Interact with AWS services
Greengrass core devices use X.509 certificates to connect to AWS IoT Core using TLS mutual authentication protocols. These certificates let devices interact with AWS IoT without AWS credentials, which typically comprise an access key ID and a secret access key. Other AWS services require AWS credentials instead of X.509 certificates to call API operations at service endpoints. AWS IoT Core has a credentials provider that enables devices to use their X.509 certificate to authenticate AWS requests. The AWS IoT credentials provider authenticates devices using an X.509 certificate and issues AWS credentials in the form a temporary, limited-privilege security token. Devices can use this token to sign and authenticate any AWS request. This eliminates the need to store AWS credentials on Greengrass core devices. For more information, see Authorizing direct calls to AWS services in the AWS IoT Core Developer Guide.
To fetch credentials from AWS IoT, Greengrass, core devices use an AWS IoT role alias that points to
an IAM role. This IAM role is called the token exchange role. You
create the role alias and token exchange role when you install the AWS IoT Greengrass Core software. To specify
the role alias that a core device uses, configure the iotRoleAlias
parameter of the
Greengrass nucleus.
The AWS IoT credentials provider assumes the token exchange role on your behalf to provide AWS credentials to core devices. You can attach appropriate IAM policies to this role to allow your core devices access to your AWS resources, such as components artifacts in S3 buckets. For more information about how to configure the token exchange role, see Authorize core devices to interact with AWS services.
Greengrass core devices store AWS credentials in memory, and the credentials expire after an hour by default. If the AWS IoT Greengrass Core software restarts, it must fetch credentials again. You can use the UpdateRoleAlias operation to configure the duration that credentials are valid.
AWS IoT Greengrass provides a public component, the token exchange service component, that you can define
as a dependency in your custom component to interact with AWS services. The token exchange
service provides your component with an environment variable,
AWS_CONTAINER_CREDENTIALS_FULL_URI
, that defines the URI to a local server that
provides AWS credentials. When you create an AWS SDK client, the client checks for this
environment variable and connects to the local server to retrieve AWS credentials and uses
them to sign API requests. This lets you use AWS SDKs and other tools to call AWS services
in your components. For more information, see Token exchange service.
Important
Support to acquire AWS credentials in this way was added to the AWS SDKs on July 13th, 2016. Your component must use an AWS SDK version that was created on or after that date. For more information, see Using a supported AWS SDK in the Amazon Elastic Container Service Developer Guide.
To acquire AWS credentials in your custom component, define
aws.greengrass.TokenExchangeService
as a dependency in the component recipe. The
following example recipe defines a component that installs boto3
Note
To run this example component, your device must have the s3:ListAllMyBuckets
permission. For more information, see Authorize core devices to interact with AWS
services.
This example component runs the following Python script,
list_s3_buckets.py
that lists Amazon S3 buckets.
import boto3 import os try: print("Creating boto3 S3 client...") s3 = boto3.client('s3') print("Successfully created boto3 S3 client") except Exception as e: print("Failed to create boto3 s3 client. Error: " + str(e)) exit(1) try: print("Listing S3 buckets...") response = s3.list_buckets() for bucket in response['Buckets']: print(f'\t{bucket["Name"]}') print("Successfully listed S3 buckets") except Exception as e: print("Failed to list S3 buckets. Error: " + str(e)) exit(1)