I currently want to set up GreengrassV2 fleet provisioning (on an EC2 instance where the needed ports are open). I've built the certificate and the thing/core device gets provisioned.
I want to make this production ready, so I've used the minimal Greengrass core IoT policy: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy
Here is my policy:
{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}
The issue is that I cannot get the deployment for the thing group. The Greengrass core device always disconnects. Log message:
[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]
If I now allow subscribe to the resource:
"arn:aws:iot:eu-central-1:123123123123:*"
it works; however, this is not what I want for production. I think it has to do with the topicfilter/$aws resources, but I cannot figure out what the issue is.
After this I can also subscribe to the topic data/TestCustomerCoreDevice/test
Does somebody know how to resolve this issue?
Thanks in advance!
As Kris wrote
I have the same problem and found out that policy variables, like ${iot:Connection.Thing.ThingName}, do not work with Greengrass Core devices: docs.aws.amazon.com/greengrass/v2/developerguide/… This would mean Greengrass fleet provisioning and the policy being used can only have * wildcards and cannot be scoped down with variables, giving every device access to all resources.
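An added check, not code from the question or the comment above: it models IoT policy resource matching (`*` matches any run of characters, `$aws` is literal) against the Subscribe statement and the jobs topic from the DEBUG log line, once with the thing name substituted into the policy variable and once with the variable left as literal text (an assumption used only to show what the device is left with if the variable is never resolved), plus a small lint that lists every Resource depending on a `${iot:Connection.Thing.*}` variable so such statements can be reviewed before rollout to a core device.

```python
import re

# Constructed from the question: account/region prefix, the policy variable,
# the thing name and the topic the core device tried to subscribe to.
ACCOUNT_PREFIX = "arn:aws:iot:eu-central-1:123123123123:"
POLICY_VAR = "${iot:Connection.Thing.ThingName}"
THING_NAME = "TestCustomerCoreDevice"
SUBSCRIBE_RESOURCES = [
    ACCOUNT_PREFIX + "topicfilter/$aws/things/" + POLICY_VAR + "*/jobs/*",
    ACCOUNT_PREFIX + "topicfilter/$aws/things/" + POLICY_VAR + "*/shadow/*",
]
LOGGED_TOPIC = ("$aws/things/TestCustomerCoreDevice/jobs/"
                "12312397-1d2d-1d2d-1d2d-01de629ddcf2/"
                "namespace-aws-gg-deployment/update/rejected")


def arn_matches(pattern, arn):
    """IoT policy resource matching: '*' matches any run of characters
    ('/' included); everything else, $aws too, is compared literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def subscribe_allowed(resources, topic, thing_name=None):
    """True if some topicfilter resource covers `topic`.
    thing_name set: the variable is replaced first (the substitution the
    policy in the question relies on). thing_name None: the variable stays
    literal text (assumption: models a variable that is never resolved)."""
    target = ACCOUNT_PREFIX + "topicfilter/" + topic
    for res in resources:
        if thing_name is not None:
            res = res.replace(POLICY_VAR, thing_name)
        if arn_matches(res, target):
            return True
    return False


def resources_using_thing_variables(policy):
    """Lint: every Resource that depends on a ${iot:Connection.Thing.*}
    variable, which the comment above reports as not working on core devices."""
    hits = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for r in res if isinstance(res, list) else [res]:
            if "${iot:Connection.Thing." in r:
                hits.append(r)
    return hits
```

With the thing name substituted the jobs topic is covered, so the topicfilter patterns themselves are not the problem; with the variable unresolved nothing but the account-wide `*` resource covers it.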