amazon-web-servicesaws-iotaws-iot-coreaws-iot-greengrass

AWS Greengrass V2 Fleet Provisioning thing policy problem


i currently want to setup a GreengrassV2 fleet provisioning (on an EC2 Instance where needed ports are open). I've build the certificate and the thing/core device gets provisioned.

I want to make this Production Ready so i've used the minimal greengrass core iot policy: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy

here is my policy:

{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*",
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

The issue is i can not get the deployment for the thing group. The greengrass Core device always disconnects Log Message:

[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]

if i now allow subscribe to the resource:

"arn:aws:iot:eu-central-1:123123123123:*"

it works - however this is not what i want for production. i think it hast to do with the topicfilter/$aws resources but i can not figure out what the issue is.

After this i can also subscribe to the topic data/TestCustomerCoreDevice/test

Does somebody know how to resolve this issue?

thanks in advance!


Solution

  • as Kris wrote

    I have the same problem and found out that policy variables - like ${iot:Connection.Thing.ThingName} do not work with Greengrass Core devices: docs.aws.amazon.com/greengrass/v2/developerguide/… This would mean Greengrass fleet provisioning and the policy being used can only have * wildcards and cannot be scoped down with variables giving every device access to all resources.