According to this documentation, we can use variables, but it seems like only "within lifecycle definitions in component recipes". Is there any undocumented way of using variables in the accessControl statements? Specifically I'm trying to add the following accessControl statements:
    DefaultConfiguration:
      accessControl:
        aws.greengrass.ipc.mqttproxy:
          "{COMPONENT_NAME}:mqttproxy:1":
            policyDescription: Allows subscribing to command messages from aws-iot-core
            operations:
              - "aws.greengrass#SubscribeToIoTCore"
            resources:
              - "iot/cache/#"
              - "iot/gateways/{iot:thingName}/command/+"
              - "iot/gateways/{iot:thingName}/status/+"
          "{COMPONENT_NAME}:mqttproxy:2":
            policyDescription: Allows publishing update messages to aws-iot-core
            operations:
              - "aws.greengrass#PublishToIoTCore"
            resources:
              - "iot/things/+/message"
... but I get awsiot.greengrasscoreipc.model.UnauthorizedError when subscribing to iot/gateways/my-actual-core-name/command/+ and iot/gateways/my-actual-core-name/status/+.
I have found through trial and error that the following resource statements allow me to do what I want, but they're somewhat "overly permissive":
    resources:
      - "iot/cache/#"
      - "iot/gateways/+/command/+"
      - "iot/gateways/+/status/+"
Then I can actually subscribe to iot/gateways/my-actual-core-name/command/+ and iot/gateways/my-actual-core-name/status/+. That's a little counter-intuitive to me because they're not explicitly the same topic pattern (I would expect to only be allowed to subscribe to iot/gateways/+/command/+ exactly). It's an okay workaround for now, but I was hoping I could do better and prevent a given gateway from subscribing to iot/gateways/arbitrary-words/command/+
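
The behaviour described in the question, modelled as an added example (not code from the post or from AWS): it assumes accessControl resources are compared as MQTT topic filters and that `{iot:thingName}` is left unexpanded there. `filter_covers`, `is_authorized` and `render_resources` are hypothetical names, and the per-device substitution is assumed to run in deployment tooling before the configuration is submitted.

```python
# Added illustration, not AWS code. Assumptions: accessControl resources are
# compared as MQTT topic filters, and "{iot:thingName}" is not expanded there,
# so it is treated as an ordinary literal topic level.
PLACEHOLDER = "{iot:thingName}"

def filter_covers(policy: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `policy`."""
    p_levels, r_levels = policy.split("/"), requested.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True            # multi-level wildcard covers everything below
        if i >= len(r_levels) or r_levels[i] == "#":
            return False           # request is shorter or broader than the policy
        if p != "+" and p != r_levels[i]:
            return False           # literal level must match exactly
    return len(p_levels) == len(r_levels)

def is_authorized(resources, requested: str) -> bool:
    """A request is allowed if any one policy resource covers it."""
    return any(filter_covers(r, requested) for r in resources)

def render_resources(templates, thing_name: str):
    """Hypothetical deploy-time step: pin the placeholder to one thing name."""
    if not thing_name or any(c in thing_name for c in "/+#"):
        raise ValueError("thing name must be a single literal topic level")
    return [t.replace(PLACEHOLDER, thing_name) for t in templates]

# Resource lists copied from the question.
AS_POSTED = [
    "iot/cache/#",
    "iot/gateways/{iot:thingName}/command/+",
    "iot/gateways/{iot:thingName}/status/+",
]
WORKAROUND = ["iot/cache/#", "iot/gateways/+/command/+", "iot/gateways/+/status/+"]

if __name__ == "__main__":
    own = "iot/gateways/my-actual-core-name/command/+"
    other = "iot/gateways/arbitrary-words/command/+"
    pinned = render_resources(AS_POSTED, "my-actual-core-name")
    for name, res in [("as posted", AS_POSTED), ("workaround", WORKAROUND),
                      ("pinned", pinned)]:
        print(f"{name:10} own={is_authorized(res, own)} "
              f"other={is_authorized(res, other)}")
```
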