Questions tagged with AWS IoT Greengrass

We are looking into iot device management solutions and are analyzing the AWS iot core and greengrass among other products. Our iot devices can be of different types and we will also have zebra devices on android. The AWS iot documents mention that greengrass is supported on Linux and windows. Can we effectively use it for Android devices also? Also we are looking at fleet provisioning of the iot devices. Is this supported for Android devices? Thank you.

Hello, We need to build IoT using Greengrass. While OEM flash the OS and Prerequisite Software into Device, We alos need to install the custom component and public component latest version into Device. When Device is shipped to end-user, the user will do on boarding via SSO and than Device will sent http request (SSO Token Auth) for certificate using lambda functions. Once device is registered using lambda function, device will receive the device certificate and than start communicating to the IoT Core. Assuming that the component is already there in device and it will start functioning. Later on from the Cloud whenever there is new version's are available, Cloud will auto initiate new deployment to the devices. Questions is can we have pre loaded public/private component with Greengrass installer Thanks in advance.

Hi there, I am trying to develop unit tests in python language for simple AWS Greengrass components, using pytest framework and simulating a temperature sensor. The point here is that I have a SonarQube process running right now locally on my computer, and its main purpose is to check both the code quality and the testing coverage. The first task was easy to make it work, but for testing task, I am able to achieve it only if I ignore the AWS parts, but that is not the way I would like to follow, the whole code should be checked. Is there any guide I might follow in order to achieve it? Thanks beforehand, looking forward to hearing from you. Kind regards Daniel.

Is there any way to interact with local shadows in ggv2 from a nodejs lambda? I know IPC is not supported in the js sdk, but maybe an mqtt client in a lambda could connect to the mqtt components. Thanks in advance for any ideas other than a python rewrite which I am working on, but, looking for a solution to get ggv2 running with ggv1 lambdas while working on python conversion.

does anyone know what the date/time format is called that is used in greengrass the **2022-06-15T08:26:23.770Z** in for example /greengrass/v2/logs/greengrass.log **2022-06-15T08:26:23.770Z** [INFO] (Thread-5) com.aws.greengrass.shadowmanager.ipc.UpdateThingShadowRequestHandler: Successfully updated shadow. {service-name=au.com.blabla.gg_shadow_config, thing name=smartdvr-1423019132001, shadow name=config1, local-version=20102} I'm trying to match the greengrass log format using normal python `logging.Formatter` for some non-greengrass related logfiles, but use 1 logfile_upload component to do one-shot logfile request,response to CloudWatch, and it would be easier if they are all in the same format. ``` logging.Formatter.formatTime = (lambda self, record, datefmt=None: datetime.datetime.fromtimestamp(record.created, datetime.timezone.utc).astimezone().isoformat(sep="T",timespec="milliseconds")) ``` gets very close `2021-08-05T22:43:02.985614+00:00 Something logged here ` but **+00:00** needs to be replaced with **Z** https://en.wikipedia.org/wiki/ISO_8601 describes both the +00:00 and the Z , so it doesn't help me with finding examples

I am importing lambdas as components for ggv2 using the AWS CLI. The lambdas import successfully but when I deploy to greengrass v2 I get the following error: > Error occurred while processing deployment. {deploymentId=********************, serviceName=DeploymentService, currentState=RUNNING}java.util.concurrent.ExecutionException: com.aws.greengrass.componentmanager.exceptions.NoAvailableComponentVersionException: No local or cloud component version satisfies the requirements. Check whether the version constraints conflict and that the component exists in your AWS account with a version that matches the version constraints. If the version constraints conflict, revise deployments to resolve the conflict. Component devmgmt.device.scheduler version constraints: thinggroup/dev-e01 requires =3.0.61. at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122) The version exists as it was imported successfully but the artifact is not transferred to the Greengrass Core. If I import the lambda from the AWS Management Console then it works as expected. Here is my CLI json input file and the command I am running. What am I missing? `aws greengrassv2 create-component-version --cli-input-json file://lambda-import-worker.json` *lambda-import-worker.json file:* ``` { "lambdaFunction": { "lambdaArn": "arn:aws:lambda:*******:***************:function:devmgmt-worker:319", "componentName": "devmgmt.device.scheduler", "componentVersion": "3.0.61", "componentPlatforms": [ { "name": "Linux amd64", "attributes": { "os": "All", "platform": "All" } } ], "componentDependencies": { "aws.greengrass.TokenExchangeService":{ "versionRequirement": ">=2.0.0 <3.0.0", "dependencyType": "HARD" }, "aws.greengrass.LambdaLauncher": { "versionRequirement": ">=2.0.0 <3.0.0", "dependencyType": "HARD" }, "aws.greengrass.LambdaRuntimes": { "versionRequirement": ">=2.0.0 <3.0.0", "dependencyType": "SOFT" } }, "componentLambdaParameters": { "maxQueueSize": 1000, "maxInstancesCount": 100, "maxIdleTimeInSeconds": 120, "timeoutInSeconds": 60, "statusTimeoutInSeconds": 60, "pinned": true, "inputPayloadEncodingType": "json", "environmentVariables": {}, "execArgs": [], "linuxProcessParams": { "isolationMode": "NoContainer" }, "eventSources": [ { "topic": "device/notice", "type": "PUB_SUB" }, { "topic": "$aws/things/thingnameManager/shadow/name/ops/update/accepted", "type": "IOT_CORE" }, { "topic": "dev/device", "type": "IOT_CORE" } ] } } } ```

I created a component using "Recipe as YAML" ``` --- RecipeFormatVersion: '2020-01-25' ComponentName: com.example.MyPrivateDockerComponent ComponentVersion: '1.0.0' ComponentDescription: 'A component that runs a Docker container from a private Amazon ECR image.' ComponentPublisher: Amazon ComponentDependencies: aws.greengrass.DockerApplicationManager: VersionRequirement: ~2.0.0 aws.greengrass.TokenExchangeService: VersionRequirement: ~2.0.0 Manifests: - Platform: os: all Lifecycle: Run: docker run <accountID>.dkr.ecr.us-east-1.amazonaws.com/demo:latest Artifacts: - URI: "docker:<accountID>.dkr.ecr.us-east-1.amazonaws.com/demo:latest" ``` i have tried to install docker-ce docker-ce-cli by using ``` Install: RequiresPrivilege: true Script: apt-get install docker-ce docker-ce-cli containerd.io ``` after component created i tried to deploy it in core but it is showing:- ``` FAILED_NO_STATE_CHANGE: Failed to download artifact name: 'docker:<accountID>.dkr.ecr.us-east-1.amazonaws.com/demo:latest' for component com.example.Test7-1.0.0, reason: Failed to get auth token for docker login ```

I have a manifest file which looks like : ``` { "Platform": { "os": "all" }, "Lifecycle": { "Setenv": { "ENDPOINT": "Test_endpoint" }, "Run": "docker rm core -f && docker rm A -f && docker rm B -f && docker rm C -f && docker-compose -f {artifacts:path}/docker-compose.yml up -d" }, "Artifacts": [ { "URI": "docker:D" }, { "URI": "s3://bucket/docker-compose.yml" }, { "URI": "docker:C" }, { "URI": "docker:B" }, { "URI": "docker:A" } ] } ``` and in docker compose file ``` service: image: "XXXXX.dkr.ecr.us-east-1.amazonaws.com/service-1.0:latest" container_name: service network_mode: host environment: AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT: ${AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT} SVCUID: ${SVCUID} AWS_CONTAINER_CREDENTIALS_FULL_URI: ${AWS_CONTAINER_CREDENTIALS_FULL_URI} AWS_CONTAINER_AUTHORIZATION_TOKEN: ${AWS_CONTAINER_AUTHORIZATION_TOKEN} AWS_REGION: ${AWS_REGION} AWS_IOT_THING_NAME: ${AWS_IOT_THING_NAME} ENDPOINT: ${ENDPOINT} depends_on: - core - ledservice - scannerservice volumes: - ${AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT}:${AWS_GG_NUCLEUS_DOMAIN_SOCKET_FILEPATH_FOR_COMPONENT} command: --uri localhost:4400 --port 9100 --name stow ``` But i am unable to retrieve the value of ENDPOINT in my docker container using System.getEnv("ENDPOINT") or print all the environment variable using printenv on SSH. Value being returned is 'ENDPOINT=' i.e. empty. What am i doing wrong here? because i could not find much references where Setenv is being used or how to use it using docker.

I've created a Node.js Lambda function based on the examples found here (https://github.com/aws-samples/aws-greengrass-lambda-functions) and imported it as a Greengrass V2 component. Additionally, I've configured the Lambda function component as a 'pinned' or 'long-lived' function (i.e., it should remain running in the background). Also, the Lambda function is configured NOT to run in a Greengrass container (i.e., `NoContainer`). Initially, upon deploying the Lambda function, it would not run at all. Then, after increasing the `timeoutInSeconds` value from 3 to 60, I was able to see the function start and run, but then it is promptly killed via `SIGTERM` after ~60 seconds. Increasing the `timeoutInSeconds` value to the max allowed (2147483647) doesn't seem to change the behavior either (and isn't really a good solution). Since a 'pinned' function should be able to run indefinitely, I would think the `timeoutInSeconds` value would not matter to the execution of the function (i.e., Greengrass should not kill it)? I have seen some older comments/notes from other users (https://www.repost.aws/questions/QUJcrxYJosQHe_jTAyaAzYOw/issues-node-js-hello-world-running-core-1-9-2) that this can happen when the `callback()` function is not called in your Lambda's handler function, but I tried this, and it did not seem to fix the issue. I also tried using an asynchronous (`async`) handler, but this didn't behave any differently. Is there another setting that must be configured properly in Greengrass V2? The Lambda component? The Lambda function itself? Do I need construct the Lambda handler in a specific way? Are there any better examples of Lambda functions for Greengrass than what is at the link above? Thanks!

As HSM we are using the microchip tech ATECC608A. We are using that in Greengrass v1 and it is properly working. Here is the configuration example: ``` "IoTCertificate": { "privateKeyPath": "pkcs11:object=device;type=private", "certificatePath": "file:///path-to-core-device-certificate/xxx.pem.crt" } ``` In this, we are giving certificatePath that is available on the device. but in Greengrass v2 we have to specify the certificateFilePath as "pkcs11:object=device;type=cert". Example config.yaml ``` certificateFilePath: "pkcs11:object=iotdevicekey;type=cert" privateKeyPath: "pkcs11:object=iotdevicekey;type=private" ``` So is there any way to use the on-device connection certificate path in "certificateFilePath" attribute or do I have to write connection certificate in chip?

I have created a component using GreengrassV2 and running multiple containers inside this component. Now, my requirement is to call API Gateway and fetch some data into one of the docker containers running on the local device inside the component. I am using "import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;" for fetching the credentials but getting ``` 05:45:06.476 INFO - Calling API Gateway with request params com.amazon.spiderIoT.stowWorkcell.entities.ApiGatewayRequest@e958e637 Exception in thread "main" com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@7c36db44: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@6c008c24: Failed to connect to service endpoint: ] at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1269) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:845) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:794) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755) at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715) at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561) at com.amazon.spiderIoT.stowWorkcell.client.ApiGatewayClient.execute(ApiGatewayClient.java:134) at com.amazon.spiderIoT.stowWorkcell.client.ApiGatewayClient.execute(ApiGatewayClient.java:79) at com.amazon.spiderIoT.stowWorkcell.StowWorkcellService.startMQTTSubscriberForSortLocationEvents(StowWorkcellService.java:120) at com.amazon.spiderIoT.stowWorkcell.StowWorkcellService.onInitialize(StowWorkcellService.java:65) at com.amazon.spideriot.sdk.service.Service.run(Service.java:79) at com.amazon.spiderIoT.stowWorkcell.StowWorkcellServiceDriver.main(StowWorkcellServiceDriver.java:26) ``` My dependencyConfiguration looks like :- ``` { "aws.greengrass.TokenExchangeService": { "componentVersion": "2.0.3", "DependencyType": "HARD" }, "aws.greengrass.DockerApplicationManager": { "componentVersion": "2.0.4" }, "aws.greengrass.Cloudwatch": { "componentVersion": "3.0.0" }, "aws.greengrass.Nucleus": { "componentVersion": "2.4.0", "configurationUpdate": { "merge": "{\"logging\":{\"level\":\"INFO\"}, \"iotRoleAlias\": \"GreengrassV2TestCoreTokenExchangeRoleAlias\"}" } }, "aws.greengrass.LogManager": { "componentVersion": "2.2.3", "configurationUpdate": { "merge": "{\"logsUploaderConfiguration\":{\"systemLogsConfiguration\": {\"uploadToCloudWatch\": \"true\",\"minimumLogLevel\": \"INFO\",\"diskSpaceLimit\": \"10\",\"diskSpaceLimitUnit\": \"MB\",\"deleteLogFileAfterCloudUpload\": \"false\"},\"componentLogsConfigurationMap\": {\"LedService\": {\"minimumLogLevel\": \"INFO\",\"diskSpaceLimit\": \"20\",\"diskSpaceLimitUnit\": \"MB\",\"deleteLogFileAfterCloudUpload\": \"false\"}}},\"periodicUploadIntervalSec\": \"5\"}" } } } ``` Java code for using AWS credentials ``` public class APIGatewayModule extends AbstractModule { @Provides @Singleton public AWSCredentialsProvider getAWSCredentialProvider() { return new DefaultAWSCredentialsProviderChain(); } @Provides @Singleton public ApiGatewayClient getApiGatewayClient(final AWSCredentialsProvider awsCredentialsProvider) { System.out.println("Getting client configurations"); final com.amazonaws.ClientConfiguration clientConfiguration = new com.amazonaws.ClientConfiguration(); System.out.println("Got client configurations" + clientConfiguration); return new ApiGatewayClient(clientConfiguration, Region.getRegion(Regions.fromName("us-east-1")), awsCredentialsProvider, AmazonHttpClient.builder().clientConfiguration(clientConfiguration).build()); } } ``` I have been following this doc: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html My question is regarding everywhere in this document, it is mentioned that "AWS IoT Core credentials provider", what credentials provider should we use? Also, as mentioned in this doc we should use --provision true when "When you run the AWS IoT Greengrass Core software, you can choose to provision the AWS resources that the core device requires." But we started without this flag, how can this be tackled and is there any other document that provides reference to using credentials provider and calling API Gateway from AWS SDK Java. On SSH to docker, i could find that the variable is set ``` AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:38135/2016-11-01/credentialprovider/ ``` But unable to curl from docker to this URL, is this how this is suppose to work?

