How to automate the creation of Greengrass Core Device Shadow with fleet provisioning?

0

Hi all, So I have managed to create a fleet provisioning template which I use to register Greengrass Core V2 devices, and it works fine with the only exception that it does not create the Greengrass core device if a shadow does not exist before that. I get this error in the CloudWatch logs:

"details": "No shadow exists with name: 'MyGreengrassCore2'

Then I manually add the device shadow and then everything works fine, but creating the shadow manually is not desired. I checked different places in the AWS documentation but I did not find how to add device shadow creation as part of the fleet provisioning template. Is that possible? If yes, how to do that?

Thanks in advance.

EDIT: Added some more context - CloudWatch logs, IoT Policy

CloudWatch Logs:

{
    "timestamp": "2021-12-18 19:56:06.050",
    "logLevel": "ERROR",
    "traceId": "a4003747-a168-1956-ab44",
    "accountId": "account_id",
    "status": "Failure",
    "eventType": "GetThingShadow",
    "protocol": "MQTT",
    "deviceShadowName": "Prefix_MyGreengrassCore2",
    "topicName": "$aws/things/Prefix_MyGreengrassCore2/shadow/name/AWSManagedGreengrassV2Deployment/get",
    "details": "No shadow exists with name: 'Prefix_MyGreengrassCore2~AWSManagedGreengrassV2Deployment'"
}

IoT Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect",
        "greengrass:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": "arn:aws:iot:region:accoun_id:rolealias/GGCV2TokenExchangeRoleAlias"
    }
  ]
}
asked 2 years ago · 509 views
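
A triage sketch for the two failure types that appear in this thread's logs (the missing named shadow above and the denied MQTT connect in a later comment), added here as an example and not code from the posters or AWS. The sample records are constructed from the field names shown in the quoted logs, and the `thing~shadow` form of `details` is assumed from the log entry above.

```python
import json
import re
from collections import defaultdict

# Constructed sample records, modelled on the log entries quoted in this thread.
SAMPLE_LOGS = [
    '{"logLevel": "ERROR", "status": "Failure", "eventType": "GetThingShadow", '
    '"topicName": "$aws/things/Example_Core1/shadow/name/AWSManagedGreengrassV2Deployment/get", '
    '"details": "No shadow exists with name: \'Example_Core1~AWSManagedGreengrassV2Deployment\'"}',
    '{"logLevel": "ERROR", "status": "Failure", "eventType": "Connect", '
    '"clientId": "example-client", "principalId": "EXAMPLE_PRINCIPAL", '
    '"reason": "AUTHORIZATION_FAILURE", "details": "Authorization Failure"}',
    '{"logLevel": "INFO", "status": "Success", "eventType": "Connect", "clientId": "Example_Core1"}',
    'not json at all',
]

# Assumed format: 'thingName' for a classic shadow, 'thingName~shadowName' for a named one.
MISSING_SHADOW = re.compile(r"No shadow exists with name: '([^'~]+)(?:~([^']+))?'")


def classify(record):
    """Return (category, subject) for a failed record, or None for anything else."""
    if record.get("status") != "Failure":
        return None
    event = record.get("eventType")
    if event == "GetThingShadow":
        match = MISSING_SHADOW.search(record.get("details", ""))
        if match:
            shadow = match.group(2) or "(classic)"
            return ("missing_shadow", f"{match.group(1)}/{shadow}")
    if event == "Connect" and record.get("reason") == "AUTHORIZATION_FAILURE":
        # A denied connect points at the certificate or IoT policy, not at shadows.
        return ("connect_denied", record.get("clientId", "?"))
    return ("other_failure", str(event))


def triage(lines):
    """Group failures by category; count lines that are not JSON objects."""
    findings, skipped = defaultdict(list), 0
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None
        if not isinstance(record, dict):
            skipped += 1
            continue
        result = classify(record)
        if result:
            findings[result[0]].append(result[1])
    return dict(findings), skipped
```
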
3 Answers
1

Hello again,

I looked into the issue and it seems that device shadow is not the root cause.

FleetStatusService (FSS) is responsible for creating a new core device in cloud. If fleet provisioning is not finished when FSS starts, FSS goes offline during fleet provisioning and is not notified to restart, which fails to create a greengrass core in cloud and leads to the shadow error message you see in cloudwatch.

It is a recently discovered bug of FSS and we are working on a fix. In the meantime, you shouldn't have needed to create the shadow topic manually. Restarting the Greengrass nucleus alone after provisioning will restart FSS and create a Greengrass core in the cloud, which is what happens when you run the Greengrass core software installation again, as you mentioned.

Could you confirm that restarting the nucleus alone can fix your issue? If yes, then it's this known issue we are fixing right now.

Let me know if you have any other questions.

Junfu

AWS
answered 2 years ago
  • Hey, Thank you again. Sadly, for some reason I cannot reach the AWS IoT section of the AWS management console. I get a black half circle on the screen and nothing is accessible, thus I cannot test and confirm what you said. It is very weird that I have this and it is only for IoT; all other AWS services are accessible. Do you have any idea why that is?

  • Do you see any JavaScript errors in your browser console? If so, could you paste the errors here and also a screenshot of the page? If not, then it might be a server-side rendering issue, but highly unlikely.

  • Hey, Just managed to fix that issue and now tried what you advised me to but I got an authorization failure error without literally changing anything. Very strange. Do you have any idea why that would be?

    {
        "timestamp": "2021-12-21 20:59:22.486",
        "logLevel": "ERROR",
        "traceId": "0cdb55f5-2d44-7057-e224-a28735791",
        "accountId": "accound_id",
        "status": "Failure",
        "eventType": "Connect",
        "protocol": "MQTT",
        "clientId": "b99f2af6-4195-4145-86c4-",
        "principalId": "d4ef80aa40cbed0388db1b682198e9879fd009b8f89cf2037a9853fe",
        "sourceIp": "80.57.107.22",
        "sourcePort": 52891,
        "reason": "AUTHORIZATION_FAILURE",
        "details": "Authorization Failure"
    }

  • I just ran the command for installing greengrass just like I did before but instead of the Device Shadow error I got this one now.

1

Hello,

By default, fleet provisioning does not require creating the shadow manually; classic shadows are created automatically. Could you share with me your configuration of IoT policy and shadow manager to help me reproduce your issue?

You mentioned that you found this error in the CloudWatch log. Could you also share which service is logging this error and some context around this log?

Thanks,

Junfu

AWS
answered 2 years ago
  • Hey, Thanks for reaching out. I updated the question with the logs and the IoT Policy.

    I have no shadow manager in use. I just install the Greengrass core software on the edge device and then supposedly I need to get the Greengrass core device in the console management but I do not. Instead, the core device is created as a thing and I need to go there and manually create a named device shadow with the name of the thing, then run the Greengrass core software installation again and that would create the Greengrass core thing and show it in the AWS console management. I hope that gives you more details.

0

You can set up an IoT topic rule that listens to thing events and executes a Lambda function when a thing is created.

Here's an example CloudFormation template with the IoT rule and Lambda function.

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  ThingEventRule:
    Type: AWS::IoT::TopicRule
    Properties:
      RuleName: !Sub "ThingEvent"
      TopicRulePayload:
        RuleDisabled: false
        Sql: SELECT * FROM '$aws/events/thing/#'
        Actions:
          - Lambda:
              FunctionArn: !GetAtt ProvisioningFunction.Arn
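  ProvisioningFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-provisioning"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      # The function calls UpdateThingShadow, which the basic execution role does not grant
      Policies:
        - PolicyName: update-thing-shadow
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: iot:UpdateThingShadow
                Resource: !Sub "arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:thing/*"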
  ProvisioningFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-provisioning"
      Role: !GetAtt ProvisioningFunctionRole.Arn
      Timeout: 5
      Handler: index.handler
      Runtime: python3.9
      MemorySize: 512
      CodeUri: ./thing-event-function
  ProvisioningFunctionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt ProvisioningFunction.Arn
      Action: lambda:InvokeFunction
      Principal: iot.amazonaws.com
      SourceAccount: !Ref AWS::AccountId
      SourceArn: !GetAtt ThingEventRule.Arn

Here's the code for the Lambda function.

import boto3
import json
import logging

# The root logger defaults to WARNING; lower it so the info line below is emitted
logger = logging.getLogger()
logger.setLevel(logging.INFO)

iotdata = boto3.client('iot-data')


def handler(event, context):
    # Thing events carry an 'operation' field; only act when a thing is created
    if event.get('operation') != 'CREATED':
        logger.warning('Ignoring non CREATED event')
        return

    # Add your properties here
    properties = {}

    # And finally update the thing's shadow
    iotdata.update_thing_shadow(
        thingName=event['thingName'],
        payload=json.dumps({'state': {'desired': properties}})
    )
    logger.info("Wrote shadow to thing")

Make sure to enable thing events in your AWS account as documented here https://docs.aws.amazon.com/iot/latest/developerguide/iot-events.html#iot-events-enable

answered 2 years ago
