aws-samples / aws-greengrass-lambda-functions

Example local Lambda functions that can be used with AWS Greengrass and the AWS Greengrass Provisioner.
MIT No Attribution

Documentation for CDDDocker #320

Closed QuinnCiccoretti closed 5 years ago

QuinnCiccoretti commented 5 years ago

I would like to pull containers from ECR without giving my AWS credentials to an edge device, or at least without giving that device more permissions than needed. Is there any documentation on how CDDDocker gets credentials/authorization to pull from ECR?

timmattison commented 5 years ago

In the case of CDDDocker it gets the AWS credentials from a Greengrass feature called the Token Exchange Service (TES). This service is tied into the Greengrass Core SDKs that you use in your Greengrass Lambda functions. As long as you are using the Greengrass Core SDKs instead of the regular AWS SDKs in your Lambda functions you'll automatically get temporary credentials for calls to any AWS service. Those temporary credentials will have the permissions that you've assigned to the role for your Greengrass Core.

Here are examples for the various SDKs:

QuinnCiccoretti commented 5 years ago

Wow, this is really awesome. You said

As long as you are using the Greengrass Core SDKs instead of the regular AWS SDKs in your Lambda functions you'll automatically get temporary credentials

But it seems the node code imports the regular aws-sdk. The python, java and c versions do much the same. Can I get clarification on what you mean? Also, does the provisioner automatically authorize policies to ECR and other services? I assume that's what these logs indicate:

[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess
[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/AWSIoTFullAccess
[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/AWSGreengrassFullAccess
[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/AmazonSageMakerReadOnly
[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
[INFO] BasicDeploymentHelper: - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

timmattison commented 5 years ago

Apologies, I misspoke there. You need to use the Greengrass Core SDKs to get access to the local versions of certain features (publishing to Greengrass Core instead of directly to IoT Core, local shadows, local secrets manager, etc). The other features are accessed with the normal SDKs.

Greengrass emulates the Amazon ECS container credential provider. In the environment for a Greengrass Lambda function a few variables are set that tell the SDK, if it is using the default credential provider chain, to try to get credentials from an endpoint that acts the same as the ECS container credentials provider. These are temporary credentials that have the same permissions as the Greengrass core's role.

As long as your SDK is set to use the default credentials provider chain then you should be able to use any service in a Lambda function. But for services that have a local equivalent you need to use the Greengrass Core SDK.
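The credential flow described in this comment, as an added example that is not code from this repository: a loopback endpoint standing in for the Token Exchange Service, and a client that does what an SDK's default credential chain does when the container-credential variables are set. The two environment variable names are the ones the AWS SDKs honour for the ECS container provider; that Greengrass sets exactly these is assumed from the thread, and the endpoint path, token and credential values are constructed for the demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed stand-ins for what the Token Exchange Service would hand out.
FAKE_CREDS = {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "constructed-secret",
              "Token": "constructed-session-token", "Expiration": "2030-01-01T00:00:00Z"}
AUTH_TOKEN = "constructed-per-process-token"

class CredentialEndpoint(BaseHTTPRequestHandler):
    """Loopback endpoint that releases credentials only to a caller presenting the token."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == AUTH_TOKEN
        self.send_response(200 if ok else 403)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(FAKE_CREDS if ok else {"error": "forbidden"}).encode())

def start_endpoint():
    """Serve the endpoint on an ephemeral loopback port; return its URL."""
    server = HTTPServer(("127.0.0.1", 0), CredentialEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/credentials"

def endpoint_allowed(uri):
    """Rule the SDKs apply to AWS_CONTAINER_CREDENTIALS_FULL_URI: plain HTTP only to loopback."""
    p = urlparse(uri)
    return p.scheme == "https" or p.hostname in ("localhost", "127.0.0.1")

def fetch_container_credentials(env):
    """What the default credential chain does when the container variables are set."""
    uri = env["AWS_CONTAINER_CREDENTIALS_FULL_URI"]
    if not endpoint_allowed(uri):
        raise ValueError(f"refusing non-loopback credential endpoint {uri}")
    req = Request(uri, headers={"Authorization": env["AWS_CONTAINER_AUTHORIZATION_TOKEN"]})
    with urlopen(req, timeout=2) as resp:
        creds = json.load(resp)
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}

def run_demo():
    """Set the two variables the way the runtime would, then fetch as an SDK would."""
    env = {"AWS_CONTAINER_CREDENTIALS_FULL_URI": start_endpoint(),
           "AWS_CONTAINER_AUTHORIZATION_TOKEN": AUTH_TOKEN}
    return fetch_container_credentials(env)

if __name__ == "__main__":
    print(run_demo()["AccessKeyId"])  # the short-lived key the Lambda would sign calls with
```

The credentials never leave the device's loopback interface and carry whatever the core's role allows, which is why trimming that role (see deployments.defaults.conf) is the lever for least privilege here.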

timmattison commented 5 years ago

And yes, the provisioner does add the permissions you see in the logs to the Greengrass core's role. Those permissions are actually set up in the deployments.defaults.conf so you can modify them if you need to.

QuinnCiccoretti commented 5 years ago

Makes sense. I was able to access ECR without extra authentication presumably because the ECR client uses the default credential provider chain. And now I understand how it works!