Configuring data source authentication - Amazon IoT SiteWise
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Configuring data source authentication

If your OPC-UA server requires authentication credentials to connect, you can use Amazon Secrets Manager to create and deploy a secret to your gateway device. Amazon Secrets Manager encrypts secrets on the device to keep your user name and password secure until you need to use them. For more information, see Secret manager in the Amazon IoT Greengrass Version 2 Developer Guide.

Step 1: Create source authentication secrets

You can use Amazon Secrets Manager to create an authentication secret for your data source. In the secret, define username and password key-value pairs that contain authentication details for your data source.

To create a secret (console)

  1. Navigate to the Amazon Secrets Manager console.

  2. Choose Store a new secret.

  3. Under Secret type, choose Other type of secrets.

  4. Under Key/value pairs, enter a user name in the first input box and a password in the second input box.

  5. For Encryption key, select DefaultEncryptionKey, and then choose Next.

  6. On the Store a new secret page, enter a Secret name.

  7. (Optional) Enter a Description that helps you identify this secret, and then choose Next.

  8. (Optional) On the Store a new secret page, turn on Automatic rotation. For more information, see Rotate secrets in the Amazon Secrets Manager User Guide.

  9. Specify a rotation schedule.

  10. Choose a Lambda function that can rotate this secret, and then choose Next.

  11. Review your secret configurations, and then choose Store.

To authorize your gateway device to interact with Amazon Secrets Manager, the IAM role for your gateway must allow the secretsmanager:GetSecretValue action.

Example policy

Replace secret-arn with the Amazon Resource Name (ARN) of the secret that you created in the previous step. For more information about how to get the ARN of a secret, see Retrieve your secret from Amazon Secrets Manager in the Amazon Secrets Manager User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": [
                "secret-arn"
            ]
        }
    ]
}

Step 2: Deploy secrets to your gateway device

You can use the Amazon IoT SiteWise console to deploy secrets to your gateway.

To deploy a secret (console)

  1. Navigate to the Amazon IoT SiteWise console.

  2. In the navigation pane, choose Gateways.

  3. From the Gateways list, choose the target gateway.

  4. In the Gateway configuration section, choose the Greengrass core device link to open the Amazon IoT Greengrass core associated with the gateway.

  5. In the navigation pane, choose Deployments.

  6. Choose the target deployment, and then choose Revise.

  7. On the Specify target page, choose Next.

  8. On the Select components page, in the Public components section, turn off Show only selected components.

  9. Search for and choose the aws.greengrass.SecretManager component, and then choose Next.

  10. From the Selected components list, choose the aws.greengrass.SecretManager component, and then choose Configure component.

  11. In the Configuration to merge field, add the following JSON object.

    Note

    Replace secret-arn with the ARN of the secret that you created in the previous step. For more information about how to get the ARN of a secret, see Retrieve your secret from Amazon Secrets Manager in the Amazon Secrets Manager User Guide.

    {
        "cloudSecrets": [
            {
                "arn": "secret-arn"
            }
        ]
    }

  12. Choose Confirm.

  13. Choose Next.

  14. On the Configure advanced settings page, choose Next.

  15. Review your deployment configurations, and then choose Deploy.
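The two JSON fragments above (the gateway role policy from Step 1 and the aws.greengrass.SecretManager merge configuration from Step 2) both hinge on one value, the secret ARN. The following added example, which is not part of this documentation or of any AWS tool, builds both documents from a single ARN and checks an existing role policy for grants wider than GetSecretValue on a named secret; SAMPLE_ARN is a constructed placeholder, not a real secret.

```python
import re

# Shape of a Secrets Manager secret ARN (aws, aws-cn and aws-us-gov partitions).
SECRET_ARN_RE = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$"
)

# Constructed sample ARN for illustration; it does not refer to a real secret.
SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:opcua/line1-AbCdEf"

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def gateway_secret_policy(secret_arn):
    """Gateway role policy from Step 1: GetSecretValue on exactly one secret."""
    if not SECRET_ARN_RE.match(secret_arn):
        raise ValueError("not a Secrets Manager secret ARN: %s" % secret_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": ["secretsmanager:GetSecretValue"],
            "Effect": "Allow",
            "Resource": [secret_arn],
        }],
    }

def secret_manager_merge_config(secret_arn):
    """'Configuration to merge' for aws.greengrass.SecretManager from Step 2."""
    if not SECRET_ARN_RE.match(secret_arn):
        raise ValueError("not a Secrets Manager secret ARN: %s" % secret_arn)
    return {"cloudSecrets": [{"arn": secret_arn}]}

def policy_findings(policy):
    """Flag Allow statements granting more than GetSecretValue on named secrets."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for act in _as_list(stmt.get("Action", [])):
            if act == "*" or (act.lower().startswith("secretsmanager:")
                              and act != "secretsmanager:GetSecretValue"):
                findings.append("statement %d: action %r exceeds GetSecretValue" % (i, act))
        for res in _as_list(stmt.get("Resource", [])):
            if "*" in res or not SECRET_ARN_RE.match(res):
                findings.append("statement %d: resource %r is not one secret ARN" % (i, res))
    return findings
```

Run policy_findings over the policy attached to the gateway role before deploying; an empty list means the role can read only the secrets it is meant to read.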

Step 3: Add authentication configurations

You can use the Amazon IoT SiteWise console to add authentication configurations to your gateway.

To add authentication configurations (console)

  1. Navigate to the Amazon IoT SiteWise console.

  2. From the Gateways list, choose the target gateway.

  3. From the Data sources list, choose the target data source, and then choose Edit.

  4. On the Add a data source page, choose Advanced configuration.

  5. For Authentication configuration, choose the secret that you deployed in the previous step.

  6. Choose Save.