By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

Greengrass allow all local operations for a component

0

I'm getting started with greengrass(v2) and am just trying a REALLY BASIC call:

clientobj = GreengrassCoreIPCClientV2()
details_response = clientobj.get_component_details(component_name="hello")

and I get BLOCKED. "permission denied". to get component details ABOUT MYSELF?!?!?

There is no clue what magical string I should even put in the accessControl section of the recipe of the component, in the API docs at https://aws.github.io/aws-iot-device-sdk-python-v2/awsiot/greengrasscoreipc.html

So rather than having to come back and ask what the magic string is, for EVERY SINGLE NEW API call, I'd like to know what the magic string is, to tell the greengrass Nucleus level controls, "shut up and get out of the way".

I'm perfectly happy with the access controls we have at the cloud level. I dont want Yet Another Layer of security to deal with at the greengrass Nucleus level.

Topics
Internet of Things (IoT)
Tags
AWS IoT Greengrass
Language
English
rePost-User-8057778
asked 9 days ago21 views
3 Answers
0

Well, thanks for the convenient reference to that stuff... I would still prefer, however, some kind of solution that looked like

accessControl:
  aws.greengrass.*:
    operations: *
    resources: *

Or alternatively, some sort of

  accessControl:
     disable: true

?

its nuts that there are conflicting examples, for supposedly the same thing

For example, sometimes, the examples say I should use syntax like com.me.myapp:cli:1

but others say

com.me.myapp:getconfig:1

?!?!? Where's the sense? Just let me turn all the stupid access stuff OFF completely.

rePost-User-8057778
answered 9 days ago
  • Greg_B EXPERT9 days ago

    I understand. You can use wildcards for the resources at least, but I appreciate that's not what you're after. Please consider to raise these issues here: https://github.com/aws-greengrass/aws-greengrass-nucleus/issues. Also, in regards to conflicting examples, I'm not sure which parts of the documentation you're specifically referring to. Please be aware that there is a Feedback button near the top right of every page of the Developer Guide. We'd appreciate you calling out any errors, conflicts or confusions you find.

  • MichaelDombrowski-AWS EXPERT8 days ago

    To allow all, the following should work. However, I really cannot recommend this as it goes against every security best practice known.

    accessControl:
  "*":
    operations: *
    resources: *
0

Thanks MIchael, I can confirm that this works:

accessControl:
  "*":
    operations: *
    resources: *

This will be useful for me in the future If I need it. However, I will also confirm that for just the get_component_details, this works:

    accessControl:
      randomlabelhere:
        com.bolthole.hello:
          operations:
            - "aws.greengrass#GetComponentDetails"
          resources:
            - "*"

What was confusing me was the bit right after accessControl: I didnt understand why it was "aws.greengrass.Cli", and why some examples used it with ":cli:", but others with "getconfig"

Apparently, its just a random user-chosen label, which is why I used the above, and it actually works as is, for my component called com.bolthole.hello.

rePost-User-8057778
answered 7 days ago
  • rePost-User-8057778 7 days ago

    wait... maybe it isnt random.. .now its working all the time, even if I put in NO access control?? And even if I removed the component before doing a new deploy?? This stuff is really confusing.

    To explain to "insiders", the reason why this isnt clear is: How does GreengrassCoreIPCClientV2().component_details()

    relate to "aws.greengrass.Cli" ?!? Its a direct nucleus IPC API call. It should work if the Cli component isnt there. So how does the accessControl spec require using THAT, to grant access to that call??

  • rePost-User-8057778 7 days ago

    Okay, hopefully final summary :-/

    I had changed my code. GreengrassCoreIPCClientV2().get_component_details(component_name="com.bolthole.hello")

    requires

        accessControl:
      aws.greengrass.Cli:
        com.bolthole.hello:
          operations:
            - "aws.greengrass#GetComponentDetails"
          resources:
            - "*"

    even if the component is itself.

    but

    GreengrassCoreIPCClientV2().get_configuration()

    Does not require any access control.

    Still doesnt make sense why the get_component_details access needs to be filed under "aws.greengrass.Cli" though !!!

0

Hi. Authorization details here: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-deployments-components.html#ipc-local-deployments-components-authorization

profile picture
AWS
EXPERT
Greg_B
answered 9 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content