AWS IoT Greengrass - Secrets
![AWS IoT Greengrass - Secrets](/static/1720671191869.86229892933/62553/aws-iot-greengrass-secrets.jpg)
Welcome to the AWS IoT Greengrass - Secrets brick. In this overview we'll go through setting up Secrets at the edge with AWS IoT Greengrass. The specific parts that we will cover can be seen below:
- Create a Greengrass Secret
- Greengrass Lambda function - Access Secrets
- Create Subscriptions
- Deploy and Test Secret Access
The overall goal of this guide is to demonstrate very simply the following workflow:
![AWS IoT Greengrass Secrets Architecture](/static/1720671191869.86229892931/c1b63/aws-iot-greengrass-secrets-diagram.png)
Prerequisites
- AWS Account (Free Tier is acceptable)
- Existing Greengrass Group & Device: you will need a device with Greengrass Core deployed on it. You can follow one of our previous guides for this:
Here is an example of a deployed Greengrass Core setup with minimal configuration that we will be using in this guide
![AWS IoT Greengrass Core deployment](/static/1720671191861.86229886951/4cdf7/aws-iot-greengrass-secrets-01.png)
Create a Greengrass Secret
Let's begin by creating a simple secret that will be available at the edge. This could be a Database password or some secret material that we don't want to store in code, but want access to when our IoT device is installed.
Navigate to the AWS IoT Greengrass group that should already be created and click Add a secret resource under the Resources > Secret section.
![Greengrass Create new secret resource](/static/1720671191861.86229886952/91f10/aws-iot-greengrass-secrets-02.png)
You will be presented with a process that asks you to create or select a secret to use. This list shows Secrets Manager secrets, and currently you probably don't have any available to use. Click Create to create a new one.
![AWS Secrets Manager create secret portal](/static/1720671191861.86229886953/4cdf7/aws-iot-greengrass-secrets-03.png)
NOTE: Read the warning carefully, as it tells you that if you name a secret with a `greengrass-` prefix then it is automatically granted access to be used by all AWS IoT Greengrass services.
![AWS Secrets Manager prefix permissions](/static/1720671191861.86229886954/e9beb/aws-iot-greengrass-secrets-04.png)
You will be pushed to the AWS Secrets Manager console where you will need to create a new secret. Go ahead and create something creative, just make sure you've selected Other type of secrets as the secret type. Click Next when you're ready to proceed.
![Secrets Manager new secret](/static/1720671191861.86229886955/00b70/aws-iot-greengrass-secrets-05.png)
Give your secret a name, making sure that it is prefixed by `greengrass-`. In my case I've gone with `greengrass-Demo-launchcodes`, but you can be as creative as you want. Click Next when you are ready to move on.
![Secrets Manager secret name](/static/1720671191861.86229886956/6e9ba/aws-iot-greengrass-secrets-06.png)
Click Next on the next screen as well (Configuring automatic rotation). The final screen gives you an overview of the secret we're creating, along with some useful client code for accessing the secret. Click Store to finalize the creation.
![Secrets Manager create secret screen](/static/1720671191861.86229886957/7608e/aws-iot-greengrass-secrets-07.png)
Now that the secret has been created navigate back to the AWS IoT Greengrass group tab and click Refresh on the secret selection page.
![Select new secret for Greengrass group](/static/1720671191861.86229886958/078fe/aws-iot-greengrass-secrets-08.png)
Click on the secret we just created (greengrass-Demo-launchcodes) then click Next on the Select labels page.
![Select labels for Greengrass secret](/static/1720671191861.86229886959/91f10/aws-iot-greengrass-secrets-09.png)
Finally give the Greengrass Secret a name and click Save to finalize its creation.
![Greengrass group secret creation](/static/1720671191861.86229886960/91f10/aws-iot-greengrass-secrets-10.png)
Greengrass Lambda function - Access Secrets
To create a new Lambda function for Greengrass we first need to grab a copy of the Greengrass SDK. For this tutorial we'll be using the Python SDK which can be downloaded from the github repo page.
Download and unzip the SDK to your computer; the following commands can be used if you're on macOS or Linux.

```bash
# Download the Greengrass SDK
wget -O greengrass.zip https://github.com/aws/aws-greengrass-core-sdk-python/archive/v1.5.0.zip
# Unzip the SDK
unzip -q greengrass.zip
```
You will be left with a directory called `aws-greengrass-core-sdk-python-1.5.0` which has a couple of subfolders. The important one is `greengrasssdk`. In fact, delete all the folders except for `greengrasssdk`!

Then create a file called `secret_demo.py` next to the SDK folder.
![Greengrass SDK folder with python file](/static/1720671191865.86229886961/8ecb0/aws-iot-greengrass-secrets-11.png)
Inside the `secret_demo.py` file add the following code for retrieving secret data:

```python
import greengrasssdk

# Local clients provided by the Greengrass Core SDK: one for the local
# secrets manager, one for publishing MQTT messages via the core.
secrets_client = greengrasssdk.client('secretsmanager')
message_client = greengrasssdk.client('iot-data')


def function_handler(event, context):
    # SecretId should match your secret name
    response = secrets_client.get_secret_value(SecretId='greengrass-Demo-launchcodes')
    secret_value = response.get('SecretString')
    if secret_value is None:
        iot_message = '[FAILED] Retrieve secret.'
    else:
        iot_message = '[Success] Retrieved secret.'
    # topic can be any topic name that you want to publish to;
    # only the status message is published, the secret value stays on the device
    message_client.publish(topic='iot-demo-pub/secrets', payload=iot_message)
    print('published: ' + iot_message)
```
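As an added example (not the tutorial's own code), here is a variant of the handler that can be exercised on a workstation without a Greengrass core. The clients are passed in as parameters so that constructed stub clients can stand in for `greengrasssdk.client(...)`, the `SecretString` is parsed as the JSON key/value object that "Other type of secrets" stores, and the published status names the keys that were found rather than their values, so the secret never leaves the device over MQTT. The `launch_code` key, the stub classes and `run_local_demo` are assumptions made for this example; the secret name and topic are the ones used in this guide.

```python
"""Added example, not the tutorial's code: a testable version of secret_demo.py."""
import json

SECRET_ID = 'greengrass-Demo-launchcodes'   # secret created earlier in this guide
STATUS_TOPIC = 'iot-demo-pub/secrets'        # topic the status message is published to


def parse_secret_string(response):
    """Return the key/value pairs held in a get_secret_value response.

    "Other type of secrets" stores its rows as a JSON object in SecretString.
    A plaintext (non-JSON, or JSON but not an object) secret is returned under
    a single 'value' key. Returns None when no SecretString is present
    (for example a binary-only secret).
    """
    secret_string = response.get('SecretString')
    if secret_string is None:
        return None
    try:
        parsed = json.loads(secret_string)
    except ValueError:
        return {'value': secret_string}
    if isinstance(parsed, dict):
        return parsed
    return {'value': secret_string}


def function_handler(event, context, secrets_client=None, message_client=None):
    """Fetch the secret and publish a status message (never the secret itself).

    Inside the Greengrass core the clients default to the SDK clients; tests
    pass stub clients instead so no core is needed.
    """
    if secrets_client is None or message_client is None:
        import greengrasssdk  # only importable inside the Greengrass core
        secrets_client = secrets_client or greengrasssdk.client('secretsmanager')
        message_client = message_client or greengrasssdk.client('iot-data')

    try:
        response = secrets_client.get_secret_value(SecretId=SECRET_ID)
    except Exception as exc:  # local secrets manager raises if the secret was not deployed
        status = '[FAILED] Retrieve secret: %s' % exc.__class__.__name__
    else:
        fields = parse_secret_string(response)
        if fields is None:
            status = '[FAILED] Retrieve secret.'
        else:
            # Report which keys exist, not their values: the value stays on the device.
            status = '[Success] Retrieved secret with keys: %s' % ', '.join(sorted(fields))
    message_client.publish(topic=STATUS_TOPIC, payload=status)
    return status


class _StubSecretsClient:
    """Constructed stand-in for greengrasssdk.client('secretsmanager')."""

    def __init__(self, secret_string):
        self.secret_string = secret_string  # None simulates a secret that was not deployed

    def get_secret_value(self, SecretId, VersionStage='AWSCURRENT'):
        if SecretId != SECRET_ID or self.secret_string is None:
            raise KeyError(SecretId)
        return {'Name': SecretId, 'SecretString': self.secret_string}


class _StubMessageClient:
    """Constructed stand-in for greengrasssdk.client('iot-data'); records publishes."""

    def __init__(self):
        self.published = []

    def publish(self, topic, payload):
        self.published.append((topic, payload))


def run_local_demo(secret_string='{"launch_code": "1234-5678"}'):
    """Run the handler against the stubs; return (status, list of published messages)."""
    messages = _StubMessageClient()
    status = function_handler({}, None,
                              secrets_client=_StubSecretsClient(secret_string),
                              message_client=messages)
    return status, messages.published


if __name__ == '__main__':
    print(run_local_demo())                 # the happy path with a constructed JSON secret
    print(run_local_demo(secret_string=None))  # the secret is missing on the device
```

Running the file locally prints the status message and the single recorded publish for each case; deployed to the core, the same `function_handler` works unchanged because the SDK clients are created only when no stubs are supplied.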
Now zip the greengrasssdk folder and secret_demo.py files up (not the root folder) into a zip file named whatever you like.
![Zip SDK and secret demo python files](/static/1720671191865.86229886962/18872/aws-iot-greengrass-secrets-12.png)
Head on back to the AWS IoT Greengrass console under your existing Greengrass group and select Add your first Lambda under Lambdas.
![AWS IoT Greengrass create your first lambda](/static/1720671191865.86229886963/75609/aws-iot-greengrass-secrets-13.png)
Click Create new Lambda when prompted which will open up a new Lambda console.
![Create new Lambda select from Greengrass console](/static/1720671191865.86229886964/91f10/aws-iot-greengrass-secrets-14.png)
In the Lambda console Author from scratch a new function and use the Python 3.7 runtime. I've also named the lambda the same thing as our secret just to make things consistent. Click Create function when ready.
![Lambda create new with python runtime](/static/1720671191865.86229886965/4ff83/aws-iot-greengrass-secrets-15.png)
Scroll down to the Function code section and select Upload a .zip file from the Actions drop down.
![Lambda upload a zip file](/static/1720671191865.86229886966/914ae/aws-iot-greengrass-secrets-16.png)
Select the zip file we created in the previous step and click Save.
![Lambda upload and save demo code](/static/1720671191865.86229886967/63ec5/aws-iot-greengrass-secrets-17.png)
Scroll down to Basic settings for the lambda and edit the Handler to match the python file and function we created as well. In this case it is secret_demo.function_handler.
Click Save once the changes have been made.
![Lambda change function handler](/static/1720671191865.86229886968/63ec5/aws-iot-greengrass-secrets-18.png)
Finally head to the top of the Lambda function and select Actions > Publish new version. Click Publish in the follow up prompt.
![Lambda publish new version](/static/1720671191865.86229886970/3c051/aws-iot-greengrass-secrets-20.png)
Navigate back to the AWS IoT Greengrass console, proceed to Use an existing Lambda function and select the one we just created. Click Next.
![AWS IoT Greengrass select existing lambda](/static/1720671191865.86229886969/91f10/aws-iot-greengrass-secrets-19.png)
When prompted for your lambda version, select Version 1 (or whatever the most recent version for you is).
![Greengrass Lambda version select](/static/1720671191865.86229886971/0f7d5/aws-iot-greengrass-secrets-21.png)
Create Subscriptions
In order for the Lambda function and AWS IoT to communicate we also need to create a subscription for the Greengrass group. To do this navigate to the Subscriptions menu and select Add your first Subscription.
![AWS IoT Greengrass creating first subscription](/static/1720671191865.86229886973/4cdf7/aws-iot-greengrass-secrets-23.png)
When asked for the source and target select:
- Source: Lambda (greengrass-Demo-launchcodes)
- Target: Service (IoT Cloud)
Click Next to move on.
![Greengrass subscription source and target](/static/1720671191865.86229886974/0f7d5/aws-iot-greengrass-secrets-24.png)
When prompted for the topic filter, use whatever topic you used in the python source code. In my case I used iot-demo-pub/secrets.
![Greengrass subscription source filter](/static/1720671191865.86229886975/4cdf7/aws-iot-greengrass-secrets-25.png)
Click Next then Finish.
We will also need to create a second subscription that will be used to trigger the Lambda. To do this, repeat the steps above but instead this time select:
- Source: Service (IoT Cloud)
- Topic: iot-demo-pub/trigger
- Target: Lambda (greengrass-Demo-launchcodes)
![Greengrass subscription source and target for lambda function execution](/static/1720671191865.86229892928/91f10/aws-iot-greengrass-secrets-26.png)
Click Next then Finish.
Deploy and Test Secret Access
The final step for this tutorial is to deploy and test the secret we just created. On the Greengrass group select Actions > Deploy to push the Secret and Lambda out to the edge.
![AWS IoT Greengrass run deployment](/static/1720671191865.86229886972/ec3e2/aws-iot-greengrass-secrets-22.png)
Once the deployment shows up as successful, navigate to the Test menu in AWS IoT Core. Input `iot-demo-pub/secrets` as the topic you want to subscribe to and click Subscribe to topic.
![AWS IoT Core Test menu](/static/1720671191865.86229892929/74d4e/aws-iot-greengrass-secrets-27.png)
Then simply publish any message you want to `iot-demo-pub/trigger` to tell the edge lambda to fire. You should receive back the launch codes from secrets manager.
![AWS IoT Core trigger lambda](/static/1720671191865.86229892930/142fb/aws-iot-greengrass-secrets-28.png)
Summary
Congratulations! You created a Secret for use at the edge in AWS IoT Greengrass Core. Now you can safely use secrets at the edge!
If you had any issues setting things up, or you have other questions, please let me know by reaching out on Twitter @nathangloverAUS or dropping a comment below.