Hi François,
No question is a silly question :) Greengrass v2 is still relatively new and we expect there to be some bumps along the way as customers use it. Your questions help us identify those bumps in the software and documentation that we can hopefully smooth over.
There are two things to consider with regard to the MQTT pub/sub topics. First, from the device to IoT core, authorization for pub/sub topics are controlled by your IoT policy. Here you can specify an IoT policy that only allows the device to publish to topics with the {iot:thingName} in it.
Second, on the device you can further define which topics a particular component is allowed to publish on. Just because you authorize a component to publish/subscribe on some topic, it does not mean that your IoT policy associated with device certificate allows the device to publish/subscribe on that topic.
At this time, the component authorization policy does not support variables like {iot:thingName}. If you do not know the exact topics that the recipe needs to use, you would need to specify "*" to allow the component to pub or sub on any topic. However you can restrict your IoT policy so that it can only pub/sub on your restricted topics with the thingName in it.
Please see https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-iot-core-mqtt.html for more info.
-rob
Hi Rob,
Thank you for the reply.
I do understand that what an IoT thing can do with regard to AWS access is ultimately controlled by policies attached to the certificate associated with the thing. (Although I am not clear how versioning is applied.) For fleet provisioned devices, that policy is referenced in the fleet provisioning template and is automatically attached to the certificate generated upon provisioning.
I also see now how resources for iot:Connect/Publish/Subscribe can restrict the use of topics containing ${iot:Connection.Thing.ThingName}.
but (you knew it was coming ;)
My question is about topics used to trigger lambdas on a Greengrass IoT Core device. Those topics are defined in the "default configuration"/update part of the recipe. According to the doc, a variable {iot:thingName} can be used but only in the lifecycle part of the recipe. So no way to insert the thing name in the triggering topic.
Ideally, the Greengrass IoT Core would process the triggering topic for variables and instantiate them before actually deploying the component, and then subscribe to those (as long as the policy associated with the certificate allows it). (I guess it already does that for the lifecycle part.)
For example, if you want to perform a "reconfigure network" on a fleet provisioned device, you could deploy a lambda that reacts to a topic with a payload containing your SSID and passphrase. Ideally, your trigger would be something like
com.example/MyThingName/network/configure
I do not see how to do that currently, instead I have to use a very generic topic like
com.example/network/configure
And add the thing name in the payload to avoid re-configuring all the devices. In the process I have to broadcast my SSID and passphrase.
Or, did I miss something?
Regards,
François
Hi François,
You have not missed anything. It is not possible to put the thing name into the pubsub topics that your lambda subscribes to unless you create a deployment with unique configuration for each device.
If you moved away from lambda to a native GG V2 Component, then your component can subscribe to a topic with its thing name (which is provided in environment variables) since the subscription is driven by code instead of by configuration. The accessControl policy would need to include a wildcard for the thing name, but that is supported for the MQTT over IPC access controls.
Cheers,
Michael
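As an added illustration of Michael's point (example code, not from the thread or from the Greengrass project): a native component builds its per-thing topic in code from the thing name Greengrass v2 exposes in the environment, and the check below verifies that this topic is allowed both by a recipe accessControl resource that uses a `*` wildcard and by an IoT policy resource that uses `${iot:Connection.Thing.ThingName}`. The topic layout and the wildcard pattern are assumptions that follow the thread's `com.example/MyThingName/network/configure` proposal.

```python
"""Check that a component's per-thing topic is allowed by both the recipe
accessControl pattern and the certificate's IoT policy (added example)."""
import os
import re

# Assumption: Greengrass v2 exports the thing name to components as
# AWS_IOT_THING_NAME; the topic layout follows the thread's proposal.
POLICY_VAR = "${iot:Connection.Thing.ThingName}"
IOT_POLICY_TOPICFILTER = "com.example/" + POLICY_VAR + "/network/configure"
ACCESS_CONTROL_PATTERN = "com.example/*/network/configure"  # recipe wildcard


def component_topic(thing_name: str) -> str:
    """Topic the component subscribes to; built in code, not in recipe config."""
    return f"com.example/{thing_name}/network/configure"


def mqtt_filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' all remaining."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def access_control_matches(pattern: str, topic: str) -> bool:
    """Greengrass accessControl resource matching: '*' matches any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, topic) is not None


def subscription_allowed(thing_name: str) -> bool:
    """True only when the IoT policy (variable resolved by IoT Core for this
    connection) and the component accessControl both permit the topic."""
    topic = component_topic(thing_name)
    resolved = IOT_POLICY_TOPICFILTER.replace(POLICY_VAR, thing_name)
    return mqtt_filter_matches(resolved, topic) and \
        access_control_matches(ACCESS_CONTROL_PATTERN, topic)


def cross_thing_blocked(my_thing: str, other_thing: str) -> bool:
    """The IoT policy stops this thing from subscribing to another thing's topic."""
    resolved = IOT_POLICY_TOPICFILTER.replace(POLICY_VAR, my_thing)
    return not mqtt_filter_matches(resolved, component_topic(other_thing))


if __name__ == "__main__":
    name = os.environ.get("AWS_IOT_THING_NAME", "MyThingName")  # constructed fallback
    print(component_topic(name), subscription_allowed(name))
```

The `*` in the accessControl resource is what lets one recipe serve the whole fleet, while the thing-name variable in the IoT policy is what keeps each device on its own topic.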