add access control while developing on the device

0

Still trying to access the local shadow.

I've moved away from the Lambda and am now just running a Python component.

Still doing some local development of the component until it works.
Deploying it using
sudo /greengrass/v2/bin/greengrass-cli deployment create --recipeDir /data/prov/GreengrassCore/recipes --artifactDir /data/prov/GreengrassCore/artifacts --merge "au.com.mycompany.smartdvr.shadowconfig=1.0.0"

When trying to access the local shadow (using ipc_client = awsiot.greengrasscoreipc) I'm getting a
GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow
error.
If I do this via the remote Greengrass console I have the option to add an access control to the deployment.

"accessControl": {
   "aws.greengrass.ShadowManager": {
      "mtdshadowconfig-dev-shadowconfigpython::1": {
         "policyDescription": "allow access to config# shadow",
         "operations": [
            "aws.greengrass#GetThingShadow",
            "aws.greengrass#UpdateThingShadow",
            "aws.greengrass#ListNamedShadowsForThing"
         ],
         "resources": [
            "$aws/things/thingName/shadow/name/config1"
         ]
      }
   }
}

How do I add the AccessControl when I'm developing and deploying on the device itself?

clarification Edited by: clogwog on Oct 8, 2021 6:19 PM

clogwog
asked 2 years ago, 279 views
3 Answers
1
Accepted Answer

Configuration merge (not --merge) accepts a proper JSON document, so simply write out the JSON which you want to be merged such as:

{
   "<componentName>":{
      "MERGE":{
         "accessControl":{
            "aws.greengrass.ShadowManager":{
               "mtdshadowconfig-dev-shadowconfigpython::1":{
                  "policyDescription":"allow access to config# shadow",
                  "operations":[
                     "aws.greengrass#GetThingShadow",
                     "aws.greengrass#UpdateThingShadow",
                     "aws.greengrass#ListNamedShadowsForThing"
                  ],
                  "resources":[
                     "$aws/things/thingName/shadow/name/config1"
                  ]
               }
            }
         }
      },
      "RESET":[
      ]
   }
}

Save as "config.json"

Then use the deployment create command with --update-config config.json --merge componentName=1.0.0

The option --merge is used to tell Greengrass to add the following component and version onto the device. To set the configuration you use the --update-config option, not --merge.

AWS
EXPERT
answered 2 years ago
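The procedure in the accepted answer, as an added example that is not part of the original answer or AWS's own code: it builds the --update-config document for the policy in the question, flags wildcard or empty grants before the policy reaches the device, and assembles the deployment command. The helper names are hypothetical; the component name, policy and paths are the ones posted in the question.

```python
import json
import shlex

# Values taken from the thread; "thingName" is left exactly as the page wrote it.
COMPONENT = "au.com.mycompany.smartdvr.shadowconfig"
POLICY_ID = "mtdshadowconfig-dev-shadowconfigpython::1"
POLICY = {
    "policyDescription": "allow access to config# shadow",
    "operations": [
        "aws.greengrass#GetThingShadow",
        "aws.greengrass#UpdateThingShadow",
        "aws.greengrass#ListNamedShadowsForThing",
    ],
    "resources": ["$aws/things/thingName/shadow/name/config1"],
}

def build_update_config(component, policy_id, policy,
                        service="aws.greengrass.ShadowManager"):
    """Return the document --update-config expects for one IPC policy."""
    return {component: {"MERGE": {"accessControl": {service: {policy_id: policy}}},
                        "RESET": []}}

def lint_policy(policy):
    """Flag grants that are empty or broader than one named shadow (hypothetical check)."""
    findings = []
    for field in ("operations", "resources"):
        values = policy.get(field, [])
        if not values:
            findings.append(f"{field}: empty list")
        findings += [f"{field}: wildcard in {v!r}" for v in values if "*" in v]
    return findings

def deployment_args(component, version, config_path, recipe_dir, artifact_dir):
    """Argument list for the local CLI, using only options shown in the thread."""
    return ["sudo", "/greengrass/v2/bin/greengrass-cli", "deployment", "create",
            "--recipeDir", recipe_dir, "--artifactDir", artifact_dir,
            "--update-config", config_path, "--merge", f"{component}={version}"]

if __name__ == "__main__":
    for finding in lint_policy(POLICY):
        print("WARN", finding)
    with open("config.json", "w") as fh:
        json.dump(build_update_config(COMPONENT, POLICY_ID, POLICY), fh, indent=3)
    print(shlex.join(deployment_args(
        COMPONENT, "1.0.0", "config.json",
        "/data/prov/GreengrassCore/recipes", "/data/prov/GreengrassCore/artifacts")))
```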
0

Hello,
Try greengrass-cli deployment create --help. Our local CLI has built-in help for you.

To answer the question you would use the --update-config option and provide a path to a JSON file which contains new configuration to apply. Use the format: {"componentName": {"MERGE": {"<key>": "<value>"}, "RESET": ["</path/to/reset>"]}}
In your case, you can merge the accessControl values which you need.

Cheers,
Michael

AWS
EXPERT
answered 2 years ago
0

Would I need to use a

AccessControl="{ <full json access control document here> }"

Or do I need to add every value in the

{
   "aws.greengrass.ShadowManager": {
      "mtdshadowconfig-dev-shadowconfigpython::1": {
         "policyDescription": "allow access to config# shadow",
         "operations": [
            "aws.greengrass#GetThingShadow",
            "aws.greengrass#UpdateThingShadow",
            "aws.greengrass#ListNamedShadowsForThing"
         ],
         "resources": [
            "$aws/things/thingName/shadow/name/config1"
         ]
      }
   }
}

document? How does that work with the tree structure that is in that document?
Are there any examples?
The documentation

 -m, --merge=Component and version
                  The name and version of the target component you want to add
                    or update.
                  Format: <component-name>=<version>. Example: HelloWorld=1.
                    0.0. