Permissions needed to get a shadow from IoT Core from a Greengrass core device

0

I am trying to get a shadow named cycle_topic from an AWS IoT thing definition. The permissions/configurations are what are tripping me up. It seems to me that I have the correct permission in ShadowManager for the SliceOfPi thing to get count_topic. I believe this is a permission issue. What is wrong with my config?

I have the following configs for the following components:

Configure aws.greengrass.clientdevices.mqtt.Bridge:

{
  "reset": [],
  "merge": {
    "mqttTopicMapping": {
      "HelloWorldIotCoreMapping": {
        "topic": "#",
        "source": "Pubsub",
        "target": "IotCore"
      },
      "ShadowsPubsubToLocalMqtt": {
        "topic": "$aws/things/+/shadow/#",
        "source": "Pubsub",
        "target": "LocalMqtt"
      }
    }
  }
}

Configure aws.greengrass.clientdevices.Auth:

{
  "reset": [],
  "merge": {
    "deviceGroups": {
      "formatVersion": "2021-03-05",
      "definitions": {
        "MyPermissiveDeviceGroup": {
          "selectionRule": "thingName: *",
          "policyName": "MyPermissivePolicy"
        }
      },
      "policies": {
        "MyPermissivePolicy": {
          "AllowAll": {
            "statementDescription": "Allow client devices to perform all actions.",
            "operations": [
              "*"
            ],
            "resources": [
              "*"
            ]
          }
        }
      }
    }
  }
}

aws.greengrass.ShadowManager:

{
  "reset": [],
  "merge": {
    "strategy": {
      "type": "realTime"
    },
    "synchronize": {
      "coreThing": {
        "classic": true,
        "namedShadows": [
          "count_topic"
        ]
      },
      "shadowDocuments": [
        {
          "thingName": "SliceOfPi",
          "classic": true,
          "namedShadows": [
            "count_topic"
          ]
        }
      ],
      "direction": "cloudToDevice"
    }
  }
}

The error I am getting in greengrass.log is:

2022-09-20T21:51:46.237Z [WARN] (Thread-4) com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic}
com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
    at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:247)
    at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:255)
    at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:73)
    at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:56)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.lambda$handleRequest$0(GetThingShadowRequestHandler.java:87)
    at com.aws.greengrass.ipc.common.ExceptionUtil.translateExceptions(ExceptionUtil.java:33)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.handleRequest(GetThingShadowRequestHandler.java:75)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:82)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:28)
    at software.amazon.awssdk.eventstreamrpc.OperationContinuationHandler.onContinuationMessage(OperationContinuationHandler.java:291)
    at software.amazon.awssdk.crt.eventstream.ServerConnectionContinuationHandler.onContinuationMessageShim(ServerConnectionContinuationHandler.java:53)

flycast, asked 2 years ago, 797 views
4 Answers
2
Accepted Answer

How are you trying to access the shadow? I'm noticing that you are using the MQTT bridge component to bridge from PubSub to IoT Core. Generally you shouldn't need to do that, as components are able to publish directly to IoT Core. The Client Device Auth and MQTT Bridge components are only necessary if you are trying to connect external client devices to Greengrass.

Based on that stack trace, I suspect you are actually trying to access shadow from a component, using the GetThingShadow IPC API. You can see the authorization failure log below:

com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
...

You can fix this by updating the accessControl section for the cycle_count component. https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html#ipc-local-shadow-authorization

AWS
answered 2 years ago
EXPERT
reviewed 21 days ago
  • "I'm noticing that you are using the MQTT bridge component to bridge from PubSub to IoT Core. Generally you shouldn't need to do that, as components are able to publish directly to IoT Core. The Client Device Auth and MQTT Bridge components are only necessary if you are trying to connect external client devices to Greengrass."

    OH MY GOSH!!! So helpful!!! WOW! I thought the bridge and auth was necessary for that based on some AWS tutorials. Thanks a BUNCH for clearing that up.

  • This was super helpful. Part of the key was that I don't need auth, bridge. That simplified things quite a bit and cleared my confusion up. The link referenced was also pointed to by @Joseph Cosentino. The gamechanger was simplifying.

1

There are two sets of permissions needed. The ones you noted (thanks for the detail!) are from a component perspective, but not for how the Nucleus and ShadowManager component interact with AWS IoT.

Most likely the permissions are missing from the Role Alias, or the IoT policy associated with the core device. Please check that the permissions called out here for the Role Alias, specifically AllowGreengrassAccessToShadows, are included. If they are, check the IoT policy.

Please let me know if this addresses your problem or if you have other details.

AWS
Gavin_A
answered 2 years ago
  • Thanks @Gavin_A. I posted an "Answer" because the text was too long for a comment.

0

Too long to make this a comment. My service role currently looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGreengrassAccessToShadows",
            "Action": [
                "iot:DeleteThingShadow",
                "iot:GetThingShadow",
                "iot:UpdateThingShadow"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iot:*:*:thing/GG_*",
                "arn:aws:iot:*:*:thing/*-gcm",
                "arn:aws:iot:*:*:thing/*-gda",
                "arn:aws:iot:*:*:thing/*-gci"
            ]
        },
        {
            "Sid": "AllowGreengrassToDescribeThings",
            "Action": [
                "iot:DescribeThing"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iot:*:*:thing/*"
        },
        {
            "Sid": "AllowGreengrassToDescribeCertificates",
            "Action": [
                "iot:DescribeCertificate"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iot:*:*:cert/*"
        },
        {
            "Sid": "AllowGreengrassToCallGreengrassServices",
            "Action": [
                "greengrass:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowGreengrassToGetLambdaFunctions",
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowGreengrassToGetGreengrassSecrets",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:*:*:secret:greengrass-*"
        },
        {
            "Sid": "AllowGreengrassAccessToS3Objects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*Greengrass*",
                "arn:aws:s3:::*GreenGrass*",
                "arn:aws:s3:::*greengrass*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "AllowGreengrassAccessToS3BucketLocation",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowGreengrassAccessToSageMakerTrainingJobs",
            "Action": [
                "sagemaker:DescribeTrainingJob"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sagemaker:*:*:training-job/*"
            ]
        }
    ]
}

Right at the top it looks like I am allowed shadow access.

flycast
answered 2 years ago
  • The resources for the shadow actions look to be different from the shadow you're trying to get. This is from your logs: $aws/things/SliceOfPi/shadow/name/count_topic,

    but the resource filters are:

        "arn:aws:iot:*:*:thing/GG_*",
        "arn:aws:iot:*:*:thing/*-gcm",
        "arn:aws:iot:*:*:thing/*-gda",
        "arn:aws:iot:*:*:thing/*-gci"

    which don't match. To test, try adding the resource arn:aws:iot:*:*:thing/SliceOfPi and see what the log file shows.
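The thread identifies two separate permission layers: the component's own recipe accessControl that the Nucleus checks on the IPC GetThingShadow call (accepted answer), and the token exchange role behind the role alias that ShadowManager uses to sync with IoT Core (Gavin_A's answer and the comment above). The following is an added example, not code from the thread, from AWS, or from the Greengrass SDK: it parses the AuthorizationException line from the question, evaluates it against a least-privilege accessControl fragment scoped to the single shadow, and evaluates the thing ARN against the posted IAM statement before and after adding the SliceOfPi resource. The policy evaluators are simplified approximations of the Nucleus and IAM wildcard matching (no Condition blocks), the component name is the redacted one from the log, and the region and account in the ARN are placeholders.

```python
"""Offline check of both permission layers for a Greengrass v2 shadow read.
Constructed example; policy fragments are assumptions modelled on the thread."""
import copy
import re

# Authorization failure as logged by the Nucleus (copied from the question's log).
LOG_LINE = (
    "Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform "
    "aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource "
    "$aws/things/SliceOfPi/shadow/name/count_topic"
)
_AUTHZ_RE = re.compile(
    r"Principal (?P<principal>\S+) is not authorized to perform "
    r"(?P<service>[^:\s]+):(?P<operation>\S+) on resource (?P<resource>\S+)"
)


def parse_auth_failure(line):
    """Return (principal, IPC service, operation, resource) from an
    AuthorizationException line, or None if the line is something else."""
    m = _AUTHZ_RE.search(line)
    return None if m is None else (m["principal"], m["service"], m["operation"], m["resource"])


def _glob(pattern, value):
    """'*' matches any run of characters, '?' one character; the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


# Layer 1: the component recipe, ComponentConfiguration.DefaultConfiguration.accessControl.
# Scoped to the one shadow the component needs rather than "*". (Assumed fragment.)
COMPONENT_ACCESS_CONTROL = {
    "aws.greengrass.ShadowManager": {
        "com.xxxxxxxxxx.productivity.cycle_count:shadow:1": {
            "policyDescription": "Read the count_topic shadow of SliceOfPi.",
            "operations": ["aws.greengrass#GetThingShadow"],
            "resources": ["$aws/things/SliceOfPi/shadow/name/count_topic"],
        }
    }
}


def ipc_authorized(access_control, service, operation, resource):
    """Approximate the Nucleus IPC check: a policy under `service` allows the call
    if it lists the operation (or '*') and a resource pattern matching `resource`."""
    for policy in access_control.get(service, {}).values():
        ops = policy.get("operations", [])
        if "*" in ops or operation in ops:
            if any(_glob(r, resource) for r in policy.get("resources", [])):
                return True
    return False


# Layer 2: the token exchange role behind the role alias. IoT shadow actions are
# authorized against the thing ARN, so the thing name must match a Resource entry.
ROLE_POLICY_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGreengrassAccessToShadows",
        "Action": ["iot:DeleteThingShadow", "iot:GetThingShadow", "iot:UpdateThingShadow"],
        "Effect": "Allow",
        "Resource": ["arn:aws:iot:*:*:thing/GG_*", "arn:aws:iot:*:*:thing/*-gcm",
                     "arn:aws:iot:*:*:thing/*-gda", "arn:aws:iot:*:*:thing/*-gci"],
    }],
}
ROLE_POLICY_FIXED = copy.deepcopy(ROLE_POLICY_AS_POSTED)
ROLE_POLICY_FIXED["Statement"][0]["Resource"].append("arn:aws:iot:*:*:thing/SliceOfPi")


def iam_allows(policy, action, resource_arn):
    """Simplified IAM evaluation: a matching Deny wins; otherwise any matching Allow
    grants the action. Condition blocks are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob(a.lower(), action.lower()) for a in actions):
            continue
        if not any(_glob(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def thing_arn_for_shadow(resource, region="us-east-1", account="123456789012"):
    """Map a shadow resource string to the thing ARN IAM authorizes against.
    Region and account are placeholders."""
    m = re.fullmatch(r"\$aws/things/([^/]+)/shadow(?:/.*)?", resource)
    if m is None:
        raise ValueError(f"not a shadow resource: {resource}")
    return f"arn:aws:iot:{region}:{account}:thing/{m.group(1)}"


def check_shadow_request(line, access_control, role_policy):
    """Return (ipc_ok, cloud_ok) for the request in a log line: may the component
    call the IPC operation, and may the core's role fetch that thing's shadow."""
    _, service, operation, resource = parse_auth_failure(line)
    ipc_ok = ipc_authorized(access_control, service, operation, resource)
    cloud_ok = iam_allows(role_policy, "iot:GetThingShadow", thing_arn_for_shadow(resource))
    return ipc_ok, cloud_ok


if __name__ == "__main__":
    print("as posted:", check_shadow_request(LOG_LINE, {}, ROLE_POLICY_AS_POSTED))
    print("fixed:    ", check_shadow_request(LOG_LINE, COMPONENT_ACCESS_CONTROL, ROLE_POLICY_FIXED))
```

Run it against a copy of your own greengrass.log line and recipe to see which layer is rejecting the call; the IPC layer fails first, which is why the log shows the Nucleus's AuthorizationException rather than a cloud-side error. Keep the recipe resource pinned to the specific shadow topic and the IAM resource to the specific thing ARN; "*" in either layer lets any component on the core read or delete every shadow the role can reach.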

0

It appears that IPC permissions are missing for aws.greengrass#GetThingShadow.

Please take a look at the following guide for allowing access: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html

AWS
answered 2 years ago
  • Thank you for that. Where do these permissions go? ShadowManager? Auth? Bridge?
