Confused about permissions in IoT Core/Pub-Sub/Shadows, Greengrass, IAM roles, service roles and IPC.


I have a few questions here as I am very confused. There seem to be quite a few areas where permissions need to be set up. I have a deployment that uses Auth, Bridge, ShadowManager and a custom component. The custom component can publish, but I am having issues reading a shadow. There are also entities like IAM roles and policies in addition to something called a service role and something referred to as IPC, or Inter-Process Communication.

I have an issue here that I am trying to resolve but find myself confused about what I am setting where when I am setting permissions.

Is there someone who has the time and kindness to write an easy-to-understand, plain-language tutorial or summary of what all these permission configurations are? Hopefully it would be clearer.

1 answer

Accepted answer

There are several different policies and it can be tough to understand what goes where, but understanding the various resource types and their scope can help.

Greengrass components access resources through IPC. IPC resources are local to the Greengrass device. The "principal" accessing those resources is the component itself. You can give components the necessary permissions in the component configuration.

Some IPC resources map to resources which exist in AWS IoT (e.g. Shadows, MQTT topics). The Greengrass core device is the "principal" which accesses those resources. For those, you need to give Greengrass permission in the IoT Policy which is attached to the Greengrass core certificate. You would configure the IoT Policy for anything your component accesses using the IoT Device SDK.

Other times IPC resources map to resources in other parts of AWS (e.g. secrets stored in Secrets Manager). To access those, you would typically need IAM credentials. Greengrass can get IAM credentials using the role alias. You would also configure this policy for anything your component accesses using the regular AWS SDK.

And finally, you can also connect external client devices to Greengrass. You can configure the Client Devices Auth component in order to define the permissions that client devices have when connecting to the local MQTT broker.

You don't need to worry about the service role, for the most part. That gets used by the Greengrass cloud service in a few scenarios when using client devices. You can set it up once (if using client devices) and then forget it exists.

AWS
answered 2 years ago
Expert
reviewed 9 months ago
  • Thanks @JoeAtAWS. That is very clear.
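The following two documents are an added example, not code from the question or the answer above, showing where each of the answer's layers is configured for the asker's scenario (a custom component that reads the core device's shadow through ShadowManager and publishes to IoT Core). The component name `com.example.ShadowReader`, thing name `MyCoreThing`, named shadow `status`, topic `devices/MyCoreThing/telemetry`, account `123456789012`, region `us-east-1` and the role alias name are placeholders assumed for illustration. The first document is a Greengrass v2 component recipe whose `accessControl` block is the IPC authorization policy (principal: the component, resources: local shadow documents and proxied MQTT topics). The second is the AWS IoT policy attached to the core device's certificate (principal: the core device, resources: cloud shadows, cloud topics and the role alias that issues IAM credentials).

```yaml
# File 1: component recipe (recipe.yaml). All names below are placeholders.
RecipeFormatVersion: "2020-01-25"
ComponentName: com.example.ShadowReader
ComponentVersion: "1.0.0"
ComponentDescription: Reads the core thing's shadow via IPC and publishes telemetry to IoT Core.
ComponentPublisher: Example
ComponentDependencies:
  aws.greengrass.ShadowManager:
    VersionRequirement: ">=2.0.0"
    DependencyType: HARD
ComponentConfiguration:
  DefaultConfiguration:
    accessControl:
      # Layer 1 (local IPC): ShadowManager serves local shadow documents.
      # Without this entry, GetThingShadow over IPC fails with UnauthorizedError.
      aws.greengrass.ShadowManager:
        com.example.ShadowReader:shadow:1:
          policyDescription: Allow this component to read and update the core thing's shadows
          operations:
            - aws.greengrass#GetThingShadow
            - aws.greengrass#UpdateThingShadow
          resources:
            - $aws/things/MyCoreThing/shadow
            - $aws/things/MyCoreThing/shadow/name/status
      # Layer 1 (local IPC): the MQTT proxy relays messages to AWS IoT Core,
      # so this only authorizes the component to ask the core to publish.
      aws.greengrass.ipc.mqttproxy:
        com.example.ShadowReader:mqttproxy:1:
          policyDescription: Allow this component to publish telemetry to AWS IoT Core
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - devices/MyCoreThing/telemetry
Manifests:
  - Platform:
      os: linux
    Lifecycle:
      Run: python3 -u {artifacts:path}/shadow_reader.py
---
# File 2: AWS IoT policy for the core device's certificate (JSON; shown here in the same fence).
# Layer 2 (cloud): the core device, not the component, is the principal. Placeholders as above.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/MyCoreThing*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish"],
      "Resource": [
        "arn:aws:iot:us-east-1:123456789012:topic/devices/MyCoreThing/telemetry",
        "arn:aws:iot:us-east-1:123456789012:topic/$aws/things/MyCoreThing/shadow/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/$aws/things/MyCoreThing/shadow/*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Receive"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/$aws/things/MyCoreThing/shadow/*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:thing/MyCoreThing"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:AssumeRoleWithCertificate"],
      "Resource": "arn:aws:iot:us-east-1:123456789012:rolealias/GreengrassV2TokenExchangeRoleAlias"
    }
  ]
}
```

The IPC `GetThingShadow` call is answered locally by ShadowManager, so for a component that cannot read a shadow the first place to check is the `accessControl` entry under `aws.greengrass.ShadowManager` (resource strings must match the classic or named shadow exactly, or use `*`), and the component log for `UnauthorizedError`; the `DefaultConfiguration` can also be overridden by a configuration merge in the deployment, which is a second place a missing entry can hide. The IoT policy only comes into play when ShadowManager is configured to synchronize shadows with the cloud or when the component publishes through the MQTT proxy. The last statement is the third layer from the answer: it lets the core exchange its certificate for IAM credentials through the role alias, and the IAM policy on the role behind that alias (not shown here) is what governs access to non-IoT services such as Secrets Manager.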
