docs.aws.amazon.com/iot/latest/developerguide/iot-secure-tunneling-troubleshooting.html

EXPERT
answered 3 months ago
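
The permission warnings quoted in the question can be extracted from aws.greengrass.SecureTunneling.log and reduced to the mode bits that exceed the recommended value, together with the severity the tunneling process itself logged (the inner [WARN], not the wrapper's [ERROR]). This is an added example, not part of the original thread or of AWS code; the regex follows the log lines shown above, and the sample log, the shortened file name and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the log lines quoted in the question
# (the random suffix of the settings file name is replaced by a placeholder).
SAMPLE_LOG = """\
2024-06-28T06:04:00.422Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-28 06:04:00.421 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-28T06:04:00.407Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/' is not set to recommended value... {Permissions: {desired: 745, actual: 777}}. {serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-06-28T06:04:00.422Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-28 06:04:00.422 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-28T06:04:00.407Z [WARN] {FileUtils.cpp}: Permissions to given file/dir path '/tmp/device-client-settings.jsonPLACEHOLDER' is not set to recommended value... {Permissions: {desired: 640, actual: 644}}. {serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
2024-06-28T06:04:00.422Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-06-28 06:04:00.422 [pool-3-thread-1] SubscribeResponseHandler - Secure Tunneling Process: 2024-06-28T06:04:00.407Z [WARN] {Config.cpp}
"""

# Matches only the FileUtils.cpp permission message and captures the inner
# severity, the path, and both octal modes.
PERM_RE = re.compile(
    r"Secure Tunneling Process: \S+ \[(?P<level>[A-Z]+)\] \{FileUtils\.cpp\}: "
    r"Permissions to given file/dir path '(?P<path>[^']*)' is not set to "
    r"recommended value.*?\{desired: (?P<desired>[0-7]{3,4}), "
    r"actual: (?P<actual>[0-7]{3,4})\}"
)

def describe_bits(mask):
    """Name each rwx bit set in mask, e.g. 0o004 -> ['other+r']."""
    names = []
    for who, shift in (("user", 6), ("group", 3), ("other", 0)):
        for flag, bit in (("r", 4), ("w", 2), ("x", 1)):
            if mask & (bit << shift):
                names.append(f"{who}+{flag}")
    return names

def permission_findings(log_text):
    """Return one finding per permission warning found in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = PERM_RE.search(line)
        if m is None:
            continue  # other messages (e.g. Config.cpp) are not permission checks
        desired, actual = int(m["desired"], 8), int(m["actual"], 8)
        findings.append({
            "level": m["level"],   # severity logged by the tunneling process
            "path": m["path"],
            "desired": m["desired"],
            "actual": m["actual"],
            "excess": describe_bits(actual & ~desired),  # bits beyond recommended
        })
    return findings

if __name__ == "__main__":
    for f in permission_findings(SAMPLE_LOG):
        print(f["level"], f["path"], f["actual"], "->", f["desired"], f["excess"])
```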
