
I currently want to set up Greengrass V2 fleet provisioning (on an EC2 instance where the needed ports are open).
I've built the certificate, and the thing/core device gets provisioned.

I want to make this production ready, so I've used the minimal Greengrass core IoT policy:
https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy

Here is my policy:

{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

The issue is I cannot get the deployment for the thing group. The Greengrass core device always disconnects.
Log message:

[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]

If I now allow subscribing to the resource:

"arn:aws:iot:eu-central-1:123123123123:*"

it works, however this is not what I want for production.
I think it has to do with the topicfilter/$aws resources, but I cannot figure out what the issue is.

After this I can also subscribe to the topic data/TestCustomerCoreDevice/test.

Does somebody know how to resolve this issue?

Thanks in advance!

2 Answers


  1. Chosen as BEST ANSWER

    As Kris wrote:

    I have the same problem and found out that policy variables, like ${iot:Connection.Thing.ThingName}, do not work with Greengrass Core devices: docs.aws.amazon.com/greengrass/v2/developerguide/… This would mean Greengrass fleet provisioning and the policy being used can only have * wildcards and cannot be scoped down with variables, giving every device access to all resources.


  2. I cleaned up your policy a bit since it had some duplicate information:

    {
    "Statement": [
      {
        "Action": [
          "iot:Connect"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}"
      },
      {
        "Action": [
          "iot:Subscribe"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
          "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
        ]
      },
      {
        "Action": [
          "iot:Receive",
          "iot:Publish"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrass/health/json",
          "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrassv2/health/json",
          "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
          "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*",
          "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
          "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
        ]
      },
      {
        "Action": [
          "greengrass:ResolveComponentCandidates",
          "greengrass:Get*",
          "greengrass:List*",
          "greengrass:Describe*",
          "greengrass:Resolve*",
          "greengrass:PutCertificateAuthorities"
        ],
        "Effect": "Allow",
        "Resource": "*"
      },
      {
        "Action": "iot:AssumeRoleWithCertificate",
        "Effect": "Allow",
        "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
      }
    ],
    "Version": "2012-10-17"
    }
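Added example (my own code, not from the question or either answer): a small evaluator that models how AWS IoT matches resource ARNs with * wildcards, run against the exact jobs topic from the log above. It assumes that an unresolvable ${iot:Connection.Thing.ThingName}, the situation the chosen answer describes for core devices, leaves the statement unmatched; the TestCustomer* prefix wildcard is a constructed, narrower alternative to "<account>:*".

```python
import fnmatch
import re

ARN_PREFIX = "arn:aws:iot:eu-central-1:123123123123:"
THING_VAR = re.compile(r"\$\{iot:Connection\.Thing\.ThingName\}")

# Constructed policy fragment: the asker's Subscribe statement, using the thing policy variable.
POLICY_WITH_VARIABLE = {"Version": "2012-10-17", "Statement": [{
    "Action": ["iot:Subscribe"], "Effect": "Allow",
    "Resource": [ARN_PREFIX + "topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*"]}]}

# Constructed alternative: the same scope as a thing-name prefix wildcard, with no policy variable.
POLICY_WITH_PREFIX = {"Version": "2012-10-17", "Statement": [{
    "Action": ["iot:Subscribe"], "Effect": "Allow",
    "Resource": [ARN_PREFIX + "topicfilter/$aws/things/TestCustomer*/jobs/*"]}]}

# The topic the core device tried to subscribe to in the log, as a topicfilter ARN.
JOBS_ARN = (ARN_PREFIX + "topicfilter/$aws/things/TestCustomerCoreDevice/jobs/"
            "12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def resolve(resource, thing_name):
    """Substitute the thing policy variable. Modelling assumption: a variable the
    broker cannot resolve leaves the resource pattern unmatched (returns None)."""
    if thing_name is None and THING_VAR.search(resource):
        return None
    return THING_VAR.sub(thing_name or "", resource)

def is_allowed(policy, action, arn, thing_name=None):
    """Explicit Deny wins, otherwise any matching Allow; '*' and '?' are glob wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            pattern = resolve(res, thing_name)
            if pattern is not None and fnmatch.fnmatchcase(arn, pattern):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

if __name__ == "__main__":
    # Resolved variable matches; an unresolvable one (the chosen answer's case for core devices)
    # does not; the prefix wildcard matches with no variable and is far narrower than "<account>:*".
    print(is_allowed(POLICY_WITH_VARIABLE, "iot:Subscribe", JOBS_ARN, "TestCustomerCoreDevice"))  # True
    print(is_allowed(POLICY_WITH_VARIABLE, "iot:Subscribe", JOBS_ARN))  # False
    print(is_allowed(POLICY_WITH_PREFIX, "iot:Subscribe", JOBS_ARN))  # True
```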
