Configure data source authentication
If your OPC UA server requires authentication credentials to connect, you can use AWS Secrets Manager to create and deploy a secret to your SiteWise Edge gateway. AWS Secrets Manager encrypts secrets on the device to keep your user name and password secure until you need to use them. For more information about the AWS IoT Greengrass secret manager component, see Secret manager in the AWS IoT Greengrass Version 2 Developer Guide.
For information about managing access to Secrets Manager secrets, see:
Step 1: Create source authentication secrets
You can use AWS Secrets Manager to create an authentication secret for your data source. In
the secret, define username
and
password
key-value pairs that contain authentication
details for your data source.
To create a secret (console)
-
Navigate to the AWS Secrets Manager console
. -
Choose Store a new secret.
-
Under Secret type, choose Other type of secrets.
-
Under Key/value pairs, do the following:
In the first input box, enter
username
and in the second input box enter the username.Choose Add row.
In the first input box, enter
password
and in the second input box enter the password.
-
For Encryption key, select aws/secretsmanager, and then choose Next.
-
On the Store a new secret page, enter a Secret name.
-
(Optional) Enter a Description that helps you identify this secret, and then choose Next.
-
(Optional) On the Store a new secret page, turn on Automatic rotation. For more information, see Rotate secrets in the AWS Secrets Manager User Guide.
-
Specify a rotation schedule.
-
Choose a Lambda function that can rotate this secret, and then choose Next.
-
Review your secret configurations, and then choose Store.
To authorize your SiteWise Edge gateway to interact with AWS Secrets Manager, the IAM role for
your SiteWise Edge gateway must allow the secretsmanager:GetSecretValue
action. You can use the Greengrass core device to search for the IAM policy.
For more information about updating an IAM policy, see Editing IAM policies in the AWS Identity and Access Management User
Guide.
Example policy
Replace secret-arn
with the Amazon Resource Name
(ARN) of the secret that you created in the previous step. For more information
about how to get the ARN of a secret, see Find secrets in AWS Secrets Manager in the AWS Secrets Manager User
Guide.
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "secretsmanager:GetSecretValue" ], "Effect":"Allow", "Resource":[ "
secret-arn
" ] } ] }
Step 2: Deploy secrets to your SiteWise Edge gateway device
You can use the AWS IoT SiteWise console to deploy secrets to your SiteWise Edge gateway.
To deploy a secret (console)
-
Navigate to the AWS IoT SiteWise console
. -
In the navigation pane, choose Gateways.
-
From the Gateways list, choose the target SiteWise Edge gateway.
-
In the Gateway configuration section, choose the Greengrass core device link to open the AWS IoT Greengrass core associated with the SiteWise Edge gateway.
-
In the navigation pane, choose Deployments.
-
Choose the target deployment, and then choose Revise.
-
On the Specify target page, choose Next.
-
On the Select components page, in the Public components section, turn off Show only selected components.
-
Search for and choose the aws.greengrass.SecretManager component, and then choose Next.
-
From the Selected components list, choose the aws.greengrass.SecretManager component, and then choose Configure component.
-
In the Configuration to merge field, add the following JSON object.
Note
Replace
secret-arn
with the ARN of the secret that you created in the previous step. For more information about how to get the ARN of a secret, see Find secrets in AWS Secrets Manager in the AWS Secrets Manager User Guide.{ "cloudSecrets":[ { "arn":"
secret-arn
" } ] } -
Choose Confirm.
-
Choose Next.
-
On the Configure advanced settings page, choose Next.
-
Review your deployment configurations, and then choose Deploy.
Step 3: Add authentication configurations
You can use the AWS IoT SiteWise console to add authentication configurations to your SiteWise Edge gateway.
To add authentication configurations (console)
-
Navigate to the AWS IoT SiteWise console
. -
From the Gateways list, choose the target SiteWise Edge gateway.
-
From the Data sources list, choose the target data source, and then choose Edit.
-
On the Add a data source page, choose Advanced configuration.
-
For Authentication configuration, choose the secret that you deployed in the previous step.
-
Choose Save.