Step 5: Install the Amazon IoT Greengrass Secret Manager component on the device - Amazon Kinesis Video Streams

The Amazon Kinesis Video Streams Edge Agent requires the Amazon IoT Greengrass Secret Manager component to be installed on the device first.

Install the Secret Manager component
  1. Sign in to the Amazon Web Services Management Console and open the Amazon IoT Core console at https://console.amazonaws.cn/iot/. Verify that the appropriate Region is selected.

  2. In the left navigation, choose Greengrass devices, Deployments.

    Choose the deployment with the same target as the thing we created in Step 2: Set up the Amazon IoT Greengrass V2 core device on the device.

  3. In the Actions dropdown in the top right corner, choose Revise.

    In the pop-up that appears, choose Revise deployment.

  4. Complete the following sections:

    • Step 1: Specify target. Choose Next.

    • Step 2: Select components.

      • Verify that the aws.greengrass.Cli component is selected. Do not uninstall this component.

      • Toggle the Show only selected components switch and search for aws.greengrass.SecretManager.

      • Check the box next to aws.greengrass.SecretManager, then choose Next.

    • Step 3: Configure components. Configure the Amazon IoT Greengrass Secret Manager component to download the secrets from within the Amazon IoT Greengrass environment.

      Select the aws.greengrass.SecretManager component, then choose Configure component.

      In the screen that appears, update the Amazon Secrets Manager ARNs in the Configuration to merge box.

      Note

      Replace arn:aws:secretsmanager:*:*:secret:* with the ARNs of the secrets that you created in Step 3: Create the Amazon Kinesis Video Streams and Amazon Secrets Manager resources for your IP camera RTSP URLs.

      {
        "cloudSecrets": [
          { "arn": "arn:aws:secretsmanager:*:*:secret:*" },
          { "arn": "arn:aws:secretsmanager:*:*:secret:*" }
        ]
      }

      Note

      cloudSecrets is a list of objects with the key arn. For more information, see the Secret manager configuration section in the Amazon IoT Greengrass Version 2 Developer Guide.

      When you're done, select Confirm, then choose Next.

    • Step 4: Configure advanced settings. Select Next.

    • Step 5: Review. Select Deploy.

  5. Confirm that the Amazon Secrets Manager component and permissions were installed correctly.

    On the Ubuntu Amazon EC2 instance, type sudo /greengrass/v2/bin/greengrass-cli component details --name aws.greengrass.SecretManager to verify that the component received the updated configuration.

  6. Inspect the Amazon IoT Greengrass core logs.

    Type sudo less /greengrass/v2/logs/greengrass.log.

    Review for deployment errors.

    If there was an error, revise the deployment to remove the aws.greengrass.SecretManager component.

    Type sudo service greengrass restart to restart the Amazon IoT Greengrass core service.

    If the deployment error was related to missing permissions, review the Step 4: Add permissions to the token exchange service (TES) role section to make sure that the TES role has the proper permissions. Then, repeat this section.

     

    Important

    The Amazon IoT Greengrass Secret Manager component fetches and caches secrets only when the deployment is updated.

    In order to update the secrets on the Amazon IoT Greengrass Secret Manager component, follow the preceding steps 1–6, with the following change.

    Step 3: Configure components. Configure the Amazon IoT Greengrass Secret Manager component to download the secrets from within the Amazon IoT Greengrass environment.

    Select the aws.greengrass.SecretManager component, then choose Configure component.

    In the screen that appears, paste [""] in the Reset paths box, and update the Amazon Secrets Manager ARNs in the Configuration to merge box.

    For more information, see Reset updates.