Question 19203 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

AWS Greengrass V2 Fleet Provisioning thing policy problem

i currently want to setup a GreengrassV2 fleet provisioning (on an EC2 Instance where needed ports are open).
I’ve build the certificate and the thing/core device gets provisioned.

I want to make this Production Ready so i’ve used the minimal greengrass core iot policy:
https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy

here is my policy:

{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*",
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

The issue is i can not get the deployment for the thing group. The greengrass Core device always disconnects
Log Message:

[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]

if i now allow subscribe to the resource:

"arn:aws:iot:eu-central-1:123123123123:*"

it works – however this is not what i want for production.
i think it hast to do with the topicfilter/$aws resources but i can not figure out what the issue is.

After this i can also subscribe to the topic data/TestCustomerCoreDevice/test

Does somebody know how to resolve this issue?

thanks in advance!

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    as Kris wrote

    I have the same problem and found out that policy variables - like ${iot:Connection.Thing.ThingName} do not work with Greengrass Core devices: docs.aws.amazon.com/greengrass/v2/developerguide/… This would mean Greengrass fleet provisioning and the policy being used can only have * wildcards and cannot be scoped down with variables giving every device access to all resources.


  2. 0

    I cleaned up a bit your policy since it was kind of having duplicate information:

    {
"Statement": [
  {
    "Action": [
      "iot:Connect"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}"
  },
  {
    "Action": [
      "iot:Subscribe"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
      "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
    ]
  },
  {
    "Action": [
      "iot:Receive",
      "iot:Publish"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrass/health/json",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrassv2/health/json",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
    ]
  },
  {
    "Action": [
      "greengrass:ResolveComponentCandidates",
      "greengrass:Get*",
      "greengrass:List*",
      "greengrass:Describe*",
      "greengrass:Resolve*",
      "greengrass:PutCertificateAuthorities"
    ],
    "Effect": "Allow",
    "Resource": "*"
  },
  {
    "Action": "iot:AssumeRoleWithCertificate",
    "Effect": "Allow",
    "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
  }
],
"Version": "2012-10-17"

    }

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search