Hi, After making a change to a component's config and then deploying this via GG V2 deployment, how can I trigger the component to restart automatically so it picks up the new configuration? Many thanks in advance

I am using IOT grengrass to deploy lamda function for my IOT core device - Raspberry Pi 3. I have completed all the necessary steps regarding the same. While starting Daemon from raspbery pi 3 and deploying from AWS greengrass console (using group V1), i am getting this below error, "Deployment 6cc8251b-f006-44f6-bebc-050da8d84bd7 of type NewDeployment for group 4fd1b5be-8b43-4734-a805-266d7482b81a failed error: process start failed: failed to run container sandbox: container_linux.go:380: starting container process caused: exec: "/lambda/greengrassSystemComponents": stat /lambda/greengrassSystemComponents: no such file or directory" I using AWS IOTfor first time, so not sure why this error is comimg. Please help me. Thanks

How close is AWS in supporting pkcs11 ECC Keys in GreenGrass ? We are using ATECC608B's from microchip with AWS-IoT and that is already supported if we use our own mosquitto broker on the device, But for GreenGrass V2 this won't work currently. I see some pull requests for pkcs11 keys (and an announcement [here](https://repost.aws/questions/QUbB6kk6KVTIOvpWwBYp9-Vw/announcement-aws-io-t-greengrass-v-2-now-supports-the-use-of-hardware-security-modules-hsm)) and some for ECC so I assume it is on the Roadmap ? Is this a correct assumption ? And if so, is there a timeline that we can get ?

According to the documentation Greengrass Nucleus should rotate logs every hour (https://docs.aws.amazon.com/greengrass/v2/developerguide/log-manager-component.html). So I suppose no matter of the log size I should see a new file every hour. So the maximum delay of logs uploaded with LogManager would be 1 hour. I see some "random" rotations however. My configuration of Nucleus is default. Example of my rotations: -rw-r--r-- 1 root root 31953 Jun 6 07:32 greengrass.log -rw-r--r-- 1 root root 212 May 30 22:40 greengrass_2022_05_30_22_0.log -rw-r--r-- 1 root root 212 Jun 2 12:12 greengrass_2022_06_02_12_0.log -rw-r--r-- 1 root root 736 Jun 2 14:21 greengrass_2022_06_02_14_0.log -rw-r--r-- 1 root root 126334 Jun 2 20:40 greengrass_2022_06_02_20_0.log -rw-r--r-- 1 root root 53873 Jun 3 12:30 greengrass_2022_06_03_12_0.log -rw-r--r-- 1 root root 467 Jun 3 17:54 greengrass_2022_06_03_17_0.log -rw-r--r-- 1 root root 13527 Jun 3 19:20 greengrass_2022_06_03_19_0.log -rw-r--r-- 1 root root 212 Jun 6 06:10 greengrass_2022_06_06_06_0.log Could you clarify the 1 hour rotation rule?

We just started implementing a dockerized greengrass v2 component, inspired by - https://github.com/awslabs/aws-greengrass-labs-local-web-server When we do "self._ipc_client: GreengrassCoreIPCClient = awsiot.greengrasscoreipc.connect()" we get the following error: ``` `"``14:07:51 - robot.system - INFO - Start Init IPC Traceback (most recent call last): File "/usr/local/bin/start-farm", line 8, in <module> sys.exit(main()) File "/usr/local/lib/python3.10/site-packages/command/farm.py", line 139, in main mqtt: IPC = IPC(config, logger) File "/usr/local/lib/python3.10/site-packages/common/ipc.py", line 75, in __init__ self._ipc_client: GreengrassCoreIPCClient = awsiot.greengrasscoreipc.connect() File "/usr/local/lib/python3.10/site-packages/awsiot/greengrasscoreipc/__init__.py", line 65, in connect connect_future = connection.connect(lifecycle_handler) File "/usr/local/lib/python3.10/site-packages/awsiot/eventstreamrpc.py", line 449, in connect raise e File "/usr/local/lib/python3.10/site-packages/awsiot/eventstreamrpc.py", line 437, in connect protocol.ClientConnection.connect( File "/usr/local/lib/python3.10/site-packages/awscrt/eventstream/rpc.py", line 305, in connect _awscrt.event_stream_rpc_client_connection_connect( RuntimeError: 44 (AWS_ERROR_FILE_INVALID_PATH): Invalid file path." ` ``` Any idea where this comes from? Thanks !!

I am trying to register a DeepLens v1.1. I have created a boot usb drive and did a Factory Reset. The device will still not register (either via the 1.1 or the 1.0) method. When I try the 1.0 method I get stuck with "**The security token included in the request is invalid**". Therefore I can't create roles or get certificates. I can log into the DeepLens just fine -- and apt and apt-get work fine -- I have followed all the reset instructions on the AWS site -- and there is very little info there or anywhere (all info on this site does not work or is not answered) Please Help !

Hello everyone, I'd like to use MQTT retained messages in the Greengrass component. Is it possible? The next [tutorial](https://docs.aws.amazon.com/iot/latest/developerguide/mqtt.html#mqtt-retain-using) says about retained messages. But there is nothing on how to set the retained flag in the documentation about IPC communication.

I have no need to upload all logfiles, of all Core Devices in a deployment group, all the time. I would just like to ask for logs of a specific Device if things go wrong. The documentation of [logmanager](https://docs.aws.amazon.com/greengrass/v2/developerguide/log-manager-component.html?icmpid=docs_gg_console) indicates that this is more of a permanent continuous logfile upload. Is there an existing way to 'trigger' a single upload of all/selected greengrass logs ? (using GG v2)

While running IDT for my gateway device, I got the following error for StreamManager component: ``` com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: XXXXXXXXXXXXXXX S3 Extended Request ID: XXXXXXXXXXXXXXX=; Proxy: null). {scriptName=services.aws.greengrass.StreamManager.lifecycle.startup.script, serviceName=aws.greengrass.StreamManager, currentState=RUNNING} ``` IDT script is creating the roles and s3 buckets on the fly. So its not east to debug via aws console. So I checked cloudtrail. But it seems data events (s3 upload) is not logged in cloudtrail. How can I investigate further ?

The component 'aws.greengrass.SecureTunneling' (v1.0.7) is not installing on an Ubuntu 18.04 device with Greengrass. What command/service does it use to determine the OS type ? Output of common os-checking commands: lsb_release -a ``` LSB Version: core-9.20170808ubuntu1-noarch:security-9.20170808ubuntu1-noarch Distributor ID: Ubuntu Description: Ubuntu 18.04.6 LTS Release: 18.04 Codename: bionic ``` arch ``` arch ``` hostnamectl ``` Icon name: computer Machine ID: a3d9197b765643568af09eb2bd3e5ce7 Boot ID: 485f9ca2cc4549d694968e332c58f415 Operating System: Ubuntu 18.04.6 LTS Kernel: Linux 4.9.253-tegra Architecture: arm64 ``` Logs: ``` redacted@terminal$ sudo tail -n 100 /greengrass/v2/logs/aws.greengrass.SecureTunneling.log 2022-05-31T15:49:53.220Z [INFO] (pool-2-thread-5665) aws.greengrass.SecureTunneling: shell-runner-start. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=STARTING, command=["java -jar /greengrass/v2/packages/artifacts/aws.greengrass.SecureTunneling/1.0..."]} 2022-05-31T15:49:56.358Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [INFO ] 2022-05-31 16:49:56.348 [main] SecureTunneling - Starting secure tunneling component!. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.408Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.450Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2022-05-31 16:49:56.402 [main] SecureTunneling - Exception initializing secure tunneling task.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.451Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. com.aws.greengrass.component.securetunneling.exceptions.SecureTunnelingTaskException: Unable to determine compatible OS distribution information! Supported OS distributions: [amzn2,ubuntu,raspberrypi]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.452Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. at com.aws.greengrass.component.securetunneling.utils.PlatformResolver.getOSDistroInfoForArch(PlatformResolver.java:51) ~[GreengrassV2SecureTunnelingComponent-1.0-all.jar:?]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.452Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. at com.aws.greengrass.component.securetunneling.SecureTunneling.extractExecutablePathFromArgs(SecureTunneling.java:66) ~[GreengrassV2SecureTunnelingComponent-1.0-all.jar:?]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.452Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. at com.aws.greengrass.component.securetunneling.SecureTunneling.main(SecureTunneling.java:33) ~[GreengrassV2SecureTunnelingComponent-1.0-all.jar:?]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.509Z [INFO] (Copier) aws.greengrass.SecureTunneling: Run script exited. {exitCode=1, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:56.515Z [INFO] (pool-2-thread-5659) aws.greengrass.SecureTunneling: shell-runner-start. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=STARTING, command=["java -jar /greengrass/v2/packages/artifacts/aws.greengrass.SecureTunneling/1.0..."]} 2022-05-31T15:49:59.375Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [INFO ] 2022-05-31 16:49:59.368 [main] SecureTunneling - Starting secure tunneling component!. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.425Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.472Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2022-05-31 16:49:59.419 [main] SecureTunneling - Exception initializing secure tunneling task.. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.472Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. com.aws.greengrass.component.securetunneling.exceptions.SecureTunnelingTaskException: Unable to determine compatible OS distribution information! Supported OS distributions: [amzn2,ubuntu,raspberrypi]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.472Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. at com.aws.greengrass.component.securetunneling.utils.PlatformResolver.getOSDistroInfoForArch(PlatformResolver.java:51) ~[GreengrassV2SecureTunnelingComponent-1.0-all.jar:?]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.473Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. at com.aws.greengrass.component.securetunneling.SecureTunneling.extractExecutablePathFromArgs(SecureTunneling.java:66) ~[GreengrassV2SecureTunnelingComponent-1.0-all.jar:?]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.473Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. at com.aws.greengrass.component.securetunneling.SecureTunneling.main(SecureTunneling.java:33) ~[GreengrassV2SecureTunnelingComponent-1.0-all.jar:?]. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} 2022-05-31T15:49:59.508Z [INFO] (Copier) aws.greengrass.SecureTunneling: Run script exited. {exitCode=1, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING} ```

Hello, I am trying to connect Ignition Edge to my Greengrass V2 Core device (running in a VM) via MQTT. I did the steps explained on the Cloud discovery configuration, but I just cannot seem to get it to work properly. Is it possible to connect client devices to Greengrass Core without the use of the AWS SDK?

I see the following process on my GreenGrass device: `java -Dlog.store=FILE -Dlog.store=FILE -Droot=/greengrass/v2 -jar /greengrass/v2/alts/current/distro/lib/Greengrass.jar --setup-system-service false` is this the main greengrass service ? I'm asking because it seems to use a lot of memory and seems to be growing all the time causing the swap memory to grow. ``` jeteye@jeteye:/data/rt$ sudo smem --sort=swap -r PID User Command Swap USS PSS RSS 4525 root java -Dlog.store=FILE -Dlog 514860 353064 353386 354676 7067 ggc_user java -jar /greengrass/v2/pa 75560 2720 2986 3392 7957 root /usr/sbin/streamcontroller 57640 60192 61500 63172 6029 root /usr/bin/dockerd -H fd:// - 33704 21848 21848 21856 ``` and eventually ( over 2.5+ hours) the swap process (kswapd0) is starting to take so much processor time that other processes (that need to handle live video) don't get enough time and restart (this is a guess..still collecting more information). Is there a way to limit the amount of memory that GreenGrass uses over time ?

