Installing NodeRed in an AWS IoT Greengrass device — Part 1

Akalanka De Silva
Dec 31, 2022

Node-Red. Who hasn’t heard of it? I started my love affair with Node-Red in 2015 and haven’t looked anywhere else since. For anyone who is not familiar, Node-Red is a very popular flow-based development tool developed originally by IBM for wiring together hardware devices, APIs and online services as part of the Internet of Things. It provides a web browser-based flow editor, which can be used to wire together nodes and even write your own function code. Node-Red has seen some key updates over the last few years and is currently in active development, which makes it very attractive for building logic flows visually with a low-code/no-code approach. Yeah, I copy pasted some lines from their Wiki page!

But what is AWS IoT Greengrass? Simply put, it is an open-source runtime developed by AWS for edge IoT devices running Windows or Linux. Marry Node-Red and Greengrass together, and now you have an edge IoT device running a flow programming tool which can be managed from the cloud. The icing on the cake is, if you are planning to connect your edge IoT device to AWS services, now you don’t have to manage those pesky authentication keys/tokens etc. or break your head reading the AWS API docs. Simply install the AWS JavaScript SDK and you can communicate with AWS services right from your Node-Red instance with a few lines of code. Interested? Read on!

What goes on under the hood?

TL;DR

The aws.greengrass.labs.nodered component installs Node-Red using npm and starts the Node-Red process. The password for the Node-Red admin UI is fetched from AWS Secrets Manager, a process which is explained below. If you install the AWS SDK using npm, you can call the SDK from a function node in Node-Red and talk to AWS services.

The deep dive

What is a component?

A key feature of Greengrass is the ability to deploy software modules, a.k.a. components, to the devices running Greengrass. When you install the Greengrass runtime, the following components will already be installed:

  • aws.greengrass.cli
  • aws.greengrass.Nucleus

There is a rich variety of components, provided by AWS and developed by the community, that you can pick and choose from. Got something custom? No problem, you can develop your own components as well. In a nutshell, a component consists of:

  • recipe — this is a JSON or a YAML file which has instructions on how to install & run your piece of software, among other things
  • artifact — a fancy name for the executable of your piece of software. It can be a .exe, Python script, Node.js script etc. The recipe will have the information on how to run this executable in the form of a shell command.

It is important to note that having an artifact for a component is NOT mandatory. The recipe can have installation instructions where the executable is downloaded from a repository when the component is installed.

What components do I need?

The above diagram shows the components that are used in getting Node-Red to run in a Greengrass device.

The arrows explain the process which goes on behind the scenes to fetch the admin UI password from the AWS Secrets Manager. You might think that life would be a lot simpler if we simply hardcoded admin & password as the credentials. Yes, but so would it be for a potential hacker who might as well be 5 years old.

  1. On startup, the aws.greengrass.labs.nodered.auth component invokes the aws.greengrass.labs.SecretsManagerClient module and asks it to fetch the password
  2. aws.greengrass.labs.SecretsManagerClient makes an IPC call to aws.greengrass.Nucleus, requesting the password from aws.greengrass.labs.SecretsManager
  3. aws.greengrass.Nucleus relays the request to aws.greengrass.labs.SecretsManager
  4. aws.greengrass.labs.SecretsManager requests the password from AWS Secrets Manager
  5. AWS Secrets Manager returns the password
  6. aws.greengrass.labs.SecretsManager responds to aws.greengrass.Nucleus
  7. aws.greengrass.Nucleus relays the response to aws.greengrass.labs.SecretsManagerClient
  8. aws.greengrass.labs.SecretsManagerClient returns the password to aws.greengrass.labs.nodered.auth
  9. aws.greengrass.labs.nodered.auth appends a hashed version of the returned password to the password credential section of the settings.js file in Node-Red. This is a standard Node-Red process, which is explained here: https://nodered.org/docs/user-guide/runtime/securing-node-red
  10. aws.greengrass.labs.nodered starts the Node-Red process (the very first time, it will install Node-Red using npm) with the updated settings.js file. It will also set certain environment variables when starting the process, as explained here: https://docs.aws.amazon.com/greengrass/v2/developerguide/component-environment-variables.html. These will be extremely useful when we use the SDK to call AWS services from within Node-Red
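
A check for the outcome of step 9, as an added example (not code from the Greengrass Labs components or from Node-Red): it builds the `adminAuth` section that goes into settings.js and audits an existing one, so that a plaintext or hardcoded password is caught before Node-Red starts. The function names, the static `users` array and the `minCost` default are assumptions of this example.

```javascript
// Shape of a bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, 53 salt+hash characters.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Constructed placeholder in bcrypt shape (not a real hash of any password).
const SAMPLE_HASH = "$2b$08$" + "x".repeat(53);

// Build the adminAuth section for settings.js, refusing anything that is
// not a bcrypt hash so a plaintext secret can never be written to disk.
function buildAdminAuth(username, passwordHash, permissions = "*") {
  if (!BCRYPT_RE.test(passwordHash)) {
    throw new Error("password must be a bcrypt hash, not plaintext");
  }
  return {
    type: "credentials",
    users: [{ username, password: passwordHash, permissions }],
  };
}

// Audit an adminAuth object; an empty result means it passed.
// minCost is an assumption of this example (hypothetical policy value).
function auditAdminAuth(adminAuth, minCost = 8) {
  if (!adminAuth) {
    return ["adminAuth missing: editor and admin API are unauthenticated"];
  }
  const findings = [];
  if (adminAuth.type !== "credentials") {
    findings.push(`type is "${adminAuth.type}", expected "credentials"`);
  }
  const users = Array.isArray(adminAuth.users) ? adminAuth.users : [];
  if (users.length === 0) findings.push("no users defined");
  for (const u of users) {
    const m = BCRYPT_RE.exec(String(u.password || ""));
    if (!m) {
      findings.push(`${u.username}: password is not a bcrypt hash (plaintext or empty)`);
    } else if (Number(m[1]) < minCost) {
      findings.push(`${u.username}: bcrypt cost ${m[1]} is below ${minCost}`);
    }
  }
  return findings;
}

// What step 9 should produce, next to the hardcoded admin/password case.
const good = buildAdminAuth("admin", SAMPLE_HASH);
const bad = { type: "credentials", users: [{ username: "admin", password: "password", permissions: "*" }] };
console.log(auditAdminAuth(good));
console.log(auditAdminAuth(bad));
```
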

In Part 2, I will walk you through how to get this setup up and running. Till then, stay tuned!

Akalanka De Silva

Engineer, tech enthusiast, father of two living in Melbourne