
Greengrass V2 continuously giving me MqttProxyIPCAgent Not Authorized


I have the following Greengrass V2 custom recipe:

---
RecipeFormatVersion: "2020-01-25"
ComponentName: com.savic.Telemetry
ComponentVersion: 1.0.12
ComponentDescription: Vehicle telemetry consisting of CAN and additional messages
ComponentPublisher: ##############
ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/{configuration:/Environment}/telemetry/events
Manifests:
  - Platform:
      os: linux
    Lifecycle:
      Setenv:
        SAVICMC_ENV: "{configuration:/Environment}"
        SAVIC_SENDLOG_PATH: "/var/log/sendLog.txt"
        SAVIC_SAMPLE_RATE: 10
        SAVIC_TELEMETRY_TOPIC: "savicmc/{configuration:/Environment}/telemetry/events"
      Install:
        RequiresPrivilege: true
        script: python3 -m pip install --user awsiotsdk
      Run:
        RequiresPrivilege: true
        script: python3 -u {artifacts:path}/telemetry.py
    Artifacts:
      - Uri: s3://greengrass-components-#############-############/artifacts/com.savic.Telemetry/1.0.12/telemetry.py
        Permission:
          Execute: OWNER

NOTE: I also tried a variation of the accessControl:

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:mqttproxy:2:

 ------ AND --------

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:pubsub:2:

(note: pubsub vs. mqttproxy)

However, in my greengrass.log, I am continuously getting the following:

2022-01-24T06:29:45.178Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 1141, Class ServerConnection, Refs 1](2022-01-24T06:29:45.178120Z) - <null>. {}
2022-01-24T06:29:45.181Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.savic.Telemetry. {}
2022-01-24T06:29:45.184Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.savic.Telemetry. {}
2022-01-24T06:29:45.185Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.savic.Telemetry. {}
2022-01-24T06:29:45.191Z [INFO] (Thread-8) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

Note the:

com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

My Thing device certificate also has a policy that allows iot:* and greengrass:*, so from a Policy/IAM perspective, I am allowed to publish.

Any ideas why I am getting the Not Authorized on the device?


Solution

  • Recipe variables are supported only in the lifecycle section of the recipe. As a result, the {configuration:/Environment} string in accessControl doesn't resolve to the value that you expect.

    savicmc/{configuration:/Environment}/telemetry/events
    

    You can change the default accessControl to use the value of Environment by default, so the component works as expected when you use the default values.

    ComponentConfiguration:
      DefaultConfiguration:
        Environment: nonprod
        accessControl:
          aws.greengrass.ipc.mqttproxy:
            com.savic.Telemetry:pubsub:2:
              policyDescription: Allows access to publish to telemetry topic
              operations:
                - aws.greengrass#PublishToIoTCore
              resources:
                - savicmc/nonprod/telemetry/events
    

    When you configure and deploy the component with a different value for Environment, you can also update the topic in accessControl. For example, you can specify the following configuration merge update to change Environment and the resource topic to prod.

    {
      "Environment": "prod",
      "accessControl": {
        "aws.greengrass.ipc.mqttproxy": {
          "com.savic.Telemetry:pubsub:2": {
            "resources": [
              "savicmc/prod/telemetry/events"
            ]
          }
        }
      }
    }
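As an added example (not code from the question, the answer, or AWS), a small Python check that reproduces the failure mode above: it flags recipe variables left unresolved inside accessControl, applies a configuration merge update, and confirms that the resulting policy actually covers the topic the Lifecycle section will publish to. The sample configuration is constructed from the recipe on this page; the merge semantics and the treatment of "*" as a glob are my assumptions.

```python
import json
import re
from fnmatch import fnmatchcase

# Recipe variables are substituted only in the Lifecycle section; elsewhere they stay literal text.
RECIPE_VAR = re.compile(r"\{(configuration|artifacts|kernel|iot):[^}]*\}")
PUBLISH_OP = "aws.greengrass#PublishToIoTCore"
MQTT_PROXY = "aws.greengrass.ipc.mqttproxy"

# Constructed from the question's recipe: the DefaultConfiguration as originally deployed.
DEFAULT_CONFIG = {
    "Environment": "nonprod",
    "accessControl": {MQTT_PROXY: {"com.savic.Telemetry:pubsub:2": {
        "operations": [PUBLISH_OP],
        "resources": ["savicmc/{configuration:/Environment}/telemetry/events"]}}},
}
# The Setenv value from Lifecycle, where the variable really is substituted.
TOPIC_TEMPLATE = "savicmc/{configuration:/Environment}/telemetry/events"
# The answer's merge update (as corrected JSON) that switches the deployment to prod.
PROD_UPDATE = json.loads("""{"Environment": "prod", "accessControl": {"aws.greengrass.ipc.mqttproxy":
    {"com.savic.Telemetry:pubsub:2": {"resources": ["savicmc/prod/telemetry/events"]}}}}""")


def unresolved_resources(config):
    """Resource strings under accessControl that still carry a recipe variable (a silent policy mismatch)."""
    return [(svc, pid, r)
            for svc, policies in config.get("accessControl", {}).items()
            for pid, policy in policies.items()
            for r in policy.get("resources", []) if RECIPE_VAR.search(r)]


def merge_update(base, update):
    """Assumed Greengrass merge semantics: nested objects merge key by key, any other value is replaced."""
    out = dict(base)
    for k, v in update.items():
        out[k] = merge_update(out[k], v) if isinstance(v, dict) and isinstance(out.get(k), dict) else v
    return out


def resolved_topic(config):
    """Topic the component will actually publish to once Lifecycle substitutes Environment."""
    return TOPIC_TEMPLATE.replace("{configuration:/Environment}", config["Environment"])


def publish_authorized(config, topic):
    """True if some mqttproxy policy grants PublishToIoTCore on topic ('*' treated as a glob; assumption)."""
    for policy in config.get("accessControl", {}).get(MQTT_PROXY, {}).values():
        ops = policy.get("operations", [])
        if (PUBLISH_OP in ops or "*" in ops) and any(fnmatchcase(topic, r) for r in policy.get("resources", [])):
            return True
    return False
```

Run the checks against a recipe before deploying it: an unresolved variable in accessControl, or a resolved topic the policy does not cover, is exactly the case that surfaces later as "Principal ... is not authorized" in greengrass.log.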