Hello, I have a couple of questions related to selecting the right tool for the job. There are three different technologies, which apparently all of them can handle device management: 1. AWS Systems Manager Agent component - the standard edition is limited to 1,000 devices (per account and per region). My understanding is that it would allow me to use the regular system manager capabilities, e.g., patching, automation, session manager (remote shell access), etc. 2. AWS IoT Device Management - there are some unique capabilities but similar to AWS Systems Manager it enables Device Jobs (that can be used to support software updates), Secure Tunneling (remote access), etc. 3. AWS Greengrass V2 Deployments (Create deployments) - appear to allow updating Greengrass software via jobs. I prefer to use just the tools I really need. Can you please advise what is the different between the three approach specifically for managing (patch/updates) Greengrass (V2) Core devices? is the 3rd option (AWS Greengrass V2 Deployments) sufficient for patch/updates in this particular use case? Thank you

I encountered the "new" status but I'm unsure what it means: [Screenshot here](https://imgur.com/a/z2QHYGl) As far as I can see the component is functioning normally and is in state RUNNING locally and has been installed for a long time, but in Greengrass cloud displayed a "new".

Hello, when I run greengrass-cli under a certain account, it works. When I do the same using a bash shell from a gg component having the **same** account context, it does not work. (Note I use sudo -u [account] -S for that) But I get this error... ``` Not able to find auth information in directory: /greengrass/v2/cli_ipc_info. Please run CLI as authorized user or group ``` the given directory does have a file named user-0 having a valid token! Thanks for any insights!

Hello, How can I ensure minimal impact on service availability (AWS IoT Greengrass Core Device) while deploying new/updated components? Is there a way to schedule these activities (e.g., maintenance windows)? The Greengrass device is not connect to any client-device, it is the actual device used by users and it may have severe impact on users if it goes down unexpectedly. Thank you, Yossi

Hello, The use case I have is this - There are two types of AWS IoT Greengrass V2 core devices that are implemented, which are connected (in the same private LAN network) in hub and spoke architecture. None of them are connected to client devices (Greengrass is being used because of its IPC and orchestration benefits): 1. [Spoke] AWS IoT Greengrass V2 core device is directly attached to a camera. The Video stream is sent to an Hub AWS IoT Greengrass V2 core device for ML processing (inference) that must be near-real time. 2. [Hub] AWS IoT Greengrass V2 core device that is processing and Fan-Out video streams: **A)** to ML inference interface (**local component of the hub**) **B)** to Kinesis Firehose (S3; to re-train the model) **C)** AWS Kinesis Video Stream (for human to view the video online) I have a couple of questions: 1. Is the architecture feasible? Make sense? 2. What is the best (performance and security wise) technology (open source, AWS component, protocol) to use in Spoke and Hub devices to send the video stream from the spokes to the hub (the video has to be high quality with minimal/no compression to keep the inference accuracy high)? 2. Can the Stream Manager component of AWS IoT Greengrass V2 core send (Hub) streams in fun-out mode (**e.g., to two different destinations concurrently, AWS Kinesis Firehose and AWS Kinesis Video Streams**)? Thank you, Yossi

Hello, I have a couple of questions about the [provisioning process](https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html) by either trusted user or provisioning claim: 1. If you do not want to put too much trust on the supplier, how would you provide it the ability to establish provisioning claim certificates so it can install them on the device during manufacturing? 2. If the device is delivered and then being reset to factory settings - how the device can be recovered if the provisioning claim certificate is expired/revoked? 3. If you choose to use the trusted-user approach, how would you connect to the device's local web server? More specifically how would you securely install TLS certificate for the device's local web server? 4. If the IoT device is Greengrass (V2) would it make more sense to use HSM Key (e.g., [USB A Yubico](https://www.yubico.com/il/works-with-yubikey/catalog/aws-iot-greengrass/)) just to support secure re-bootstrapping of the device (so it can load all the initial secrets/certificates/ssm-activation codes)?

Hi there, I am have this error ``` An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied. {scriptName=services.media_camera.lifecycle.Run, serviceName=media_camera, currentState=RUNNING} ``` here is my toke-exchange-role ``` RealiteGGTokenAccessPolicy: Type: "AWS::IAM::ManagedPolicy" Properties: ManagedPolicyName: "realite-greengrassv2-token-exchange-access-policy" Description: "Allow gg device core to use AWS backend services" PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - iot:DescribeCertificate - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogStreams - s3:GetBucketLocation - s3:PutObject - s3:GetObject - s3:ListBucket - s3:ListObjects - kinesis:PutRecords Resource: "*" - Effect: Allow Action: - secretsmanager:GetSecretValue Resource: - Fn::ImportValue: !Sub ${EnvironmentTag}:RealiteSecretsCameraCredentialsSecret Roles: - !Ref RealiteGGTokenAccessRole ``` I wonder where can that permission come from Thanks for your help

According to [this documentation](https://docs.aws.amazon.com/greengrass/v2/developerguide/component-recipe-reference.html), we can use variables, but it seems like only _"within lifecycle definitions in component recipes"_. Is there any undocumented way of using variables in the `accessControl` statements? Specifically I'm trying to add the following `accessControl` statements: ```yaml DefaultConfiguration: accessControl: aws.greengrass.ipc.mqttproxy: "{COMPONENT_NAME}:mqttproxy:1": policyDescription: Allows subscribing to command messages from aws-iot-core operations: - "aws.greengrass#SubscribeToIoTCore" resources: - "iot/cache/#" - "iot/gateways/{iot:thingName}/command/+" - "iot/gateways/{iot:thingName}/status/+" "{COMPONENT_NAME}:mqttproxy:2": policyDescription: Allows publishing update messages to aws-iot-core operations: - "aws.greengrass#PublishToIoTCore" resources: - "iot/things/+/message" ``` ... but I get `awsiot.greengrasscoreipc.model.UnauthorizedError` when subscribing to `iot/gateways/my-actual-core-name/command/+` and `iot/gateways/my-actual-core-name/status/+`. I have found through trial and error that the following resource statements allow me to do what I want, but they're somewhat "overly permissive": ```yaml resources: - "iot/cache/#" - "iot/gateways/+/command/+" - "iot/gateways/+/status/+" ``` Then I can actually subscribe to `iot/gateways/my-actual-core-name/command/+` and `iot/gateways/my-actual-core-name/status/+`. That's a little counter-intuitive to me because they're not explicitly the same topic pattern (I would expect to only be allowed to subscribe to `iot/gateways/+/command/+` exactly). It's an okay workaround for now, but I was hoping I could do better and prevent a given gateway from subscribing to `iot/gateways/arbitrary-words/command/+`

Use-case: Automatically build AWS Security groups by reporting the external-facing IP address of an edge device running AWS Greengrass V2. Is there an AWS provided component that does this ? I see that the IoT Device Defender Component posts some information regarding how many bytes over which ports. We are looking for a component that can report: - External facing IP - Bandwidth usage (or at least, bandwidth used by the Greengrass software) Does such a public component exist, or would it have to be a custom-built component ?

I've been using local deployments (`bin/greengrass-cli deployment create`) during development of my Component. I'm at the point where I'm happy with it and want to do a clean deploy to verify I have all the right settings before I start a publish/deploy/test cycle. I tried deleting the package manually on the machine, but that doesn't fix things. The main reason I want to do this is, during development, I was editing the recipe in the LocalDebugConsole webpage and it seems that now any updates to my source package recipe don't make it to the _effective_ config (at least through local deployments). Without deleting my container volume and starting over, is there a way to delete/reset/clear/clean these local deployments or otherwise get my recipe to use the source recipe instead of the locally edited one?

Hello, we are running our device with an A/B OS partition so upgrades can be rolled back. we will also have a data partition for everything that will need to be persisted inbetween upgrades. Is it possible to install greengrass to a 'data' partition and then have the greengrass service installed on both A and B partitions so it can pickup the same certificates, deployments no matter which of the 2 OS partitions is active ? do you have any advice on how we can keep the greengrass provisioning alive between upgrades ? is there a way to have the 'variable' part of /greengrass/v2/ split from the services ?

I'm currently trying to create a component in a tenant account using the artifact packaged in a central account S3 bucket. The tenant account and central account are in the same AWS Organization. I've tried the following settings to enable the tenant accounts to access the S3 bucket: 1. On the central account S3 bucket (I wasn't sure what Principal Service/User was trying to test this access, so I just "shotgunned" it): ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "greengrass.amazonaws.com", "iot.amazonaws.com", "credentials.iot.amazonaws.com" ] }, "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::MY-CENTRAL-ACCOUNT-BUCKET/*" }, { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTorrent", "s3:GetObjectVersionAcl", "s3:GetObjectAcl" ], "Resource": "arn:aws:s3:::MY-CENTRAL-ACCOUNT-BUCKET/*", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-abc123def456" } } }, ... ] } ``` 2. On the `GreengrassV2TokenExchangeRole` in the tenant account, I've added the `AmazonS3FullAccess` AWS Managed policy (just to see if I could eliminate this Role as the blocker) I've verified that, as a User in the tenant account, I have access to the object in S3 and can do `aws s3 cp` as a tenant User (so the bucket policy doesn't seem to be blocking things). Whenever I try creating the Component in the tenant account, I'm met with: ``` Invalid Input: Encountered following errors in Artifacts: {s3://MY-CENTRAL-ACCOUNT-BUCKET/com.example.my-component-name/1.0.0-dev.0/application.zip = Specified artifact resource cannot be accessed} ``` ... using either the AWS IoT Greengrass Console and the AWS CLI. What am I missing? Is there a different service-linked role, I should be allowing in the S3 Bucket Resource Policy? It just seems like an access-test during Component creation and not an actual attempt to access the resource. I'm fairly certain if I assumed the Greengrass-TES role, I'd be able to download the artifact too (although I haven't explicitly done that yet).

