Is there a way to authorize GGv2 core devices to interact with AWS services at the Thing Group level ?

I understand how attaching policies to the GreengrassV2TokenExchangeRole enables code running on your GG core devices to access AWS services by using the device cert to obtain temporary credentials. The token exchange role is associated with the device in that case. Is there a way to do something similar at the group level so that putting a device in a thing group would give it permission to access particular AWS services and resources ?

Sujets

Internet des objets (IoT)

Balises

AWS IoT Greengrass AWS IoT Core

Langue

English

williamrmay

demandé il y a 2 ans318 vues

1 réponse

Le plus récent
Le plus de votes
La plupart des commentaires

Réponse acceptée

Hello,

I'm sorry to say that no, there is no way to assign a role for Greengrass to use at a Thing Group level. The individual things will all need their own permission to assume the role. The permission to assume the role could be stored in one IoT Policy which is then attached to each Thing's certificate; that way at least you don't need to duplicate policies.

EXPERT

MichaelDombrowski-AWS

répondu il y a 2 ans

williamrmay
il y a 2 ans
Thank you. I guess one could emulate this by having one token exchange role per group and specifying the "group role" during the device install.
MichaelDombrowski-AWS EXPERT
il y a 2 ans
Yes, if you have thing groups with unique access requirements, then you can have different roles for each. Note that you are limited to 100 IoT Role Aliases per region, so you can only do that with 100 groups.

Contenus pertinents

[ACTION REQUIRED] Update your TLS connections to 1.2 : quelles applications sont concernées ?
rePost-User-7550145
demandé il y a un an
account is currently blocked and not recognized as a valid account
Yves Boah
demandé il y a un an
elastic disaster recovery - Authenticate with service
Réponse acceptée
rePost-User-5960561
demandé il y a un an
My account is not recognized
juan ortega
demandé il y a un an
Comment corriger l’erreur « No "Access-Control-Allow-Origin" header is present on the requested resource » provenant de CloudFront ?
AWS OFFICIELA mis à jour il y a 2 ans
Comment résoudre l'erreur « CloudFront wasn't able to connect to the origin » (« CloudFront n'a pas pu se connecter à l'origine ») ?
AWS OFFICIELA mis à jour il y a 2 ans
Pourquoi mon pipeline de génération d'image échoue-t-il avec l'erreur « Step timed out while step is verifying the Systems Manager Agent availability on the target instance(s) » dans Image Builder ?
AWS OFFICIELA mis à jour il y a 2 ans
Comment résoudre l'erreur AWS Glue « The specified subnet does not have enough free addresses to satisfy the request » (Le sous-réseau spécifié ne dispose pas de suffisamment d'adresses libres pour répondre à la requête) ?
AWS OFFICIELA mis à jour il y a 2 ans