IoT Core Policy - Get/UpdateThingShadow with named shadow leading to 403 errors when using aws.greengrass.ShadowManager.

Question

Hi,

I have a Greengrass core device registered with IoT Core (Thing name: M111234). This device is running a custom Greengrass component that makes use of `aws.greengrass.ShadowManager` to read/update a custom named shadow called 'MyCustomShadow'.

I believe I have setup our IoT Core policy correctly to allow ShadowManager access to sync this named shadow, but when testing, I get 403 status errors in the ShadowManager logs, which I'm interpreting as the device not being authorised to work with the named shadow ('classic' shadow seems unaffected).

I'd be very grateful if someone could provide an example IoT Core policy below that would ensure this device can Get/Update this named shadow? I know SM uses both MQTT and HTTP to work with shadows, and this has led me to become a bit confused about what the minimum policy rules should be to support these actions?

Answer

Hello,

The required policies are listed in the documentation for shadow manager: https://docs.aws.amazon.com/greengrass/v2/developerguide/shadow-manager-component.html#:~:text=(Optional)%20To%20sync%20shadows%20to%20the%20AWS%20IoT%20Device%20Shadow%20service%2C%20the%20Greengrass%20core%20device%27s%20AWS%20IoT%20policy%20must%20allow%20the%20following%20AWS%20IoT%20Core%20shadow%20policy%20actions%3A.

If you want help with a specific policy, please share the policy you're using and the error you see.

Cheers,
Michael

IoT Core Policy - Get/UpdateThingShadow with named shadow leading to 403 errors when using aws.greengrass.ShadowManager.

Relevanter Inhalt