**Gentlefolks, why is the the token exchange service (TES) failing to fetch credentials?** I have greengrass installed on Ubuntu 20.x.x running on a virtual machine. At the end of the numbered items is an error log (truncated) obtained from `/greengrass/v2/logs/greengrass.log`. Thank you What I've done or what I think you should know: 1. There exist `GreenGrassServiceRole` which contains `AWSGreengrassResourceAccessRolePolicy`, and every other policy containing the word "greengrass" in its name. It also has a trust relationship as below. This was created when I installed Greengrass, but I added additional policies. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "greengrass.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "<MY_ACCOUNT_NUMBER>" }, "ArnLike": { "aws:SourceArn": "<ARN_THAT_SHOWS_MY_REGION_AND_ACC_NUMBER>:*" } } }, { "Effect": "Allow", "Principal": { "Service": "credentials.iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` 2. `aws.greengrass.Nucleus` component is deployed with the following configuration update. The alias also exists. ``` { "reset": [], "merge": { "ComponentConfiguration": { "DefaultConfiguration": { "iotRoleAlias": "GreengrassV2TokenExchangeRoleAlias", "awsRegion": "us-east-1", "iotCredEndpoint": "https://sts.us-east-1.amazonaws.com", "iotDataEndpoint": "<ENDPOINT_OBTAINED_FROM_IOT_CORE_SETTINGS>" } } } } ``` 3. `aws.greengrass.TokenExchangeService` is deployed. 4. There's a custom component that uses the Greengrass SDK to publish to IoT Core. It has the following configuration update. ``` { "reset": [], "merge": { "ComponentDependencies": { "aws.greengrass.TokenExchangeService": { "VersionRequirement": "^2.0.0", "DependencyType": "HARD" } } } } ``` 5. There is an IoT policy from a previous exercise which attached to the core device (Ubuntu on virtual machine) certificate. It allows **all** actions. There's also another `GreengrassTESCertificatePolicyGreengrassV2TokenExchangeRoleAlias` which is associated with the thing's certificate. The policy allows `iot:AssumeRoleWithCertificate` **ERROR LOG BELOW** ``` 2022-05-21T21:07:39.592Z [ERROR] (pool-2-thread-28) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GreengrassV2TokenExchangeRoleAlias/credentials, credentialData=Failed to get connection} 2022-05-21T21:08:38.071Z [WARN] (pool-2-thread-28) com.aws.greengrass.tes.CredentialRequestHandler: Encountered error while fetching credentials. {iotCredentialsPath=/role-aliases/GreengrassV2TokenExchangeRoleAlias/credentials} com.aws.greengrass.deployment.exceptions.AWSIotException: Unable to get response at com.aws.greengrass.iot.IotCloudHelper.getHttpResponse(IotCloudHelper.java:95) at com.aws.greengrass.iot.IotCloudHelper.lambda$sendHttpRequest$1(IotCloudHelper.java:80) at com.aws.greengrass.util.BaseRetryableAccessor.retry(BaseRetryableAccessor.java:32) at com.aws.greengrass.iot.IotCloudHelper.sendHttpRequest(IotCloudHelper.java:81) at com.aws.greengrass.tes.CredentialRequestHandler.getCredentialsBypassCache(CredentialRequestHandler.java:207) at com.aws.greengrass.tes.CredentialRequestHandler.getCredentials(CredentialRequestHandler.java:328) at com.aws.greengrass.tes.CredentialRequestHandler.getAwsCredentials(CredentialRequestHandler.java:337) at com.aws.greengrass.tes.LazyCredentialProvider.resolveCredentials(LazyCredentialProvider.java:24) at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.resolveCredentials(AwsExecutionContextBuilder.java:165) at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:102) at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:175) at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76) at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45) at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56) at software.amazon.awssdk.services.s3.DefaultS3Client.getBucketLocation(DefaultS3Client.java:3382) at com.aws.greengrass.componentmanager.builtins.S3Downloader.lambda$getRegionClientForBucket$2(S3Downloader.java:134) at com.aws.greengrass.util.RetryUtils.runWithRetry(RetryUtils.java:50) at com.aws.greengrass.componentmanager.builtins.S3Downloader.getRegionClientForBucket(S3Downloader.java:133) at com.aws.greengrass.componentmanager.builtins.S3Downloader.getDownloadSize(S3Downloader.java:115) at com.aws.greengrass.componentmanager.ComponentManager.prepareArtifacts(ComponentManager.java:420) at com.aws.greengrass.componentmanager.ComponentManager.preparePackage(ComponentManager.java:377) at com.aws.greengrass.componentmanager.ComponentManager.lambda$preparePackages$1(ComponentManager.java:338) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: java.net.UnknownHostException: https at java.base/java.net.InetAddress$CachedAddresses.get(InetAddress.java:797) at java.base/java.net.InetAddress.getAllByName0(InetAddress.java:1509) at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1368) at java.base/java.net.InetAddress.getAllByName(InetAddress.java:1302) at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:112) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) at jdk.internal.reflect.GeneratedMethodAccessor51.invoke(Unknown Source) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at software.amazon.awssdk.http.apache.internal.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:80) at com.sun.proxy.$Proxy15.connect(Unknown Source) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at software.amazon.awssdk.http.apache.internal.impl.ApacheSdkHttpClient.execute(ApacheSdkHttpClient.java:72) at software.amazon.awssdk.http.apache.ApacheHttpClient.execute(ApacheHttpClient.java:253) at software.amazon.awssdk.http.apache.ApacheHttpClient.access$500(ApacheHttpClient.java:106) at software.amazon.awssdk.http.apache.ApacheHttpClient$1.call(ApacheHttpClient.java:232) at com.aws.greengrass.iot.IotCloudHelper.getHttpResponse(IotCloudHelper.java:88) ... 27 more 2022-05-21T21:08:38.073Z [ERROR] (pool-2-thread-28) com.aws.greengrass.tes.CredentialRequestHandler: Error in retrieving AwsCredentials from TES. {iotCredentialsPath=/role-aliases/GreengrassV2TokenExchangeRoleAlias/credentials, credentialData=Failed to get connection} ```

Dear AWS, We need to create greengrass deployments and are using following cli command https://awscli.amazonaws.com/v2/documentation/api/latest/reference/greengrassv2/create-deployment.html. It looks like this option is missing from the command, could you please add it if it's indeed missing or advise on how to add it? Thank you in advance. With best regards

We have multiple greengrass core devices that each have their own deploment. In each deployment, the 'aws.greengrass.telemetry.NucleusEmitter' is configured as follows: { "reset": [], "merge": { "pubSubPublish": "false", "mqttTopic": "<IOT-THING-NAME>", "telemetryPublishIntervalMs": <interval> } } . This allows us to distinguish between the different MQTT messages returned by the edge devices as they each arrive on a different topic. If we were to place all gg cores under the same deployment, is there a way of distinguishing between the messages that will be published on that topic ? Our requirement is to identify individual gg core devices that have memory/component issues, using the 'aws.greengrass.telemetry.NucleusEmitter' component, while having all devices under one deployment.

Environment : **GreenGrassV2**, Deployed on : **Raspberry Pi Version 3** , Operating system :** Raspbian GNU/Linux 10** We want to start and stop raspberry pi operating system's service from lambda function. Lambda function is deployed under green grass container. Service can be start and stop without sudo / root privileges. We have configured polkit service to start/stop service without sudo. To start and stop service we tried with "exec" , "spawn" and "spawnSync" but we are getting error as under ``` {"err":{"killed":false, "code":1,"signal":null,"cmd":"systemctl stop wpa_supplicant@wlan0.service"}} ``` We also tried to execute command using .sh file but that also giving above error. Purpose to start/stop service is, we want to change Raspberry pi AP mode to station mode and vise versa.

I have an OPC server that has nodes with arrays as values. For example I have a node called "Temperatures" which has values [33, 29, 30, 19] in the array. **Is it possible to set single items of this array as properties into SiteWise assets with aliases** like */Temperatures/1*, */Temperatures/2*, */Temperatures/3*, etc.?

I have a Greengrass Lambda component subscribed to the `aws.greengrass.SNS` output topic `sns/message/status` using the `aws.greengrass.LegacySubscriptionRouter` component with the following configuration: ``` { "subscriptions": { "GreengrassSnsOutput": { "id": "GreengrassSnsOutput", "source": "component:aws.greengrass.SNS", "subject": "sns/message/status", "target": f"component:MyComponentName", } } } ``` That works as expected, but if I update the Lambda corresponding to `MyComponentName`, I get the following error message in the main Greengrass log file: ``` com.aws.greengrass.lambdamanager.LambdaNotFoundException: Lambda arn:aws:lambda:region:account:function:my-function-name:# does not exist ``` The [developer guide](https://docs.aws.amazon.com/greengrass/v2/developerguide/legacy-subscription-router-component.html#legacy-subscription-router-component-configuration) suggests that v2.1.0... >Adds support to specify component names instead of ARNs for source and target. If you specify a component name for a subscription, you don't need to reconfigure the subscription each time the version of the Lambda function changes. I took that to mean nothing needs to happen with respect to the subscription after a new component version with the same name but a new Lambda ARN is deployed. Is that right or is there something else that needs to be done? I'm using the following component versions: ``` "aws.greengrass.LegacySubscriptionRouter": { "componentVersion": "2.1.4" }, "aws.greengrass.Nucleus": { "componentVersion": "2.5.5" }, "aws.greengrass.SNS": { "componentVersion": "2.1.0" }, ```

I'm trying to create a Greengrass Lambda function that publishes to an IPC topic using the the IoT SDK. My Lambda code includes: ``` from awsiot import greengrasscoreipc # type: ignore from awsiot.greengrasscoreipc.model import ( # type: ignore JsonMessage, PublishMessage, PublishToTopicRequest, ) ipc_client = greengrasscoreipc.connect() ``` This leads to the following import error: ``` FATAL: lambda_runtime.py:426,Failed to initialize Lambda runtime due to exception: No module named '_awscrt'. ``` I can see that the Lambda artifact includes both `awscrt` and `awsiot` in `/greengrass/v2/packages/artifacts-unarchived/componentName/version/lambda-artifact/`, so I'm not sure why the import is failing. I'm using a non-pinned Python 3.8 Lambda in NoContainer mode with LambdaManager v2.2.3, LambdaLauncher v2.0.10, and LambdaRuntimes v2.0.8 I have been able to use `awsiot` to publish to IPC topics in a non-Lambda component. That component runs a `pip install -r requirements.txt` command to install `awsiotsdk` to the site-packages for `ggc_user` during the install lifecycle, whereas the Lambda component is delivered to the device with its package dependencies included. Any ideas what I need to do differently? I haven't seen this problem yet with other Lambdas that have different dependencies.

Are there plans to support ECC keys in IoT Greengrass V2 - So that security devices like the ATECC608A/B etc can be used to secure keys for Greengrass communications between devices and AWS cloud ? I believe that Greengrass V1 did support this, but support seems to have disappeared it doesn't seem to possible with the current V2 version. Is support for these devices dropped or is there a plan or roadmap for support ? https://devices.amazonaws.com/detail/a3G0L00000AAOCcUAP/ATECC608a-CryptoAuthentication-Secure-Element

I would like to be able to perform local testing of my greengrass components before deployment. The issue is that my components normally use Greengrass IPC, meaning that I cannot perform local testing, as IPC messages cannot be sent/received as the local component test won't be happening in Greengrass. Is there a way to get around this ? Is there a method to mimic/test Greengrass IPC calls in a program, outside of a Greengrass deployment ?

