Token exchange service
The token exchange service component (aws.greengrass.TokenExchangeService) provides Amazon
credentials that you can use to interact with Amazon services in your custom components.
The token exchange service runs as a local server. This
local server connects to the Amazon IoT credentials provider using the Amazon IoT role alias that you
configure in the Greengrass core nucleus
component. The component provides two environment variables,
AWS_CONTAINER_CREDENTIALS_FULL_URI and
AWS_CONTAINER_AUTHORIZATION_TOKEN.
AWS_CONTAINER_CREDENTIALS_FULL_URI defines the URI to this local server. When a
component creates an Amazon SDK client, the client recognizes this URI environment variable and
uses the token in the AWS_CONTAINER_AUTHORIZATION_TOKEN to connect to the token
exchange service and retrieve Amazon credentials. This allows Greengrass core devices to call Amazon
service operations. For more information about how to use this component in custom components,
see Interact with Amazon services.
Important
Support to acquire Amazon credentials in this way was added to the Amazon SDKs on July 13th, 2016. Your component must use an Amazon SDK version that was created on or after that date. For more information, see Using a supported Amazon SDK in the Amazon Elastic Container Service Developer Guide.
Note
Components using the Amazon Default Credential Chain may discover and use other
sources of credentials, if they exist. Within the Amazon Elastic Container Service (Amazon ECS) container credentials,
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI takes precedence over
AWS_CONTAINER_CREDENTIALS_FULL_URI, meaning that token exchange
service credentials may not work within Amazon Elastic Container Service (Amazon ECS).
For more information, see standardized credential providers.
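The credential lookup described above and the precedence issue in the note, as an added example in Python (not Amazon's code and not part of the original page). It shows the request an SDK client makes with the two variables and a pre-flight check a component can run first. The function names, the constructed URI path, and the rule that the URI host must be loopback are assumptions of this example.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlparse

FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"

def is_loopback(host):
    """True for localhost or a loopback IP literal (assumed meaning of 'local server')."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def preflight(env):
    """List the reasons a component would not get token exchange service credentials."""
    problems = []
    if env.get(RELATIVE_URI):
        problems.append(f"{RELATIVE_URI} is set and takes precedence over {FULL_URI}")
    problems += [f"{name} is not set" for name in (FULL_URI, AUTH_TOKEN) if not env.get(name)]
    uri = env.get(FULL_URI)
    if uri and not is_loopback(urlparse(uri).hostname or ""):
        problems.append(f"{FULL_URI} does not point at a local server")
    return problems

def fetch_credentials(env, timeout=5):
    """GET the local URI with the token in the Authorization header, as an SDK client does."""
    problems = preflight(env)
    if problems:
        raise RuntimeError("; ".join(problems))
    request = urllib.request.Request(env[FULL_URI], headers={"Authorization": env[AUTH_TOKEN]})
    # Empty ProxyHandler: never route the token through an http_proxy setting.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(request, timeout=timeout) as response:
        creds = json.load(response)
    # Field names follow the container credentials response format.
    missing = {"AccessKeyId", "SecretAccessKey", "Token"} - creds.keys()
    if missing:
        raise RuntimeError(f"credential response lacks {sorted(missing)}")
    return creds

if __name__ == "__main__":
    # Constructed environment (not from a real device); port 2020 is the page's example.
    sample = {FULL_URI: "http://localhost:2020/constructed/path", RELATIVE_URI: "/constructed"}
    print(preflight(sample))
```

In a deployed component, pass `os.environ` as `env`; the returned dictionary contains secrets and should not be written to logs.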
Versions
This component has the following versions:
- 2.0.x
Type
This component is a generic component (aws.greengrass.generic). The Greengrass nucleus runs the component's lifecycle
scripts.
For more information, see Component types.
Operating system
This component can be installed on core devices that run the following operating systems:
Linux
Windows
Dependencies
This component doesn't have any dependencies.
Configuration
This component provides the following configuration parameters that you can customize when you deploy the component.
port
  The port to use for token exchange service connections. The token exchange service will restart after port configuration changes.
credentialRetryInSec
  Specifies retry intervals in seconds when Token Exchange Service encounters credential request errors.
  clientError
    The retry interval in seconds for client errors (4xx HTTP status codes).
    Default: 120
    Valid values: 10 to 42900
  serverError
    The retry interval in seconds for server errors (5xx HTTP status codes).
    Default: 60
    Valid values: 10 to 42900
  unknownError
    The retry interval in seconds for unknown errors (connection errors and HTTP status codes outside the 4xx and 5xx ranges).
    Default: 300
    Valid values: 10 to 42900
Example: Configuration merge update
{
  "port": 2020,
  "credentialRetryInSec": {
    "clientError": 30,
    "serverError": 45,
    "unknownError": 60
  }
}
Local log file
This component uses the same log file as the Greengrass nucleus component.
To view this component's logs
- Run the following command on the core device to view this component's log file in real time. Replace /greengrass/v2 or C:\greengrass\v2 with the path to the Amazon IoT Greengrass root folder.
Changelog
The following table describes the changes in each version of the component.
| Version | Changes |
|---|---|
| 2.0.3 | Initial version. |