Greengrass subscribe to wildcard topic - authorization failure


We are attempting to subscribe to a wildcard topic: test/things/+/topic

Our accessControl has the following policy:

"accessControl": {
  "aws.greengrass.ipc.pubsub": {
    "com.component.test:pubsub:1": {
      "policyDescription": "test policy",
      "operations": [
        "aws.greengrass#SubscribeToTopic"
      ],
      "resources": [
        "test/things/+/topic"
      ]
    }
  }
}

But we're getting the following error saying the component is not authorized to subscribe to that topic:

2023-10-27T21:54:49.498Z [INFO] (Copier) com.component.test: stdout. {'time':'2023-10-27 14:54:49,498', 'name': 'awsiot.eventstreamrpc', 'level': '20', 'msg': '<awsiot.greengrasscoreipc.client.SubscribeToTopicOperation object at 0x0000021FE84FDEA0> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Principal com.component.test is not authorized to perform aws.greengrass.ipc.pubsub:aws.greengrass#SubscribeToTopic on resource test/things/+/topic","_service":"aws.greengrass#GreengrassCoreIPC","_message":"*Principal com.component.test is not authorized to perform aws.greengrass.ipc.pubsub:aws.greengrass#SubscribeToTopic on resource test/things/+/topic*","_errorCode":"UnauthorizedError"}''}. {scriptName=services.com.component.test.lifecycle.Run.Script, serviceName=com.component.test, currentState=RUNNING}

This code works when we don't use wildcards.

Using Nucleus 2.11.2 and awsiotsdk==1.11.9, which supports wildcards per https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-publish-subscribe.html

Asked 7 months ago, 209 views
1 answer
Accepted answer

Hello,

Please make sure the access control is properly formed. What you posted excludes the service which must be aws.greengrass.ipc.pubsub. See the examples provided in https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-publish-subscribe.html#ipc-publish-subscribe-authorization.

Ex:

"aws.greengrass.ipc.pubsub": {
  "com.component.test:pubsub:1": {
    "policyDescription": "test policy",
    "operations": [
      "aws.greengrass#SubscribeToTopic"
    ],
    "resources": [
      "test/things/+/topic"
    ]
  }
}

If you are changing the default configuration in your component, then make sure that you deploy the new default configuration values by using reset: [""] in the deployment configuration update.

Also ensure that the policy name is unique within the device.

Cheers,

Michael

AWS Expert
Answered 7 months ago
Greg_B, AWS Expert
Reviewed 7 months ago
  • I excluded the top level part of the object, let me update. It includes what you mentioned above. The policy name is unique. Again, everything works when we don't use wildcards.

  • Using the greengrass local CLI or local debug console, please look at the active configuration for this component and post it.

  • I was just able to verify myself using Nucleus 2.11.3 (which has no changes relevant to this compared to 2.11.2). I am able to subscribe to test/things/+/topic when authorized only for subscribe to topic with test/things/+/topic as the resource.

  • Yep, the active configuration was not updated correctly. IoT Core showed the correct default settings, but when we looked at the local config via the CLI it was showing the old version. This appears to be a problem in our deployment pipeline.

    Thank you for your help! Marking as resolved.
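As an added example (not code from this thread or from AWS), a Python check that compares the accessControl block you intend to deploy against the configuration actually active on the device, which is the mismatch that caused the UnauthorizedError above, and mirrors the IPC authorization decision for a requested topic filter. The stale configuration is constructed, and the resource matching (`*` as a wildcard, `+`/`#` compared literally) is an assumed simplification of the Nucleus check.

```python
import re

# Constructed sample: the accessControl block from the question, i.e. what the
# deployment is meant to install on the device.
EXPECTED_CONFIG = {"accessControl": {"aws.greengrass.ipc.pubsub": {
    "com.component.test:pubsub:1": {
        "policyDescription": "test policy",
        "operations": ["aws.greengrass#SubscribeToTopic"],
        "resources": ["test/things/+/topic"]}}}}

# Constructed sample: a stale active configuration of the kind the local CLI
# showed when the new default configuration had not been applied.
STALE_ACTIVE_CONFIG = {"accessControl": {"aws.greengrass.ipc.pubsub": {
    "com.component.test:pubsub:1": {
        "policyDescription": "test policy",
        "operations": ["aws.greengrass#SubscribeToTopic"],
        "resources": ["test/things/device1/topic"]}}}}

def _resource_matches(policy_resource: str, requested: str) -> bool:
    # Assumed simplification: "*" in a policy resource matches any run of
    # characters; MQTT "+" and "#" are compared literally, so the policy
    # resource "test/things/+/topic" authorizes exactly that subscription filter.
    pattern = ".*".join(re.escape(part) for part in policy_resource.split("*"))
    return re.fullmatch(pattern, requested) is not None

def is_authorized(config: dict, service: str, operation: str, resource: str) -> bool:
    """True if some policy under `service` lists both the operation and a
    matching resource; otherwise the IPC server answers with UnauthorizedError."""
    for policy in config.get("accessControl", {}).get(service, {}).values():
        if operation in policy.get("operations", []) and any(
                _resource_matches(r, resource) for r in policy.get("resources", [])):
            return True
    return False

def policy_gaps(expected: dict, active: dict) -> list:
    """List policies, operations and resources present in the intended config
    but absent from the configuration actually active on the device."""
    gaps = []
    for service, policies in expected.get("accessControl", {}).items():
        live_policies = active.get("accessControl", {}).get(service, {})
        for name, policy in policies.items():
            live = live_policies.get(name)
            if live is None:
                gaps.append(f"{service}: policy {name} missing from active config")
                continue
            for key in ("operations", "resources"):
                for item in policy.get(key, []):
                    if item not in live.get(key, []):
                        gaps.append(f"{service}/{name}: {key[:-1]} {item} not in active config")
    return gaps
```

Feed `policy_gaps` the component's effective configuration as shown by the local CLI or debug console; an empty list means the device really has the policy you deployed.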