At current, my Greengrass core device (v2.5.5), is on my rasp 3b+ running normally with manual deployment from local/cloud. However, the IDT (version 4.5.3 with suite=GGV2Q_2.3.1) execution passed for 3/6 test cases as below only: ========== Test Summary ========== * Execution Time: 1m51s * Tests Completed: 6 * Tests Passed: 3 * Tests Failed: 3 * Tests Skipped: 0 ---------------------------------- Test Groups: * pretestvalidation: PASSED * version: PASSED * coredependencies: PASSED * mqtt: FAILED * component: FAILED ---------------------------------- Failed Tests: * Group Name: mqtt Test Name: mqttpubsub; Reason: Failed at 'my device is running Greengrass * Group Name: component Test Name: cloudcomponent; Reason: Failed at 'my device is running Greengrass' Test Name: localcomponent; Reason: Failed at 'my device is running Greengrass' ---------------------------------- **Is there further detail/meaningful info from these error log/code?** **I have tried to look into the log folder but nothing else there.** **I have attached all failed logs as below:** # localcomponent: - time="22:48:06+07:00" level=info msg=22:48:06.237 [localdeployment] [INFO] com.aws.greengrass.testing.features.LoggerSteps - Attaching thread context to scenario: 'A component is deployed locally using CLI' - time="22:48:06+07:00" level=info msg=22:48:06.238 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 4: 'my device is registered as a Thing' - time="22:48:08+07:00" level=info msg=22:48:08.085 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IotPolicy in IotLifecycle - time="22:48:09+07:00" level=info msg=22:48:09.615 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IamPolicy in IamLifecycle - time="22:48:10+07:00" level=info msg=22:48:10.194 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IamRole in IamLifecycle - time="22:48:10+07:00" level=info msg=22:48:10.639 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IotRoleAlias in IotLifecycle - time="22:48:10+07:00" level=info msg=22:48:10.837 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IotPolicy in IotLifecycle - time="22:48:11+07:00" level=info msg=22:48:11.040 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IotThingGroup in IotLifecycle - time="22:48:12+07:00" level=info msg=22:48:12.066 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IotCertificate in IotLifecycle - time="22:48:12+07:00" level=info msg=22:48:12.466 [localdeployment] [INFO] com.aws.greengrass.testing.resources.AbstractAWSResourceLifecycle - Created IotThing in IotLifecycle - time="22:48:14+07:00" level=info msg=22:48:14.966 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 5: 'my device is running Greengrass' - time="22:48:14+07:00" level=info msg=22:48:14.976 [localdeployment] [ERROR] greengrass/features/localdeployment.feature - Failed at step: 'my device is running Greengrass' - time="22:48:14+07:00" level=info msg=com.google.inject.ConfigurationException: Guice configuration errors: - time="22:48:14+07:00" level=info msg=1) [Guice/ErrorInUserCode]: Unable to method intercept: GreengrassSteps - time="22:48:14+07:00" level=info msg= while locating GreengrassSteps - time="22:48:14+07:00" level=info msg=22:48:14.990 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 9: 'I create a Greengrass deployment with components' - time="22:48:14+07:00" level=info msg=22:48:14.990 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 11: 'I deploy the Greengrass deployment configuration' - time="22:48:14+07:00" level=info msg=22:48:14.991 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 12: 'the Greengrass deployment is COMPLETED on the device after 180 seconds' - time="22:48:14+07:00" level=info msg=22:48:14.991 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 13: 'I verify greengrass-cli is available in greengrass root' - time="22:48:14+07:00" level=info msg=22:48:14.991 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 14: 'I create a local deployment with components' - time="22:48:14+07:00" level=info msg=22:48:14.991 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 16: 'the local Greengrass deployment is SUCCEEDED on the device after 120 seconds' - time="22:48:14+07:00" level=info msg=22:48:14.991 [localdeployment] [INFO] greengrass/features/localdeployment.feature - line 17: 'the aws.greengrass.LocalHelloWorld log on the device contains the line "Hello World!!" within 20 seconds' - time="22:48:16+07:00" level=info msg=22:48:16.569 [localdeployment] [INFO] com.aws.greengrass.testing.features.LoggerSteps - Clearing thread context on scenario: 'A component is deployed locally using CLI' - time="22:48:16+07:00" level=info msg=22:48:16.577 [localdeployment] [ERROR] com.aws.greengrass.testing.launcher.reporting.StepTrackingReporting - Failed: 'A component is deployed locally using CLI': Failed at 'my device is running Greengrass' - time="22:48:16+07:00" level=info msg=22:48:16.584 [] [] [INFO] com.aws.greengrass.testing.modules.AWSResourcesCleanupModule - Cleaned up com.aws.greengrass.testing.resources.iam.IamLifecycle$$EnhancerByGuice$$10441879@e128dc2 - time="22:48:23+07:00" level=error msg=Test exited unsuccessfully error=exit status # cloudcomponent: - 2022-May-04 15:37:28,499 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 9: 'I create a Greengrass deployment with components' - 2022-May-04 15:37:28,499 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 11: 'I deploy the Greengrass deployment configuration' - 2022-May-04 15:37:28,500 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 12: 'the Greengrass deployment is COMPLETED on the device after 180 seconds' - 2022-May-04 15:37:28,500 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 13: 'the com.aws.HelloWorld log on the device contains the line "Hello World!!" within 20 seconds' - 2022-May-04 15:37:28,500 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 15: 'I create a Greengrass deployment with components' - 2022-May-04 15:37:28,500 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 17: 'I deploy the Greengrass deployment configuration' - 2022-May-04 15:37:28,500 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 18: 'the Greengrass deployment is COMPLETED on the device after 180 seconds' - 2022-May-04 15:37:28,500 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] greengrass/features/cloudComponent.feature - line 19: 'the com.aws.HelloWorld log on the device contains the line "Hello World Updated!!" within 20 seconds' - 2022-May-04 15:37:31,557 [cloudComponent] [idt-b47156801aee3f29c860] [INFO] com.aws.greengrass.testing.features.LoggerSteps - Clearing thread context on scenario: 'As a developer, I can create a component in Cloud and deploy it on my device' - 2022-May-04 15:37:31,558 [cloudComponent] [idt-b47156801aee3f29c860] [ERROR] com.aws.greengrass.testing.launcher.reporting.StepTrackingReporting - Failed: 'As a developer, I can create a component in Cloud and deploy it on my device': Failed at 'my device is running Greengrass' # mqttpubsub: - 2022-May-04 15:36:55,929 [mqtt] [idt-614fb227a4f0913ba4be] [INFO] greengrass/features/mqtt.feature - line 9: 'I create a Greengrass deployment with components' - 2022-May-04 15:36:55,931 [mqtt] [idt-614fb227a4f0913ba4be] [INFO] greengrass/features/mqtt.feature - line 12: 'I deploy the Greengrass deployment configuration' - 2022-May-04 15:36:55,931 [mqtt] [idt-614fb227a4f0913ba4be] [INFO] greengrass/features/mqtt.feature - line 13: 'the Greengrass deployment is COMPLETED on the device after 180 seconds' - 2022-May-04 15:36:55,931 [mqtt] [idt-614fb227a4f0913ba4be] [INFO] greengrass/features/mqtt.feature - line 14: 'the aws.greengrass.IotMqttSubscriber log on the device contains the line "Subscribed to IoT topic idt/Mqtt/Test with QOS=AT_LEAST_ONCE" within 20 seconds' - 2022-May-04 15:36:55,931 [mqtt] [idt-614fb227a4f0913ba4be] [INFO] greengrass/features/mqtt.feature - line 15: 'the aws.greengrass.IotMqttPublisher log on the device contains the line "Published to IoT topic idt/Mqtt/Test with payload test message and qos AT_LEAST_ONCE" within 10 seconds' - 2022-May-04 15:36:58,922 [mqtt] [idt-614fb227a4f0913ba4be] [INFO] com.aws.greengrass.testing.features.LoggerSteps - Clearing thread context on scenario: 'Component publishes MQTT message to Iot core and retrieves it as well' - 2022-May-04 15:36:58,924 [mqtt] [idt-614fb227a4f0913ba4be] [ERROR] com.aws.greengrass.testing.launcher.reporting.StepTrackingReporting - Failed: 'Component publishes MQTT message to Iot core and retrieves it as well': Failed at 'my device is running Greengrass' - 2022-May-04 15:36:58,930 [] [] [INFO] com.aws.greengrass.testing.modules.AWSResourcesCleanupModule - Cleaned up com.aws.greengrass.testing.resources.s3.S3Lifecycle$$EnhancerByGuice$$11137706@7e3ca22c

I am setting own mqtt broker using aws workshop: https://catalog.us-east-1.prod.workshops.aws/workshops/5ecc2416-f956-4273-b729-d0d30556013f/en-US/chapter6-mqtt-broker/10-step1 In startup.sh script execution step getting errors: 1. not authorized to perform: iot:CreatePolicy 2. not authorized to perform: iot:CreateKeysAndCertificate User account having all below access permissions: IAMFullAccess AmazonS3FullAccess AWSIoTFullAccess AWSGreengrassFullAccess GreengrassV2TokenExchangeRoleAcess AdministratorAccess I am trying to resolve this couple of days, but not yet succeeded . It very urgent need resolve for current project

Hi All, my greengrass component needs to do additional health checks and decide to restart another component based on output. However, it does not do anything, even not an error message. What's going wrong here? I thought that gcc_user context is sufficient? When manually ran, it works. sudo /greengrass/v2/bin/greengrass-cli component restart -n com.MyComponent When ran from within an existing running GG component, no error, but also no effect?? <--- please advise /greengrass/v2/bin/greengrass-cli component restart -n com.MyComponent

We installed Greengrass v2 on several EC2s that simulate edge devices. We subscribed to telemetry data from them as explained in the docs: https://docs.aws.amazon.com/greengrass/v2/developerguide/telemetry.html. We defined a very general rule on eventBridge using the default event bus and the following event pattern : { "source": ["aws.greengrass"] } We forwarded the events to a CloudWatch log group. However, we received almost no data. We notice that every time we restart the ec2, the first MQTT message is always received, but then, after a while (2-4 days), we didn't receive the messages anymore (even if we didn't change anything in the ec2 or in the Greengrass components). In the docs, it says that the telemetry agent tries to send an MQTT message every day with QOS 0, so some misses could be expected. But since we are using EC2, we assume to have an internet connection almost all the time and we expect to receive more telemetry messages. Why is this not happening? We received the expected messages only for 2/4 days. For instance, for the core device GGv2-CoreDevice, we received telemetry data on 2022-04-21 and 2022-04-22 and we didn't receive any message on the following days. Should we expect worse performance when we will use on-premise edges? IoT Greengrass Core software version: 2.5.5

I already created post yesterday but I believe it is not visible hence asking again. We are on track to upgarde to GG V2 but before that we need to document the below cause. Your help will be highly appreciated. Have faced the following 3 issues in the past few weeks -->> My colleague stated that his deployment fails with error stating “Group definition is not valid”? I couldn't find anything in the GG troubleshooting document about the error. -->> I updated my group definition and added Lambdas to it but I don’t see that reflected on the device. Do the changes take place upon rebooting device ? is the deployment failed ? or the change made on cloud but never made to the device. -->> In the beginning I couldn't find error logs in my Green grass local machine, neither CloudWatch Thanks Community, looking forward to exploring GG. Joan.

Currently I am unable to publish data with custom own Mqtt broker to aws iot core. Whereas I am able to publish data to open MQTT server i.e broker.emqx.io. Is there any configuration need to be provide like, certification of AWS? Or access id and secrete key is enough?

When an IoT message is sent, via IPC channel (MQTT proxy), but greengrass is not connected to the internet, are the messages discarded? ``` accessControl: aws.greengrass.ipc.mqttproxy: com.savic.Telemetry:pub:0: policyDescription: Allows access to publish to telemetry topic operations: - aws.greengrass#PublishToIoTCore resources: - device/dev/telemetry/events - device/prod/telemetry/events ``` ``` try: op = ipc_client.new_publish_to_iot_core() op.activate(model.PublishToIoTCoreRequest( topic_name=TELEMETRY_TOPIC, qos=model.QOS.AT_LEAST_ONCE, payload=json.dumps(message).encode(), )) try: op.get_response().result(timeout=TIMEOUT) except: pass ``` Does GG keep them, then send them later, when there is connectivity, or is this something we have to handle in our component?

I am using IDT v4.5.3 with test suite GGV2Q_2.3.1 with Greengrass nucleus v2.5.5. When running the lambdadeployment test I am getting the following error, "Test failed with error: failed to validate lambda publish: timed out". Any suggestions for debugging this issue?

Have faced the following 3 issues in the past few weeks -->> My colleague stated that his deployment fails with error stating “Group definition is not valid”? I couldn't find anything in the GG troubleshooting document about the error. -->> I updated my group definition and added Lambdas to it but I don’t see that reflected on the device. Do the changes take place upon rebooting device ? is the deployment failed ? or the change made on cloud but never made to the device. -->> In the beginning I couldn't find error logs in my Green grass local machine, neither CloudWatch Thanks Community, looking forward to exploring GG. Joan.

I have a top-level component that I call `com.mycompany.Dependencies`. This component houses our in-house SDK built in Python. Our GG components that are built in Python, use that as a dependency, as defined below: ``` ComponentDependencies: com.mycompany.Dependencies: VersionRequirement: "1.0.25" DependencyType: HARD ``` We have about 3 components that are currently using the `com.mycompany.Dependencies` as a dependency. When we update the Dependencies lib (i.e. add new features to the core SDK lib, we naturally `build` and `publish`, which will create an incremental version. i.e. `1.0.26`. Is there a way that, when the new Dependencies version has been published, for all of the components to automatically download the new lib, such that we don't have to increment the `VersionRequirement` every time there is a new version? so, it would be something along the lines of (note `latest`): ``` ComponentDependencies: com.mycompany.Dependencies: VersionRequirement: "latest" DependencyType: HARD ``` I have tried with `latest` but I don't think it worked. This way, the GG runtime would pick up that there is a `latest` version of `Dependencies` and pull it onto the device, install it, and restart the components. Is this the right way to do it? What would you suggest if this is not possible, or an alternative way?

I am attempting to update a thing shadow when a deployment completes with the components & versions that are installed on the device. The way it's set up now is: 1. An IoT rule that subscribes to `SELECT * FROM '$aws/events/jobExecution/+/succeeded'` and sends the message to a Lambda 2. The Lambda takes the event, calls the `listInstalledComponents` api from the Greengrass sdk, then calls the `updateThingShadow` with the components. However when the Lambda runs, the installed components that get updated in the shadow are not updated with the latest components. It's almost like the Lambda is run before the component listing is updated. I can see that the component listing in the AWS console updated as soon as the deployment is finished. I'm wondering if there's a better topic to watch, or if there's some other way to do what I need. Any guidance would be appreciated.

I have a few greengrass (docker) components that listen to IPC local topics. I now want to test to see if they are actually responding to messages on the local topics so i've written a `greengrass_pub` application (similar to `mosquitto_pub`) so i can call: `greengrass_pub --topic "local/topic" --payload "{ \"do_some\" : \"stuff\" } " ` to check if the other components pick this up. I have also installed this greengrass_pub application in the docker image, so i should be able to start up another docker image. Can i startup a docker image to run under the greengrass credentials so I have access to IPC in an interactive way **AND** have a command prompt where I can try different calls ? How could I start this up ? ( like a docker interactive (-it) session ? ) note: this is only for development as a tool to check.(i have the greengrass cli installed)

everybody, my system uses **cgroup2**. Greengrass only use **CGroup**. What should I do to make Greengrass run on my system? In other words, Greengrass only supports CGroup, not cgroup2? **My raspberry4B version:** ``` pi@raspberrypi:/greengrass/ggc $ uname -a Linux raspberrypi 5.10.92-v8+ #1514 SMP PREEMPT Mon Jan 17 17:39:38 GMT 2022 aarch64 GNU/Linux ``` **My cgroup like this:** ``` pi@raspberrypi:/greengrass/ggc $ mount | grep cgroup cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot) ``` **greeengrass error starting:** ``` pi@raspberrypi:/greengrass/ggc/core $ sudo ./greengrassd start Waiting Stopped greengrass daemon, exiting with success Setting up greengrass daemon Validating hardlink/softlink protection Waiting for up to 1m10s for Daemon to start Greengrass daemon running with PID: 1191. Some system components failed to start. Check 'runtime.log' for errors ``` **check with tool[greengrass-dependency-checker-GGCv1.11.x]:** ``` Missing required dependencies: 1. It looks like the cgroups directory is not mounted on the device. Refer to the official Greengrass documentation to fix this. ```

Hello, I have developed a Greengrass Java component which I have deployed to a Greengrass Core device. This component is built with the AWS IoT Java SDK and it makes communication between the device shadow of the Greengrass Core device and the Greengrass Core device itself. All communication is via MQTT. This component also enables a mobile app sending `desired` state to the device shadow which is received in the Greengrass Core device. At the moment, I authenticate the component's use of the AWS IoT Java SDK by just using the access key and the secret key like this: ` this.awsClient = new AWSIotMqttClient(clientEndpoint, id, "access_key", "secret_key");` Now, I am aware this is not a best practise and I need to change that and here is my question. I did check the AWS documentation but it seems a bit overwhelming to me regarding authentication in my specific case so I wonder if you can help me out and direct me in what approach I should use here? Thank you in advance.

