Force Greengrass Secret Manager component to invalidate secret cache and get the latest one

0

Hi there,

I'm using Greengrass to deploy components to my remote IoT device. I have deployed Greengrass Secret Manager to the device so that my custom component (say component X) can retrieve a secret in AWS Secrets Manager via IPC. It has been working happily.

Recently, I enabled secret rotation in AWS Secrets Manager, which means there's a new secret value every 4 hours (rotation period) for that secret_id. And I now have a problem where the Greengrass Secret Manager component seems to cache a stale one for too long. I checked the logs: the one my component X retrieves via Greengrass SM is always a few rotations behind, which is no longer valid.

The question: how can I force Greengrass Secret Manager to always retrieve the latest value upon a call from my custom component X?

Best, Tuan

7 Answers
1

Hi Tuan,

Can you provide us with the Greengrass logs and also the secret manager configuration from /greengrass/v2/config/config.tlog?

Thank you, Urvashi Jain

AWS
answered a month ago
0

Hi Urvashi,

Re: "You can directly use AWS SDK to retrieve the secrets dynamically."

It would definitely be our first preference, but would it require some credentials to talk to AWS Secrets Manager in the first place? If it were an application running on AWS infrastructure like EC2 or Lambda, it would be a straightforward task. However, we are talking about an application running on remote infrastructure (an IoT device); how can we obtain the initial credentials to initiate an AWS connection to begin with?

In particular, let's say our application is written in Python and we are using python SDK boto3, shouldn't we need to initiate a client like

    import boto3
    query_client = boto3.client('secretsmanager', region_name='ap-southeast-2', aws_access_key_id=access_key, aws_secret_access_key=secret_key)

How do we obtain aws_access_key_id=access_key, aws_secret_access_key=secret_key in the first place?

(Storing these keys locally on the device is a security risk, which is not an option.)

Thanks, Tuan

answered 21 days ago
0

Hi Urvashi, thanks for the prompt response. Please see below.

aws.greengrass.SecretManager's effective configuration in effectiveConfig.yaml:

  aws.greengrass.SecretManager:
    componentType: "PLUGIN"
    configuration:
      cloudSecrets:
      - arn: "arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"
      - arn: "arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret"
    dependencies:
    - "aws.greengrass.Nucleus:SOFT"
    lifecycle: {}
    runtime:
      secretResponse: "{\"secrets\":[{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2\"\
        ,\"name\":\"mysecret\",\"versionId\":\"11c44d97-146f-4120-8b25-a44db88c9c86\"\
        ,\"encryptedSecretString\":\"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\"\
        ,\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1695197952788},{\"arn\"\
        :\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret\"\
        ,\"name\":\"mysecret\",\"versionId\":\"1d6220bb-700f-4536-aa7d-db9efb3cd891\"\
        ,\"encryptedSecretString\":\"AgV496cpl320jXvn9+6RN3S+AAA/cd4iFjeAG6UYgZAzpFWz+ANPH4SKED+fcNuuGdcXLPey9Qb6Lvzj/WyQZ/aq2JreTL1piH6Zz1qu+vMuCoTfBM+oLGCfVE762TPlYJOG9KbL1f5mzdWUes1+D5cPXSTDnlJ90xNnCt1jEevS/t1drQQhgrkqRbWyTocOYSDGSAAac8VRNb1Dn+QFVBdy09bE+SOf80oiyld0anFRDJvJxCukFFhNMzT8ZWM9oiW3UeCPIAzNHvrsrRFQ/WB8BEP/fkAkYCwuLRP9mBEzqKhkSeoY4RIhKwBeLsLYf1msydZR0ysFyxNg7ywXGYdNuIb1t5gEAgAAEABr2+j9nALVj4sT0zA+dqKXtYmiqA7Tpx+uWP5M+Jr380iTcfn6jWyGePIh9juZIxb/////AAAAAQAAAAAAAAAAAAAAAQAAAINJBRX3R67zXCzKoyewGHebejkfpUNaOYvmJKUPLPIamWubbkP4VdoTMyqayiNX1DIPFetW+zifmcrPkpygwmHbgw3z7rC5jRkax7UMpZ5zpP5Gu9kKPD2t9G4YGHBCS/yaze4ypTJnAWje7UYoaZDnUBzdTzKnQCmi0jKWCdcLBJIHxvx+6oR6U7JktXehRGySRyAAZzBlAjEAjZ6kvmG62wjKVz9C4BdEUcu8EnLqBPqf6+eI3RdoF91IJWj0ZE7cJWTjE1A1siQCAjATGD0t2N9LFC2IRVD+rbT0X9AbB12C1AplyHRj9bE4kl5m30c0NorDVl9pAqCR4WQ=\"\
        ,\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1711354647995}]}"
    version: "2.1.6"

I can see that the createdDate for arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret is 1711354647995, which is Mon Mar 25 2024 19:17:27 GMT+1100 (Australian Eastern Daylight Time), like a week ago, and definitely not the AWSCURRENT. As for the log in config.tlog:

{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","version"],"W":"changed","V":"2.1.6"}
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","groupConfigArn"],"W":"changed","V":"arn:aws:greengrass:ap-southeast-2:myawsaccountid:configuration:thing/my-thing:43"}
{"TS":1711943821983,"TP":["services","DeploymentService","GroupToRootComponents","thing/my-thing","aws.greengrass.SecretManager","groupConfigName"],"W":"changed","V":"thing/my-thing"}
{"TS":1711943822028,"TP":["services","DeploymentService","ComponentToGroups","aws.greengrass.SecretManager","arn:aws:greengrass:ap-southeast-2:myawsaccountid:configuration:thing/my-thing:43"],"W":"changed","V":"thing/my-thing"}
{"TS":1694757140689,"TP":["services","main","runtime","service-digest","aws.greengrass.SecretManager-v2.1.6"],"W":"changed","V":"AuKl9bgyfyxiTHCdYc7H5vhitLWCu6Xweiio8xVu3tU="}
{"TS":1711943769161,"TP":["services","main","dependencies"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","FleetStatusService:HARD","DeploymentService:HARD","aws.greengrass.DockerApplicationManager:HARD","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager","com.myorg.myservice","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","aws.greengrass.TokenExchangeService:HARD","TelemetryAgent:HARD","aws.greengrass.Nucleus","aws.greengrass.telemetry.NucleusEmitter","UpdateSystemPolicyService:HARD","aws.greengrass.Nucleus"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","policyDescription"],"W":"changed","V":"Allows access to a secret."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1","resources"],"W":"changed","V":["*"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","policyDescription"],"W":"changed","V":"Allows access to dev secrets."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleComponent:secrets:1:","resources"],"W":"changed","V":["arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret","arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"]}
{"TS":1711943769161,"TP":["services","com.myorg.iot.greengrass.SampleComponent","dependencies"],"W":"changed","V":["aws.greengrass.SecretManager:HARD"]}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","componentType"],"W":"changed","V":"PLUGIN"}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","version"],"W":"changed","V":"2.1.6"}
{"TS":1711943744136,"TP":["services","aws.greengrass.SecretManager","configuration","cloudSecrets"],"W":"changed","V":[{"arn":"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret"},{"arn":"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"}]}
{"TS":1711943809273,"TP":["services","aws.greengrass.SecretManager","runtime","secretResponse"],"W":"changed","V":"{\"secrets\":[{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret\",\"name\":\"mysecret\",\"versionId\":\"11c44d97-146f-4120-8b25-a44db88c9c86\",\"encryptedSecretString\":\"AgV4oUu1pdanQ0BYj6wzOpd1r5PMsILtl5jpRtcGPWVgu6MAwgACAAdDb250ZXh0AFhhcm46YXdzOnNlY3JldHNtYW5hZ2VyOmFwLXNvdXRoZWFzdC0yOjE0Mjk4MjgzNzY4NjpzZWNyZXQ6ZGV2L2hhbC1lZGdlL3Rlc3RTZWNyZXQtWHNGOUU5ABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREF2dmttTFFUNGg1V05hQWJsVStDQWsrbTc0RzY0NHVVKy9pSkdITlJYMUQ2dkdEc0FUWTN2QWx4ZzRGTDlOYWdudz09AAEACmdnOnNlY3JldHMAKGI1ZWQyODVlZmFiM2EwZDA0Y2Q3NTQ4ZDg4MGY0Y2JhMDVlOTNhODkBALcIgJe9RTgtG5yrWQAnQQGEBJu5+rznjkqoEV+aD4Lcw8D+XL4BeGeCKrAdoIGCUjS+r+CU8ydcgBy1Z/BZBM6nyzyE8AYmOBezThN0LdK00VJd0fxCOKyWqQOMPDI95GilfE/5xsDnHmYzokWM2YGyVUmfjCzKDmUwrDpUszigS1gZxQ0Jrn+3fXVpy/K8HK44BOQRMo8rIXQxB5qOkbQyuiQ8s0Q8fIaQfOjgYzIut6/3dflVXLoKSreNZINFqdonT00OzpiMDIVxpkC7Dw8mJ1/SuBgVmJ+ptk/pW0+QHV/psqYnOTY6VyKD1dWgbf/l8S4VmzI99QIGbiHmLL0CAAAQAB9GprIqkXk+PtsmcDkoEZubU1VYaTT1wzgWIrl3Cscbh4WdvMgTS3ieqThDVPlc0v////8AAAABAAAAAAAAAAAAAAABAAAAGm4rbdQ75/x+SpmdLRUD5/CnCG1GA76HnpAuTPW6hHZndVmG/M3TBgYpLwBnMGUCMQDYRpoJUZhxO7WLP3qLzwLmuqIfTHlYO3wLMByxaKh3L2xvBqMDtjNYJIata2r/Q4YCMGexLlp/GMFb7nPs6bOayM9FhNLLUGjiHK05UFweVv3hxL5scxCaCgDMfQSXpQwNMg==\",\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1695197952788},{\"arn\":\"arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2\",\"name\":\"mysecret2\",\"versionId\":\"6e683100-6b63-48ca-af24-6d1a4e808725\",\"encryptedSecretString\":\"AgV4iJWpBnw/1CfaLDAT2zsW7BmmmEbz0ZLcTJYm2PnlBSAAzAACAAdDb250ZXh0AGJhcm46YXdzOnNlY3JldHNtYW5hZ2VyOmFwLXNvdXRoZWFzdC0yOjE0Mjk4MjgzNzY4NjpzZWNyZXQ6ZGV2L3RpbWVzdHJlYW0vZGV2VXNlckNyZWRlbnRpYWxzLWZkaXhLYwAVYXdzLWNyeXB0by1wdWJsaWMta2V5AERBZ0NrRWFEcENaNHF4dHUzcnpzUjV5UGFpSEI5enFHSWVzRUhGY3BxZnJUbCtHZXpWenQrSkhrTWRiSHVMQWhIVFE9PQABAApnZzpzZWNyZXRzAChiNWVkMjg1ZWZhYjNhMGQwNGNkNzU0OGQ4ODBmNGNiYTA1ZTkzYTg5AQ
A6Qv1uGA+ffRUiVCaCsCkR5RY8YuV3wgrCpjLOCPzcVcHHri/XrHveC7An8cyozsyzzfp0g8/aV6xHIioNw9Lp9crIf7qtY//pugI+4JwoXHwv96brD2TWB2J6t4ePg5E1p5JTTWGsmXUkZpTnumsro3vFjXX3Q9lJkS/NfaAPl4izvoF45LZI6zpTUzd9CcDJ7Oanog+esUu7Cxa2pTWz3KxsSY1cy424Cn3KTwTKuoqRar+zGOHwTVBK+1GxMaV8GCL+Y3h3Sy1NKcvDAdLX4GrX1MeFXI2cOQ36c9JRFiD3u3YC3hjaCJZm3ONNoCVrfVuSO4KYhdfI8hYBS/knAgAAEACgsb116RIy5+PIG4ENX0RVt99ErMqA3wxpzq6LfaAiBgVIUGP811qb3Ywnl/l6ndH/////AAAAAQAAAAAAAAAAAAAAAQAAAIPEpXSPK2Nh+Xa1dQn0Q+AjX5NqdB7lNewEpt+wt1xpRYGxm4UoNRO2CNjiXW01Or/qLvYgfNtfEHljMZtnX3j1qkuIkawyFh7f6hzxZxRhzVdzdy+cxZjBm6Y5n/i1E5awfmqlDX4S8Nys+76uHrtSyVQDD76d3y24mGBprExGYVqceHMBU8egjvXWxNyrCM7uKM4AZzBlAjB0zsCdSW5gbf7zCAORb35J3xOlkNiMXMyaZcsTB18YY1ix4nL6OhW0hCp9FoqLKoECMQDH6gyQNcnxXkp04ZDhuvReWVN/faoWToauhw4nX/vqBgyKNOg7qz/cTUToSaeOOnI=\",\"versionStages\":[\"AWSCURRENT\"],\"createdDate\":1711930580103}]}"}
{"TS":1711943769161,"TP":["services","aws.greengrass.SecretManager","dependencies"],"W":"changed","V":["aws.greengrass.Nucleus:SOFT"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","policyDescription"],"W":"changed","V":"Allows access to a secret."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","resources"],"W":"changed","V":["*"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","operations"],"W":"changed","V":["aws.greengrass#GetSecretValue"]}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","policyDescription"],"W":"changed","V":"Allows access to dev secrets."}
{"TS":1711943744136,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","resources"],"W":"changed","V":["arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret","arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2"]}
{"TS":1711943769161,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","dependencies"],"W":"changed","V":["aws.greengrass.DockerApplicationManager:HARD","aws.greengrass.TokenExchangeService:HARD","aws.greengrass.SecretManager:HARD"]}
{"TS":1694757145139,"TP":["services","aws.greengrass.SecretManager","lifecycle"],"W":"interiorAdded","V":null}
{"TS":1712125759753,"TP":["services","DeploymentService","runtime","ProcessedDeployments","1712125759751","DeploymentRootPackages"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager"]}
{"TS":1712125759753,"TP":["services","DeploymentService","runtime","ProcessedDeployments","1712125759751","DeploymentRootPackages"],"W":"changed","V":["aws.greengrass.Cli","aws.greengrass.TokenExchangeService","aws.greengrass.SecureTunneling","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent","com.myorg.iot.greengrass.SampleComponent","aws.greengrass.LogManager","aws.greengrass.DockerApplicationManager"]}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","componentType"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","aws.greengrass.SecretManager","configuration","cloudSecrets"],"W":"timestampUpdated","V":null}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","version"],"W":"timestampUpdated","V":null}
{"TS":1712125764847,"TP":["services","aws.greengrass.SecretManager","dependencies"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","operations"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","policyDescription"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1","resources"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","operations"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","policyDescription"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleDockerComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleDockerComponent:secrets:1:","resources"],"W":"timestampUpdated","V":null}
{"TS":1712125755781,"TP":["services","com.myorg.iot.greengrass.SampleComponent","configuration","accessControl","aws.greengrass.SecretManager","com.myorg.iot.greengrass.SampleCo
answered a month ago
0

And this is the relevant log in greengrass.log:

2024-04-03T06:49:52.363Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3545, Class ServerConnection, Refs 1](2024-04-03T06:49:52.362959Z) - <null>. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.364Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.367Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3547, Class ServerConnection, Refs 1](2024-04-03T06:49:52.371025Z) - <null>. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.371Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:49:52.374Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3549, Class ServerConnection, Refs 1](2024-04-03T06:54:52.994060Z) - <null>. {}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.994Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.995Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:52.998Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleDockerComponent}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3551, Class ServerConnection, Refs 1](2024-04-03T06:54:53.002233Z) - <null>. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.002Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleDockerComponent. {}
2024-04-03T06:54:53.003Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleDockerComponent}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3553, Class ServerConnection, Refs 1](2024-04-03T06:54:53.092958Z) - <null>. {}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.093Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.094Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.096Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret-XsF9E9, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}
2024-04-03T06:54:53.099Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 3555, Class ServerConnection, Refs 1](2024-04-03T06:54:53.099692Z) - <null>. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.100Z [INFO] (Thread-6) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.myorg.iot.greengrass.SampleComponent. {}
2024-04-03T06:54:53.103Z [INFO] (Thread-6) com.aws.greengrass.secretmanager.SecretManagerService: secret-access. requested secret. {secret=arn:aws:secretsmanager:ap-southeast-2:myawsaccountid:secret:mysecret2-fdixKc, serviceName=aws.greengrass.SecretManager, currentState=RUNNING, Principal=com.myorg.iot.greengrass.SampleComponent}

There's no apparent error that I can spot, the IPC connection seems established ok.

Thanks for looking into it,

Thanks.

answered a month ago
0

Hi Tuan,

There is no way to forcefully delete the cache. You have to update the labels to resync the secrets. Please refer public docs: https://docs.aws.amazon.com/greengrass/v2/developerguide/secret-manager-component.html#secret-manager-component-configuration

The secret manager component caches secrets locally. If the secret value changes in Secrets Manager, this component doesn't automatically retrieve the new value. To update the local copy, give the secret a new label and configure this component to retrieve the secret identified by the new label.
AWS
answered a month ago
AWS EXPERT Greg_B
reviewed a month ago
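The relabel-and-redeploy procedure described in this answer can be automated from the cloud side (an operator workstation, CI, or a hook after the rotation Lambda). The script below is an added example and is not code from this thread or from AWS. It uses the documented boto3 calls update_secret_version_stage and greengrassv2 create_deployment and the documented `labels` option of the aws.greengrass.SecretManager `cloudSecrets` configuration; the alternating label names, the ARNs, the component version and the two stub clients are this example's own choices and placeholders. The identity running it needs secretsmanager:GetSecretValue, secretsmanager:UpdateSecretVersionStage and greengrass:CreateDeployment; the device's token exchange role is not involved.

```python
"""Re-sync a rotated secret to Greengrass devices by moving a staging label.

Added example, not code from this thread or from AWS. The Secret Manager
component only re-fetches a secret when its configuration changes, so after
each rotation we attach a label to the AWSCURRENT version and deploy a
configuration that names that label. Clients are injected so the logic runs
offline against the constructed stubs at the bottom; ARNs and the component
version are placeholders.
"""
import json


def next_label(previous):
    """Alternate between two label names.

    A label that is moved is removed from the old version, so two names in
    rotation never accumulate on old versions, yet each run still changes the
    component configuration (which is what triggers the re-fetch).
    """
    return "greengrass-b" if previous == "greengrass-a" else "greengrass-a"


def relabel_current_version(sm, secret_arn, label):
    """Attach `label` to the version that is currently AWSCURRENT."""
    current = sm.get_secret_value(SecretId=secret_arn, VersionStage="AWSCURRENT")
    sm.update_secret_version_stage(
        SecretId=secret_arn, VersionStage=label, MoveToVersionId=current["VersionId"]
    )
    return current["VersionId"]


def secret_manager_merge_config(secret_arns, label):
    """configurationUpdate.merge document for aws.greengrass.SecretManager.

    A merge replaces lists rather than appending to them, so every secret the
    device needs must be listed here, not only the one that rotated.
    """
    return {
        "cloudSecrets": [{"arn": arn, "labels": ["AWSCURRENT", label]} for arn in secret_arns]
    }


def resync_device_secrets(sm, gg, secret_arns, target_arn, component_version, previous_label=None):
    """Relabel every secret, then push one deployment to the thing or thing group."""
    label = next_label(previous_label)
    versions = {arn: relabel_current_version(sm, arn, label) for arn in secret_arns}
    merge = secret_manager_merge_config(secret_arns, label)
    resp = gg.create_deployment(
        targetArn=target_arn,
        deploymentName="resync-secrets-" + label,
        components={
            "aws.greengrass.SecretManager": {
                "componentVersion": component_version,
                "configurationUpdate": {"merge": json.dumps(merge)},
            }
        },
    )
    return {"label": label, "versions": versions, "deploymentId": resp["deploymentId"]}


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager')."""

    def __init__(self, current_version_id):
        self.current_version_id = current_version_id
        self.labels = {}  # staging label -> version id it was moved to

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        return {"ARN": SecretId, "VersionId": self.current_version_id, "SecretString": "x"}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId):
        self.labels[VersionStage] = MoveToVersionId
        return {"ARN": SecretId}


class FakeGreengrass:
    """Constructed stand-in for boto3.client('greengrassv2')."""

    def __init__(self):
        self.deployments = []

    def create_deployment(self, **kwargs):
        self.deployments.append(kwargs)
        return {"deploymentId": "deployment-%d" % len(self.deployments)}


if __name__ == "__main__":
    # Real use: sm = boto3.client("secretsmanager"); gg = boto3.client("greengrassv2")
    arns = ["arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret-AbCdEf"]
    result = resync_device_secrets(
        FakeSecretsManager("version-2"), FakeGreengrass(), arns,
        "arn:aws:iot:ap-southeast-2:123456789012:thinggroup/edge-devices", "2.1.6",
        previous_label="greengrass-a",
    )
    print(json.dumps(result, indent=2))
```

Store the label used by the last run (for example as a tag on the secret) so the next run can alternate correctly; and remember that a deployment per rotation is still a deployment, so this only makes the documented workaround less manual, it does not remove the staleness window between rotation and deployment completion.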
0

Thanks for the feedback Urvashi,

It sounds like a major limitation with the GG Secret Manager component. It's reasonable to anticipate that the secret stored in AWS Secrets Manager may change, after all, secret rotation is an out of the box feature in AWS Secrets Manager. Requiring a new deployment to refresh the cache is a significant operational overhead.

Can you suggest an alternative for Greengrass device to dynamically retrieve secrets from AWS Secrets Manager?

Best, Tuan

answered 25 days ago
0

Hi Tuan,

Yes we are aware of this restriction. You can directly use AWS SDK to retrieve the secrets dynamically.

Thank you, Urvashi Jain

AWS
answered 25 days ago
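This answer and the earlier question about where a device would get credentials fit together: a Greengrass component does not need static keys to call the AWS SDK. When the component recipe declares aws.greengrass.TokenExchangeService as a dependency, the Nucleus exports AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN into the component's environment and boto3's default credential chain uses them to obtain short-lived credentials for the token exchange role (which must allow secretsmanager:GetSecretValue on the secret). The following is an added example, not code from this thread or from AWS; the secret ARN, the TTL, the AuthError convention and the stub client are this example's own placeholders.

```python
"""Read a rotating secret directly from AWS Secrets Manager inside a Greengrass
component, with no long-lived keys on the device.

Added example, not code from this thread or from AWS. Assumes the component
recipe depends on aws.greengrass.TokenExchangeService, so the Nucleus exports
AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN and
boto3 obtains short-lived credentials for the token exchange role. The secret
ARN, TTL and the stub client are placeholders.
"""
import os
import time

TES_ENV = ("AWS_CONTAINER_CREDENTIALS_FULL_URI", "AWS_CONTAINER_AUTHORIZATION_TOKEN")


class AuthError(Exception):
    """Raised by caller code when a downstream service rejects the secret value."""


def secrets_manager_client(region_name=None):
    """boto3 client that authenticates through the token exchange service only.

    Failing loudly when the TES variables are absent stops boto3 from quietly
    falling back to ~/.aws/credentials, which would reintroduce the
    stored-key risk the question wants to avoid.
    """
    missing = [name for name in TES_ENV if not os.environ.get(name)]
    if missing:
        raise RuntimeError("token exchange service not available, missing " + ", ".join(missing))
    import boto3  # imported lazily so the caching logic below is testable without boto3
    return boto3.client("secretsmanager", region_name=region_name)


class RotatingSecret:
    """Cache a secret for at most ttl_seconds, then re-read AWSCURRENT."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self._client = client
        self._secret_id = secret_id
        self._ttl = ttl_seconds
        self._clock = clock
        self._value = None
        self._fetched_at = None
        self.version_id = None

    def get(self, force=False):
        """Return the secret string; call Secrets Manager only when stale or forced."""
        now = self._clock()
        stale = self._fetched_at is None or now - self._fetched_at >= self._ttl
        if force or stale:
            resp = self._client.get_secret_value(SecretId=self._secret_id, VersionStage="AWSCURRENT")
            self._value = resp["SecretString"]
            self.version_id = resp["VersionId"]
            self._fetched_at = now
        return self._value

    def call(self, fn):
        """Run fn(secret); if it raises AuthError, refresh once and retry.

        Covers a rotation that happened inside the TTL window: the old value
        is rejected, the new AWSCURRENT is fetched and used immediately.
        """
        try:
            return fn(self.get())
        except AuthError:
            return fn(self.get(force=True))


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager') that can rotate."""

    def __init__(self, version_id, value):
        self.calls = 0
        self.rotate(version_id, value)

    def rotate(self, version_id, value):
        self._version_id, self._value = version_id, value

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"ARN": SecretId, "VersionId": self._version_id, "SecretString": self._value}


if __name__ == "__main__":
    # On the device: client = secrets_manager_client(region_name="ap-southeast-2")
    client = FakeSecretsManager("v1", "hunter2")
    secret = RotatingSecret(
        client, "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:mysecret-AbCdEf", ttl_seconds=60
    )
    secret.get()
    client.rotate("v2", "correct-horse")

    def use(password):
        if password != "correct-horse":
            raise AuthError("rejected by downstream service")
        return "ok"

    print(secret.call(use), "now at version", secret.version_id)
```

Pick the TTL against the rotation period: with a 4-hour rotation and a 5-minute TTL a value is at most 5 minutes stale, and the forced refresh in `call` covers the window in between, provided the downstream service signals rejection distinctly from other failures. Keep the value in memory only; writing it to disk or logs on the device defeats the point of fetching it on demand.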
