AWS Security ChangesHomeSearch

AWS greengrass documentation change

Service: greengrass · 2025-12-25 · Documentation low

File: greengrass/v2/developerguide/token-exchange-service-component.md

Summary

Clarified token exchange service implementation and added credential precedence note

Security assessment

Added security documentation about credential chain precedence (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI vs FULL_URI) which impacts secure credential usage in ECS environments. No vulnerability addressed.

Diff

diff --git a/greengrass/v2/developerguide/token-exchange-service-component.md b/greengrass/v2/developerguide/token-exchange-service-component.md
index e5f25ef5f..0058adcf6 100644
--- a//greengrass/v2/developerguide/token-exchange-service-component.md
+++ b//greengrass/v2/developerguide/token-exchange-service-component.md
@@ -11 +11 @@ The token exchange service component (`aws.greengrass.TokenExchangeService`) pro
-The token exchange service runs an Amazon Elastic Container Service (Amazon ECS) container instance as a local server. This local server connects to the AWS IoT credentials provider using the AWS IoT role alias that you configure in the [Greengrass core nucleus component](./greengrass-nucleus-component.html). The component provides two environment variables, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN`. `AWS_CONTAINER_CREDENTIALS_FULL_URI` defines the URI to this local server. When a component creates an AWS SDK client, the client recognizes this URI environment variable and uses the token in the `AWS_CONTAINER_AUTHORIZATION_TOKEN` to connect to the token exchange service and retrieve AWS credentials. This allows Greengrass core devices to call AWS service operations. For more information about how to use this component in custom components, see [Interact with AWS services](./interact-with-aws-services.html).
+The token exchange service runs as a local server. This local server connects to the AWS IoT credentials provider using the AWS IoT role alias that you configure in the [Greengrass core nucleus component](./greengrass-nucleus-component.html). The component provides two environment variables, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN`. `AWS_CONTAINER_CREDENTIALS_FULL_URI` defines the URI to this local server. When a component creates an AWS SDK client, the client recognizes this URI environment variable and uses the token in the `AWS_CONTAINER_AUTHORIZATION_TOKEN` to connect to the token exchange service and retrieve AWS credentials. This allows Greengrass core devices to call AWS service operations. For more information about how to use this component in custom components, see [Interact with AWS services](./interact-with-aws-services.html).
@@ -16,0 +17,4 @@ Support to acquire AWS credentials in this way was added to the AWS SDKs on July
+###### Note
+
+Components using the AWS Default Credential Chain may discover and use other sources of credentials, if they exist. Within the Amazon Amazon Elastic Container Service (Amazon ECS) container credentials `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` will take precedence over `AWS_CONTAINER_CREDENTIALS_FULL_URI`, meaning that token exchange service credentials may not work within Amazon Elastic Container Service (Amazon ECS). For more, see [standardized credential providers](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html)
+