I'm trying to configure a Greengrass Lambda to accept a binary encoding with the goal of sending a compressed JSON payload. My Lambda configuration looks something like: ``` "componentLambdaParameters": { "inputPayloadEncodingType": "binary", "eventSources": [ { "topic": "my/topic", "type": "IOT_CORE" } ], "linuxProcessParams": { "isolationMode": "NoContainer" }, "pinned": false } ``` I'm using Python/Boto3 to send the messages, and the topic publish looks something like: ``` client = boto3.client("iot-data") payload = gzip.compress(json.dumps({"large": "message"}).encode()) client.publish(topic="my/topic", qos=1, retain=True, payload=payload) ``` I get the following error from the Greengrass Lambda: ``` lambda_runtime.py:183,Cannot parse given invoke payload as JSON: b'my contents' ``` I can send the same message without compressing it (e.g. `payload = json.dumps({"large": "message"}).encode()`), and the Lambda succeeds. That suggests to me that `"inputPayloadEncodingType": "binary"` setting only works if the payload is encoded JSON, but that seems to defeat the purpose of using the binary payload option to send something other than JSON. I'm using the Python 3.8 Lambda runtime with following component versions: ``` "aws.greengrass.LambdaLauncher": { "componentVersion": "2.0.10" }, "aws.greengrass.LambdaManager": { "componentVersion": "2.2.2" }, "aws.greengrass.LambdaRuntimes": { "componentVersion": "2.0.8" }, "aws.greengrass.Nucleus": { "componentVersion": "2.5.5", }, ``` Is there something I might be doing wrong here or any other guidance on accepting a compressed payload? Thanks!

I have a device "Device1" in group A, and there is a deployment in place for that group. Now, I would like to move Device1 to group B, for which there is a different deployment. I removed the device from group A, but the deployment is still running. How can I stop the deployment of group A for this specific device, and remove the components ?

Hello We are using Greengrass v2 with the Sagemaker component in order to do inference on the edge. The following error is seen intermettently while running our application. Could you please advise of anything we can do to avoid it? File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 946, in __call__ return _end_unary_response_blocking(state, call, False, None) File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNAVAILABLE details = "Socket closed" debug_error_string = "{"created":"@1650459124.460491853","description":"Error received from peer unix:/tmp/aws.greengrass.SageMakerEdgeManager.sock","file":"src/core/lib/surface/call.cc","file_line":906,"grpc_message":"Socket closed","grpc_status":14}"

Hello, When using Greengrass v2 with Sagemaker component the intermittent error below is seen when the device powers off and on. Could you please advise what could be the possible errors? eturn self.client.ListModels(agent_pb2.ListModelsRequest()) File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 923, in call return _end_unary_response_blocking(state, call, False, None) File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 826, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNAVAILABLE details = "failed to connect to all addresses" debug_error_string = "{"created":"@1650457997.824138381","description":"Failed to pick subchannel","file":"src/core/ext/filters/client_channel/client_channel.cc","file_line":4143,"referenced_errors":[{"created":"@1650457988.031111729","description":"failed to connect to all addresses","file":"src/core/ext/filters/client_channel/lb_policy/pick_first/pick_first.cc","file_line":398,"grpc_status":14}]}"

I'm trying to reset my v1 AWS Deeplense using the instructions given in the AWS documentation. But, when I restart my device using BIOS setting I'm getting following error: "can't read CTR while initializing i8042" and then I'm routed to initramfs prompt. I tried multiple things to resolve this error: 1. I tried changing changing my pen drive 2. I tried executing steps via both Ubuntu and windows machines 3. I also tried formatting my USB stick in multiple ways 4. I tried exiting a couple of times on initramfs prompt But, none of these steps work. I don't understand why this is happening. Can you please help me reset my device to factory setting?

Hello, We are using GreenGrass v2 and would like to have logs pushed as frequently as possible. We understand the limitation for certain components (eg telemetry) but our application logs should be sent as near real time as we can. Currently, regardless of the configurations set our logs are only sent intermittently to CloudWatch. Logs are seen every few hours or even few days. Could anyone please help us understand whats happening? We are using the following configuration: ``` 'aws.greengrass.Nucleus': { componentVersion: '2.4.0', configurationUpdate: { merge: `{ "logging" : { "level" : "DEBUG", "format" : "JSON" } }`, }, }, 'aws.greengrass.LogManager': { componentVersion: '2.2.1', configurationUpdate: { merge: `{ "logsUploaderConfiguration": { "systemLogsConfiguration": { "uploadToCloudWatch": "true", "minimumLogLevel": "DEBUG", "diskSpaceLimit": "2", "diskSpaceLimitUnit": "KB", "deleteLogFileAfterCloudUpload": "true" }, "componentLogsConfigurationMap": { "com.component1": { "minimumLogLevel": "DEBUG", "diskSpaceLimit": "2", "logFileDirectoryPath": "/greengrass/v2/logs/", "logFileRegex": "com.component1\\\\w*.log", "diskSpaceLimitUnit": "KB", "deleteLogFileAfterCloudUpload": "true" }, "com.component2": { "minimumLogLevel": "DEBUG", "diskSpaceLimit": "2", "logFileDirectoryPath": "/greengrass/v2/logs/", "logFileRegex": "com.component2\\\\w*.log", "diskSpaceLimitUnit": "KB", "deleteLogFileAfterCloudUpload": "true" }, "aws.greengrass.SageMakerEdgeManager": { "minimumLogLevel": "DEBUG", "logFileDirectoryPath": "/greengrass/v2/logs/", "logFileRegex": "aws.greengrass.SageMakerEdgeManager\\\\w*.log", "diskSpaceLimit": "2", "diskSpaceLimitUnit": "KB", "deleteLogFileAfterCloudUpload": "true" }, "aws.greengrass.SecureTunneling": { "minimumLogLevel": "DEBUG", "logFileDirectoryPath": "/greengrass/v2/logs/", "logFileRegex": "aws.greengrass.SecureTunneling\\\\w*.log", "diskSpaceLimit": "2", "diskSpaceLimitUnit": "KB", "deleteLogFileAfterCloudUpload": "true" } } }, "periodicUploadIntervalSec": "10" }`, }, }, ```

I have multiple device to which my component is deployed to. I added a new device "my-device15", but the component was not properly started on it. I SSH'd into the device and fixed the problem. Can I retry the deployment only on this device without revising the deployment (since that would impact all the other device)?

I'd like to use a device's Thing name in the MQTT topic subscription for a Greengrass Lambda, e.g.: ``` { "topic": "hello/${AWS_IOT_THING_NAME}", "type": "IOT_CORE" } ``` This question was asked a year ago and the guidance was that this sort of configuration was not possible at that time, and instead one might setup the subscription manually within a pinned Lambda or custom component: https://repost.aws/questions/QU5dTq6p3mTsyT5dFPMtWvGA/v-2-use-thing-name-in-mqtt-topic-for-triggering-lambda Is that still the case today? Alternatively, would it be possible to use the configuration merge feature to modify the Lambda subscription to a device-specific topic after deployment or some other simple workaround? Apologies for the duplicate question if indeed the guidance is still the same as before!

Hi, For audit trail/security purposes we would like to store a log of AWS IoT Secure Tunnel instances, including dates, durations, etc. If possible, even the originating IP address. What would be the easiest way to log IoT Secure Tunnel instances in Cloudwatch ? I can see that tunnels are displayed in the IoT dash, but these disappear if the tunnel is deleted. Current setup: - Secure Tunnel Component deployed via Greengrass - Using the provided docker-run.sh / localproxy cli method to connect - If we wish to close tunnels before timeout we are using the "close/delete" tunnel method via the AWS dash

Hi, Please provide the tutorials in greengrass v2 document related to publishing the messages to IoT core from an imported lambda using greengrass v2.

I am trying to use lambdas on greengrass v2. I created and packaged the hello world lambda from the greengrass tutorial and deployed it to the core but it continues to error out. It doesnt seem to run to completion, or the lambda isnt getting called correctly and the core reports it as timed out. This is the stacktrace. How do I get this lambda to work in greeengrass v2? com.aws.greengrass.lambdamanager.StatusTimeoutException: Lambda status not received within timeout at com.aws.greengrass.lambdamanager.Lambda.lambda$createInstanceKeepAliveTask$5(Lambda.java:282) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539) at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) at java.base/java.lang.Thread.run(Thread.java:833) aws.greengrass.LambdaManager 2.2.2 using Python Python 3.7 With the following hello world lambda ``` import json import awsiot.greengrasscoreipc import awsiot.greengrasscoreipc.client as client from awsiot.greengrasscoreipc.model import ( QOS, PublishToIoTCoreRequest ) TIMEOUT = 10 ipc_client = awsiot.greengrasscoreipc.connect() def greengrass_hello_world_run(): topic = "my/topic" message = "Hello, World" qos = QOS.AT_LEAST_ONCE request = PublishToIoTCoreRequest() request.topic_name = topic request.payload = bytes(message, "utf-8") request.qos = qos operation = ipc_client.new_publish_to_iot_core() operation.activate(request) future = operation.get_response() future.result(TIMEOUT) Timer(5, greengrass_hello_world_run).start() greengrass_hello_world_run() def lambda_handler(event, context): return ```

Hello All, First question: I'm trying to setup AWS IoT Greengrass V2 with a VPC Endpoint. I have setup the VPC Endpoint in a private subnet, however, when GG deployments occur i see errors in Greengrass logs as below, **greengras-ats**.ap-northeast-2.amazonaws.com:8443. Caused by: org.apache.http.conn.HttpHostConnectException: Connect to greengrass-ats.iot.ap-northeast-2.amazonaws.com:8443 The VPC Endpoint has the following DNS names, * greengrass.ap-northeast-2.amazonaws.com (**no ats**) * 3 DNS entries starting with vpce... Please can you provide or point me to a definitive guide on how VPC endpoints needs to setup for Greengrass V2 - https://docs.aws.amazon.com/greengrass/v2/developerguide/vpc-interface-endpoints.html , but this is not helping much. I also observed that the port 443 is able to be reached via the VPC Endpoint, but not 8443 for some reason. i have tried creating a Private Hosted zone on Route 53, it works, however the port 8443 problem still exists. Second question: is there a way to configure nucleus to port GreengrassDataPlanePort 443, when installing the GG V2, what are the steps? Thank you.

Hello, I recently onboarded one of 30 rpi's which acts like a streaming device using KVS ont aws iot Greengrass v2. I have tried with custom components and deploying them and all works fine but when i create a custom job like Amazon managed templates for rebooting the device, the greengrass is not recieving anything and the job stays in Queued State forever. I am trying to post a Snapshot type job. Any help is appreciated.

Hi, I am working on a greengrass V2 project that uses CDK to automate the deployment. Everything is working up to now. However, I would like to use the public shadow manager greengrass v2 component in the deployment. From the console, I can manually add the aws.greengrass.ShadowManager to the deployment. However, I would like to add this component programmatically using CDK. I copied the component recipe for the shadow manager and it shows that the URI is for example. I used this Uri in my CDK typescript template. ``` "Uri": "greengrass:n6*7r*yO*c9*QK*kN*77**G-G*H*bb*08*V*X50_k=/aws.greengrass.ShadowManager.jar" ``` but when I generate and deploy it using CDK I get an error: ``` Invalid Input: Encountered following errors in Artifacts: {greengrass:greengrass:n6*7r*yO*c9*QK*kN*77**G-G*H*bb*08*V*X50_k=/aws.greengrass.ShadowManager.jar = URI format does not meet the S3 URI requirements} ``` Do I need to copy the ShadowManager.jar to my S3 bucket and if so where can I download the ShadowManager.jar file from? I cant seem find any information on how I can deploy a public component such as the aws.greengrass.ShadowManager using CDK. I have been following this guide but this doesnt show how to deploy public components using CDK: https://github.com/aws-samples/aws-iot-greengrass-v2-using-aws-cdk Is there a good guide on deploying greengrass v2 public components using CDK? Could anyone be able to provide some guidance? Many thanks Oide

Is there a way to deploy a component with different configuration for each device group or tag ? We have different kind of device that should have slightly different component behavior. For instance, a device A may not want to use sensor X. Is there a way to have a deployment that deploys to all my devices, but has a configuration parameter specifically for device A ? I could implement htat using an API call ListTagsForResource but that would happen too late in my workflow. I could also have two different deployments with different config, but then I have no guarantee that all my device are running the same component version, plus the logic would now be replicated in two deployments. Edit: There seems to be a way to achieve it by setting "platformOverride" to the nucleus component, altough I am not sure how that would be done

Hello, there was a problem connecting the Greengrass Lambda function https://docs.aws.amazon.com/ko_kr/greengrass/v1/developerguide/configs-core.html This is the tutorial I was working on, but there was a problem when distributing the lambda function in the last stage. Deployment failed. And error message is Deployment 42c9ea0c-ac1d-44ce-bcbd-b7e7ca7d0163 of type NewDeployment for group 1e3d2692-8e85-499c-9f70-316a51233e3b failed error: The following cgroup subsystems are not mounted: devices, memory. How can i fix this?

