

# Install the Amazon IoT Greengrass Secret Manager component on the device
<a name="gs-install-secrets-manager"></a>

The Amazon Kinesis Video Streams Edge Agent requires the Amazon IoT Greengrass Secret Manager component to be installed on the device first.

**Install the Secret Manager component**

1. Sign in to the Amazon Web Services Management Console and open the Amazon IoT Core console at [https://console.amazonaws.cn/iot/](https://console.amazonaws.cn/iot/). Verify that the appropriate Region is selected.

1. In the left navigation, choose **Greengrass devices**, **Deployments**.

   Choose the deployment with the same target as the thing we created in [Set up the Amazon IoT Greengrass V2 core device on the device](gs-setup-gg.md).

1. In the **Actions** dropdown in the top right corner, choose **Revise**.

   In the pop-up that appears, choose **Revise deployment**.

1. Complete the following sections:
   + **Step 1: Specify target**. Choose **Next**.
   + **Step 2: Select components**.
     + Verify that the **aws.greengrass.Cli** component is selected. Do not uninstall this component.
     + Toggle the **Show only selected components** switch and search for **aws.greengrass.SecretManager**.
     + Check the box next to **aws.greengrass.SecretManager**, then choose **Next**.
   + **Step 3: Configure components**. Configure the Amazon IoT Greengrass Secret Manager component to download the secrets from within the Amazon IoT Greengrass environment.

     Select the **aws.greengrass.SecretManager** component, then choose **Configure component**.

     In the screen that appears, update the Amazon Secrets Manager ARNs in the **Configuration to merge** box.
**Note**  
Replace `arn:aws:secretsmanager:*:*:secret:*` with the ARNs of the secrets that you created in [Create the Amazon Kinesis Video Streams and Amazon Secrets Manager resources for your IP camera RTSP URLs](gs-create-resources.md).

     ```
     {
      "cloudSecrets": [
           {
             "arn": "{{arn:aws:secretsmanager:*:*:secret:*}}"
           },
           {
             "arn": "{{arn:aws:secretsmanager:*:*:secret:*}}"
           }
         ]
     }
     ```
**Note**  
`cloudSecrets` is a list of objects with the key `arn`. For more information, see the [Secret manager configuration](https://docs.amazonaws.cn//greengrass/v2/developerguide/secret-manager-component.html#secret-manager-component-configuration) section in the Amazon IoT Greengrass Version 2 Developer Guide. 

     When you're done, select **Confirm**, then choose **Next**.
   + **Step 4: Configure advanced settings**. Select **Next**.
   + **Step 5: Review**. Select **Deploy**.

1. Confirm that the Amazon Secrets Manager component and permissions were installed correctly.

   On the Ubuntu Amazon EC2 instance, type `sudo /greengrass/v2/bin/greengrass-cli component details --name aws.greengrass.SecretManager` to verify that the component received the updated configuration.

1. Inspect the Amazon IoT Greengrass core logs.

   Type `sudo less /greengrass/v2/logs/greengrass.log`.

   Review for deployment errors. 

   If there was an error, revise the deployment to remove the `aws.greengrass.SecretManager` component.

   Type `sudo service greengrass restart` to restart the Amazon IoT Greengrass core service.

   If the deployment error was related to missing permissions, review the [Add permissions to the token exchange service (TES) role](gs-add-permissions.md) section to make sure that the TES role has the proper permissions. Then, repeat this section.

1. **Update the secrets on the Amazon IoT Greengrass Secret Manager component**
**Important**  
The Amazon IoT Greengrass Secret Manager component fetches and caches secrets only when the deployment is updated.

   In order to update the secrets on the Amazon IoT Greengrass Secret Manager component, follow the preceding steps 1–6, with the following change.

   **Step 3: Configure components**. Configure the Amazon IoT Greengrass Secret Manager component to download the secrets from within the Amazon IoT Greengrass environment.

   Select the **aws.greengrass.SecretManager** component, then choose **Configure component**.

   In the screen that appears, paste `[""]` in the **Reset paths** box, and update the Amazon Secrets Manager ARNs in the **Configuration to merge** box.

   For more information, see [Reset updates](https://docs.amazonaws.cn//greengrass/v2/developerguide/update-component-configurations.html#reset-configuration-update).