Thanks Greg,
I'm not quite sure I understand where the policy variable (iot:Connection.Thing.*) can and can't be used. Can you clarify what a Greengrass data plane operation is?
I am using the following IoT Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:DeleteThingShadow",
      "Resource": [
        "arn:aws:iot:ap-southeast-2:123456778910:thing/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:ap-southeast-2:123456778910:thing/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:GetThingShadow",
      "Resource": [
        "arn:aws:iot:ap-southeast-2:123456778910:thing/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:ap-southeast-2:123456778910:thing/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:UpdateThingShadow",
      "Resource": [
        "arn:aws:iot:ap-southeast-2:123456778910:thing/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:ap-southeast-2:123456778910:thing/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:ListNamedShadowsForThing",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:ap-southeast-2:123456778910:topicfilter/onwatchIot/${iot:Connection.Thing.ThingName}*/clientRequests"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:ap-southeast-2:123456778910:topic/onwatchIot/${iot:Connection.Thing.ThingName}*/clientRequests"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:ap-southeast-2:123456778910:topic/onwatchIot/${iot:Connection.Thing.Attributes[fleetOperator]}/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:AssumeRoleWithCertificate",
      "Resource": "arn:aws:iot:ap-southeast-2:123456778910:rolealias/TokenExchangeRoleAlias"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:ap-southeast-2:123456778910:topic/onwatchIot/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}
I use the Greengrass IPC client to subscribe to and receive on the topic onwatchIot/Dev-plugin/clientRequests.
It works successfully, and I am using the policy variable. Not sure what the difference is?
Hi Phil. Unfortunately the thing policy variables are not currently supported for Greengrass core devices: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#iot-policies
UPDATE: The GG data plane operations are listed here: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#iot-policies. Basically, the Thing name variable doesn't work for those, because GG data plane operations are HTTP requests, and the thing name variable is derived from the MQTT client ID. As stated here: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html.
This policy variable is only available when a device connects over MQTT or MQTT over the WebSocket protocol.
And shadow manager makes HTTP requests to get/update/delete shadows.
Also be careful about the effect of multiple connections as outlined here: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy. That is, the client ID won't match the Thing name on all connections.
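Added example (not code from this thread, and not from AWS or Greengrass): a small Python checker that walks an IoT policy document shaped like the one in the question and flags statements where a `${iot:Connection.Thing.*}` variable is used on an action the core issues over HTTP, which is exactly the case the answer says never resolves. It also rewrites such an ARN into the literal form a core with a known thing name would need. The set of HTTP data-plane actions is an assumption drawn from the answer above (shadow operations and the role alias credential exchange), the account id and sample policy are constructed, and the thing name Dev-plugin is taken from the question.

```python
"""
Lint an AWS IoT policy for thing policy variables attached to actions that a
Greengrass core device issues over HTTP rather than MQTT.

Added example, not code from the thread or from AWS.
"""
import json
import re
from typing import Optional

# Assumption (from the answer above, not an authoritative list): these actions
# are made by Greengrass components over HTTPS (shadow manager, token exchange
# service), so ${iot:Connection.Thing.*} is never populated for them.
HTTP_DATA_PLANE_ACTIONS = {
    "iot:GetThingShadow",
    "iot:UpdateThingShadow",
    "iot:DeleteThingShadow",
    "iot:ListNamedShadowsForThing",
    "iot:AssumeRoleWithCertificate",
}

THING_VAR = re.compile(r"\$\{iot:Connection\.Thing\.[^}]+\}")
ATTR_VAR = re.compile(r"\$\{iot:Connection\.Thing\.Attributes\[(.+?)\]\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_unresolvable_variables(policy_json: str):
    """One finding per (statement, action, resource, variable) where an HTTP
    action's resource ARN depends on a variable that only MQTT connections
    populate; such a statement silently never matches."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in HTTP_DATA_PLANE_ACTIONS:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                for var in THING_VAR.findall(resource):
                    findings.append({"statement": idx, "action": action,
                                     "resource": resource, "variable": var})
    return findings


def concrete_resource(resource: str, thing_name: str,
                      attributes: Optional[dict] = None) -> str:
    """Rewrite a variable-bearing ARN into the literal ARN the core needs.
    Raises ValueError for a variable that cannot be resolved from the inputs."""
    attributes = attributes or {}

    def substitute(match):
        var = match.group(0)
        if var == "${iot:Connection.Thing.ThingName}":
            return thing_name
        attr = ATTR_VAR.fullmatch(var)
        if attr and attr.group(1) in attributes:
            return attributes[attr.group(1)]
        raise ValueError(f"cannot resolve {var} for thing {thing_name}")

    return THING_VAR.sub(substitute, resource)


# Constructed sample: a trimmed policy in the shape of the one in the question,
# with a placeholder account id (123456789012).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:UpdateThingShadow",
         "Resource": [
             "arn:aws:iot:ap-southeast-2:123456789012:thing/${iot:Connection.Thing.ThingName}",
             "arn:aws:iot:ap-southeast-2:123456789012:thing/${iot:Connection.Thing.ThingName}/*"]},
        {"Effect": "Allow", "Action": "iot:Subscribe",  # MQTT: variable is fine here
         "Resource": "arn:aws:iot:ap-southeast-2:123456789012:topicfilter/onwatchIot/${iot:Connection.Thing.ThingName}/clientRequests"},
        {"Effect": "Allow", "Action": "iot:AssumeRoleWithCertificate",
         "Resource": "arn:aws:iot:ap-southeast-2:123456789012:rolealias/TokenExchangeRoleAlias"},
    ],
})

if __name__ == "__main__":
    for f in find_unresolvable_variables(SAMPLE_POLICY):
        fixed = concrete_resource(f["resource"], "Dev-plugin")
        print(f"statement {f['statement']} {f['action']}: {f['variable']} "
              f"will not resolve over HTTP; use {fixed}")
```

Running it on the sample reports both UpdateThingShadow resources and leaves the MQTT Subscribe statement alone, which mirrors the behaviour in the question: the IPC subscribe works because it rides on the MQTT connection, while the shadow calls go over HTTP and need literal thing ARNs (or a separate policy per core) instead of the variable.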