We have a component that starts multiple container on our greengrass device using docker-compose. According to [the documentation](https://docs.aws.amazon.com/greengrass/v2/developerguide/run-docker-container.html), the correct way to provide the private docker images from ECR is to supply them as artefact: "URI": "docker:public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest" One important aspect of our project is that we can reuse layers of our images. We have limited bandwidth on our devices and images can be big (i.e. PyTorch). If we have modification to do to our images, usually only the last small layer will be updated over the limited bandwidth network. I am worried when we are using images as artifacts, the whole image is going to be re-downloaded. Is that the case ? I currently have a workaround of using the "install" lifecycle step to execute "docker-compose pull" and removing the artifacts, but that has the issue of being run on reboot, while I would rather only have it update the images when there is a new deployment.

Trying to use provision by claim and provisioning hook to admit the device. The provisioning hook output will return a formatted thingName rather than the name passed into the provisioning hook, >const requestedThingName = input.parameters.ThingName; > >.... > const output = { allowProvisioning: True, parameterOverrides: { ThingName: newThingName, }, this works, but on the device side, after iot mqtt session successfully established, in /greengrass/v2/config/effectiveConfig.yaml, the file looks like this: >system: > >certificateFilePath: "" > >privateKeyPath: "" > rootCaPath: "" > rootpath: "/greengrass/v2" > >thingName: "" > >services: > >aws.greengrass.FleetProvisioningByClaim: > >configuration: I would expect, updated thingName is there under thingName key. I can only see the newThingName in config.tlog: {"TS":1649181903995,"TP":["setenv","AWS_IOT_THING_NAME"],"W":"changed","V":"newThingName"} I think effectiveConfig.yaml should be updated.

Hi there, I am trying to write meta data to a file and upload it to s3 here is what i have. I am not sure what is the correct format for the user_metadata ``` class MediaMeta(BaseModel): data:str s3_export_task_definition = S3ExportTaskDefinition(input_url=self.src_file_path, bucket=self.bucket_name, key=self.key_to_file, user_metadata=meta_data.dict()) ``` thanks for your help

I try and connect from a client device over localMQTT to the broker on the greengrass core. However, when I connect, I get this error on the awsiotsdk side. I ran an almost identical script to this a couple months ago and I don't think it had the same problems. ``` Traceback (most recent call last): File "client_v2.py", line 76, in <module> connect_future.result() File "/Users/username/.pyenv/versions/3.8.11/lib/python3.8/concurrent/futures/_base.py", line 444, in result return self.__get_result() File "/Users/username/.pyenv/versions/3.8.11/lib/python3.8/concurrent/futures/_base.py", line 389, in __get_result raise self._exception awscrt.exceptions.AwsCrtError: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed ``` On the Core side, I have just the Moquette broker and the bridge and a component that subscribes to the messages coming off of LocalMqtt and through the bridge. This is the message in greengrass.log ``` 2022-04-05T07:00:56.397Z [ERROR] (nioEventLoopGroup-7-10) io.moquette.broker.NewNettyMQTTHandler: Unexpected exception while processing MQTT message. Closing Netty channel. CId=null. {} io.netty.handler.codec.DecoderException: javax.net.ssl.SSLProtocolException: Received close_notify during handshake at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:478) at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) at io.moquette.broker.metrics.BytesMetricsHandler.channelRead(BytesMetricsHandler.java:51) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719) at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655) at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: javax.net.ssl.SSLProtocolException: Received close_notify during handshake at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129) at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:339) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:295) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:286) at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:250) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:185) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681) at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636) at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1387) at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1282) at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1329) at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508) at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447) ... 25 more 2022-04-05T07:00:56.399Z [INFO] (nioEventLoopGroup-7-10) io.moquette.broker.metrics.MQTTMessageLogger: Channel Inactive. {} ``` I'm using the mqtt_connection_builder.mtls_from_path function to create my connection setup between the client and the core, but obviously during the connect function itself it breaks because of the TLS handshake.

I am trying out GreenGrass v2 to see if it would fit our need to deploy our stack using docker-compose to our IoT devices. I have followed the steps [here](https://docs.aws.amazon.com/greengrass/v2/developerguide/run-docker-container.html) and setup a device with a deployment (i.e. 1.0.1). I am not exactly clear how components interact with docker-compose, it seems that even when I stop a container manually, it will reset on reboot. That is not a problem, but it also looks like when I publish a new deployment (i.e. 1.0.2), I still have containers from 1.0.1 still running, which ends up throwing errors because they are trying to access the same ressource. What is the correct approach to stop the docker-compose stack when I deploy a new update ?

Hi there, I have tried ``` RecipeFormatVersion: '2020-01-25' ComponentName: "{COMPONENT_NAME}" ComponentVersion: "{COMPONENT_VERSION}" ComponentDescription: '' ComponentPublisher: "{COMPONENT_AUTHOR}" ComponentConfiguration: DefaultConfiguration: secretArn: 'no_secret' Manifests: - Platform: os: linux Artifacts: - URI: s3://BUCKET_NAME/COMPONENT_NAME/COMPONENT_VERSION/secret_loader.zip Unarchive: ZIP Lifecycle: Setenv: SECRET_ARN={configuration:/secretArn} Install: python3 -m pip install --user -r {artifacts:decompressedPath}/secret_loader/requirements.txt Run: | export SECRET_ARN={configuration:/secretArn} python3 -u {artifacts:decompressedPath}/secret_loader/main.py ``` but still the component cant get the variable: `SECRET_ARN=os.getenv('SECRET_ARN')`

Hi. I have created a Greengrass fleet deployment workflow for my devices which works great - cloud resources are provisioned, claim certs are used to obtain device individual certs, and device gets connected. However in production environment the scenario will be different: 1. An IoT device is installed by an engineer in a newly built home, with no occupiers and no internet connection. 2. The Greengrass is ready to claim device certs and connect as soon as the device is powered up. 3. The device then is powered up by the installing engineer, meaning the Greengrass fleet provisioning plugin will try to do its job, but there is no internet connection, so it will fail. 4. The engineer will leave the device on, and it will be permanently on since now on. 5. The occupiers will move in some time later and install their broadband router, the Internet is now available. At this point, from my tests, I noticed the Greengrass/provisioning plugin won't detect Internet connection and won't try to register the device/obtain certs - meaning there is no retry functionality implemented. I understand that the device can be rebooted or Greengrass service restarted to initialize new registration attempt, however - if possible I'd like to avoid occupiers fiddling with the device, and prefer the device to the retry automatically. I also understand that I can write a software that will be automatically cyclically restarting the Greengrass service if the previous registration attempt failed (probably by checking if the thingCert.crt is present) but before I'll spend my time on coding, **the question is**: Is it possible to configure Greengrass to retry delayed provisioning using claim certificates if previous attempt has failed? Appreciate any help.

Hi there I have some problem with stream manager in ggv1, I can fix this after I reboot the device. However I dont think this is a good solution. Do you have any suggestion where I can look into ``` [2022-04-01T09:19:31.876+11:00][INFO]-imageCamera.py:108,>>> Get frame atm hour:9 - sleep_time:11 s [2022-04-01T09:19:31.876+11:00][INFO]-imageCamera.py:112,>>> Frame size from rtsp: (720, 1280, 3) [2022-04-01T09:19:31.889+11:00][INFO]-imageCamera.py:119,>>> Resized farme: (720, 1280, 3) [2022-04-01T09:19:32.002+11:00][INFO]-imageCamera.py:144, >>>>> realite-data-image Sleep time: 60 - payload size: 189004 [2022-04-01T09:19:32.002+11:00][INFO]-Response: 1065 [2022-04-01T09:19:39.336+11:00][INFO]-lambda_runtime.py:366,Caught signal 15. Stopping runtime. [2022-04-01T09:20:22.061+11:00][INFO]-imageCamera.py:173,>> Getting hub config ... [2022-04-01T09:20:22.064+11:00][INFO]-ipc_client.py:167,Posting work for function [:function:secret_loader] to http://localhost:8000/2016-11-01/functions/arn:aws:lambfunction:secret_loader [2022-04-01T09:20:22.078+11:00][INFO]-ipc_client.py:177,Work posted with invocation id [14ce6b2c-add7-4dc0-452d-be84d2700e4e] [2022-04-01T09:20:22.078+11:00][INFO]-ipc_client.py:290,Getting work result for invocation id [14ce6b2c-add7-4dc0-452d-be84d2700e4e] from http://localhost:8000/2016-11-01/functions/arn:aws:lambda:ap:function:secret_loader [2022-04-01T09:20:26.32+11:00][INFO]-ipc_client.py:298,Got result for invocation id [14ce6b2c-add7-4dc0-452d-be84d2700e4e] [2022-04-01T09:20:26.321+11:00][INFO]-imageCamera.py:175,>> Done ... [2022-04-01T09:20:26.321+11:00][INFO]-imageCamera.py:180,Setup tranfer stream [2022-04-01T09:20:26.628+11:00][INFO]-imageCamera.py:151, >>> Stream list: ['kstream1'] [2022-04-01T09:20:27.291+11:00][ERROR]-imageCamera.py:209, >>>>> Exception while running: Broken bit parity [2022-04-01T09:20:27.291+11:00][ERROR]-Traceback (most recent call last): [2022-04-01T09:20:27.291+11:00][ERROR]- File "/greengrass/ggc/deployment/lambda/.imageCamera.14/imageCamera.py", line 182, in main [2022-04-01T09:20:27.291+11:00][ERROR]- stream_client=setup_data_stream(stream_name,kinesis_stream_name) [2022-04-01T09:20:27.291+11:00][ERROR]- File "/greengrass/ggc/deployment/lambda/.function.imageCamera.14/imageCamera.py", line 154, in setup_data_stream [2022-04-01T09:20:27.291+11:00][ERROR]- client.delete_message_stream(stream_name=stream_name) [2022-04-01T09:20:27.291+11:00][ERROR]- File "/greengrass/ggc/deployment/lambda/arn.aws.lambda.ap-southeast-Camera.14/greengrasssdk/stream_manager/streammanagerclient.py", line 448, in delete_message_stream [2022-04-01T09:20:27.291+11:00][ERROR]- return Util.sync(self._delete_message_stream(stream_name), loop=self.__loop) [2022-04-01T09:20:27.291+11:00][ERROR]- File "/greengrass/ggc/deployment/lambda/.function.imageCamera.14/greengrasssdk/stream_manager/util.py", line 28, in sync [2022-04-01T09:20:27.291+11:00][ERROR]- return asyncio.run_coroutine_threadsafe(coro, loop=loop).result() [2022-04-01T09:20:27.291+11:00][ERROR]- File "/usr/lib/python3.7/concurrent/futures/_base.py", line 432, in result [2022-04-01T09:20:27.291+11:00][ERROR]- return self.__get_result() [2022-04-01T09:20:27.291+11:00][ERROR]- File "/usr/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result [2022-04-01T09:20:27.291+11:00][ERROR]- raise self._exception [2022-04-01T09:20:27.291+11:00][ERROR]- File "/greengrass/ggc/deployment/lambda/arn.aws.lambda.ap-southeast-2era.14/greengrasssdk/stream_manager/streammanagerclient.py", line 352, in _delete_message_stream [2022-04-01T09:20:27.291+11:00][ERROR]- Util.raise_on_error_response(delete_stream_response) [2022-04-01T09:20:27.291+11:00][ERROR]- File "/greengrass/ggc/deployment/lambda/ar.imageCamera.14/greengrasssdk/stream_manager/util.py", line 148, in raise_on_error_response [2022-04-01T09:20:27.291+11:00][ERROR]- raise UnknownFailureException(response.error_message, response.status, response.request_id) [2022-04-01T09:20:27.291+11:00][INFO]-imageCamera.py:210,>>> restart module after 10s ```

Hi AWS community: I'm using AWS GreenGrass device shadow service to store some data, I'm interested in version history of device shadow so I could inspect data change over time, does device shadow service support such thing out of box? An alternative I'm exploring is finding out if device shadow supports any triggers so I can call lambda to record current device shadow document. (however I haven't found any documentations about this). Any advices are appreciated. Thank you

Hi there, I am just wondering is there a way that I can reuse my code between the component, kind of like lambda layer eg: ``` foo -- src ---- send_mqtt foo2 -- src ---- send_mqtt ``` So how can i use request the send_mqtt ? Thanks for your help

Hi there, I try to test my component locally, I have this AWS_ERROR_SUCCESS, what is this error btw ? ``` sudo /greengrass/v2/bin/greengrass-cli deployment create --recipeDir ~/Desktop/ms5/greengrass-build/recipes --artifactDir ~/Desktop/ms5/greengrass-build/artifacts --merge ms5=1.0.0 Mar 30, 2022 4:41:56 PM software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection$1 onConnectionSetup INFO: Socket connection /greengrass/v2/ipc.socket:8033 to server result [AWS_ERROR_SUCCESS] Mar 30, 2022 4:41:56 PM software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection$1 onProtocolMessage INFO: Connection established with event stream RPC server Local deployment submitted! Deployment Id: 7a45ceaf-8a5b-4c80-9c7e-cf74f4a35344 ``` ``` sudo /greengrass/v2/bin/greengrass-cli deployment status -i 7a45ceaf-8a5b-4c80-9c7e-cf74f4a35344 Mar 30, 2022 4:42:48 PM software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection$1 onConnectionSetup INFO: Socket connection /greengrass/v2/ipc.socket:8033 to server result [AWS_ERROR_SUCCESS] Mar 30, 2022 4:42:48 PM software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection$1 onProtocolMessage INFO: Connection established with event stream RPC server 7a45ceaf-8a5b-4c80-9c7e-cf74f4a35344: FAILED ```

I'm considering to monitor the connection status of all Greengrass core and client devices from the Fleet Hub. When interacting with local client devices, Fleet indexing never updates the connection state of the client device. I ran the sample Greengrass discovery application from the "Connect and test client devices" tutorial (https://docs.aws.amazon.com/greengrass/v2/developerguide/client-devices-tutorial.html). I was able to subscribe messages from client device by using MQTT test client, but connection status has been never updated. The connection state was updated when publishing directly to an IoT Core service endpoint from the client device. Can MQTT bridge component relay lifecycle events?

Here is my issue. I have fleet provisioning working good, and I have a deployment that goes to the devices in the group associated with the fleet provisioning. Everything is working fine. When I reset a device, it goes to the provisioning steps again, create a new key/certificate and reconnect to the things with the same name. Great, this way no shadow information is lost. The problem is, after provisioning again, the deployment is not pushed to the re-provisioned device, as if decision to deploy was made based on info on the cloud rather than the local device. How can I make sure that the deployment is pushed to a re-provisioned device? TIA

I'm following these Youtube tutorials: 1. https://www.youtube.com/watch?v=hAZ-nlAaSvw&ab_channel=Michael 2. https://www.youtube.com/watch?v=hAZ-nlAaSvw&ab_channel=Michael I was able to successfully deploy a component that printed "hello world!" based on the first YouTube tutorial. I had no problems reading from the s3 bucket. I'm now deploying a new component version in the second tutorial. I have the following recipe: ``` --- RecipeFormatVersion: '2020-01-25' ComponentName: com.example.HelloWorld ComponentVersion: '1.1.0' ComponentDescription: My first AWS IoT Greengrass component. ComponentPublisher: Me ComponentConfiguration: DefaultConfiguration: {} Manifests: - Platform: os: linux Lifecycle: Run: PYTHONPATH="{artifacts:decompressedPath)/helloWorld/dependencies" python3 -u {artifacts:decompressedPath}/helloWorld/hello_world.py Artifacts: - URI: s3://greengrass-tutorial/com.example.HelloWorld/1.1.0/helloWorld.zip Unarchive: ZIP ``` I have uploaded my helloWorld.zip to the greengrass-tutorial s3 bucket using the aws cli: ``` aws s3 cp ./helloWorld.zip s3://greengrass-tutorial/com.example.HelloWorld/1.1.0/helloWorld.zip ``` the helloWorld.zip contains hello_world.py and a dependencies folder. When I click "Create version" I get the following error message: Invalid Input: Encountered following errors in Artifacts: {s3://greengrass-tutorial/com.example.HelloWorld/1.1.0/helloWorld.zip = Specified artifact resource cannot be accessed} Would anyone be able to help me?

Hi there, How can i set up the EventBridge so that it can catch the ggv2 deployment status events and trigger a lambda.

Hi there I tried to deploy a component to a new provisioned device, however i encounter this error com.aws.greengrass.deployment.DeploymentConfigMerger: merge-config. merge-config-service BROKEN here is part of the logs ``` 2022-03-20T23:26:34.797Z [INFO] (pool-2-thread-6) com.aws.greengrass.componentmanager.ComponentManager: Found running component which meets the requirement and use it.. {ComponentIdentifier=rtt.ancillary-v1.0.1} 2022-03-20T23:26:34.798Z [INFO] (pool-2-thread-6) com.aws.greengrass.componentmanager.ComponentManager: Found the best local candidate that satisfies the requirement.. {LocalCandidateId=rtt.ancillary-v1.0.1} 2022-03-20T23:26:35.377Z [INFO] (pool-2-thread-6) com.aws.greengrass.componentmanager.ComponentManager: resolve-component-version-end. Resolved component version.. {ResolvedComponent=rtt.ancillary-v1.0.1} 2022-03-20T23:26:35.409Z [INFO] (pool-2-thread-6) com.aws.greengrass.componentmanager.DependencyResolver: resolve-group-dependencies-finish. Finish resolving group dependencies. {resolvedComponents={rtt.ancillary=ComponentMetadata(componentIdentifier=rtt.ancillary-v1.0.1, dependencies={})}, componentToVersionRequirements={rtt.ancillary={thing/test123==1.0.1}}} 2022-03-20T23:26:35.439Z [INFO] (pool-2-thread-6) com.aws.greengrass.componentmanager.ComponentManager: prepare-package-start. {packageIdentifier=rtt.ancillary-v1.0.1} 2022-03-20T23:26:35.502Z [INFO] (pool-2-thread-5) com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: register-service-update-action. {action=0-071b-439e-9e57-303d24e2748f, serviceName=UpdateSystemPolicyService, currentState=RUNNING} 2022-03-20T23:26:35.508Z [INFO] (pool-2-thread-6) com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService: service-update-start. {serviceName=UpdateSystemPolicyService, currentState=RUNNING} 2022-03-20T23:26:35.513Z [INFO] (pool-2-thread-6) com.aws.greengrass.deployment.DeploymentConfigMerger: merge-config. Applying deployment changes, deployment cannot be cancelled now. {deployment=07e027a5-071b-439e-9e57-303d24e2748f} 2022-03-20T23:26:35.514Z [INFO] (pool-2-thread-6) com.aws.greengrass.deployment.DeploymentDirectoryManager: Persist configuration snapshot. {file=/greengrass/v2/deployments/07e027a5-071b-439e-9e57-303d24e2748f/rollback_snapshot.tlog} 2022-03-20T23:26:35.574Z [INFO] (main-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=main, currentState=FINISHED, newState=INSTALLED} 2022-03-20T23:26:35.587Z [INFO] (Serialized listener processor) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-config-change. Requesting restart for component. {configNode=services.main.lifecycle, serviceName=main, currentState=INSTALLED} 2022-03-20T23:26:35.804Z [ERROR] (pool-2-thread-14) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-errored. {reason=Script errored in install, serviceName=rtt.ancillary, currentState=NEW} 2022-03-20T23:26:35.806Z [INFO] (rtt.ancillary-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=rtt.ancillary, currentState=NEW, newState=ERRORED} 2022-03-20T23:26:35.807Z [INFO] (rtt.ancillary-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=rtt.ancillary, currentState=ERRORED, newState=NEW} 2022-03-20T23:26:35.905Z [ERROR] (pool-2-thread-14) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-errored. {reason=Script errored in install, serviceName=rtt.ancillary, currentState=NEW} 2022-03-20T23:26:35.905Z [INFO] (rtt.ancillary-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=rtt.ancillary, currentState=NEW, newState=ERRORED} 2022-03-20T23:26:35.906Z [INFO] (rtt.ancillary-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=rtt.ancillary, currentState=ERRORED, newState=NEW} 2022-03-20T23:26:35.996Z [ERROR] (pool-2-thread-14) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-errored. {reason=Script errored in install, serviceName=rtt.ancillary, currentState=NEW} 2022-03-20T23:26:35.997Z [INFO] (rtt.ancillary-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-set-state. {serviceName=rtt.ancillary, currentState=NEW, newState=BROKEN} 2022-03-20T23:26:35.997Z [ERROR] (rtt.ancillary-lifecycle) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-broken. service is broken. Deployment is needed. {serviceName=rtt.ancillary, currentState=BROKEN} 2022-03-20T23:26:36.701Z [WARN] (pool-2-thread-6) com.aws.greengrass.deployment.DeploymentConfigMerger: merge-config. merge-config-service BROKEN. {serviceName=rtt.ancillary} 2022-03-20T23:26:36.702Z [ERROR] (pool-2-thread-6) com.aws.greengrass.deployment.activator.DeploymentActivator: merge-config. Deployment failed. {deploymentId=07e027a5-439e-9e57-303d24e} com.aws.greengrass.deployment.exceptions.ServiceUpdateException: Service rtt.ancillary in broken state after deployment at com.aws.greengrass.deployment.DeploymentConfigMerger.waitForServicesToStart(DeploymentConfigMerger.java:194) at com.aws.greengrass.deployment.activator.DefaultActivator.activate(DefaultActivator.java:84) at com.aws.greengrass.deployment.DeploymentConfigMerger.updateActionForDeployment(DeploymentConfigMerger.java:150) at com.aws.greengrass.deployment.DeploymentConfigMerger.lambda$mergeInNewConfig$0(DeploymentConfigMerger.java:102) at com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService.runUpdateActions(UpdateSystemPolicyService.java:95) at com.aws.greengrass.lifecyclemanager.UpdateSystemPolicyService.lambda$startup$0(UpdateSystemPolicyService.java:165) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:834) 2022-03-20T23:26:36.708Z [INFO] (pool-2-thread-6) com.aws.greengrass.deployment.activator.DeploymentActivator: merge-config. Rolling back failed deployment. {deploymentId=07e027a5-071b-9e57-303d} 2022-03-20T23:26:36.769Z [INFO] (pool-2-thread-6) com.aws.greengrass.config.ConfigurationWriter: truncate-tlog. queued immediate truncation. {} 2022-03-20T23:26:36.882Z [INFO] (Serialized listener processor) com.aws.greengrass.config.ConfigurationWriter: truncate-tlog. completed successfully. {} 2022-03-20T23:26:36.889Z [INFO] (pool-2-thread-6) com.aws.greengrass.deployment.DeploymentConfigMerger: merge-config. Removing services. {service-to-remove=[rtt.ancillary]} 2022-03-20T23:26:36.889Z [INFO] (pool-2-thread-14) com.aws.greengrass.lifecyclemanager.GenericExternalService: service-close. Service is now closing. {serviceName=rtt.ancillary, currentState=BROKEN} ``` here is my deployment config ``` { "targetArn": "arn:aws:iot::thing/test123", "revisionId": "2", "deploymentId": "07e027a5-9e57-303d2", "deploymentName": "update firmware", "deploymentStatus": "ACTIVE", "components": { "rtt.ancillary": { "componentVersion": "1.0.1", "configurationUpdate": { "merge": "{\"thing_name\":\"test_name\"}" } } }, "deploymentPolicies": { "failureHandlingPolicy": "ROLLBACK", "componentUpdatePolicy": { "timeoutInSeconds": 30, "action": "NOTIFY_COMPONENTS" }, "configurationValidationPolicy": { "timeoutInSeconds": 60 } }, "iotJobConfiguration": { "jobExecutionsRolloutConfig": { "exponentialRate": { "baseRatePerMinute": 5, "incrementFactor": 2.0, "rateIncreaseCriteria": { "numberOfNotifiedThings": 10, "numberOfSucceededThings": 5 } }, "maximumPerMinute": 50 }, "timeoutConfig": { "inProgressTimeoutInMinutes": 15 } }, "creationTimestamp": 1647818095.423, "isLatestForTarget": true, "tags": { "PRODUCT": "GGv2 Deployment" } } ```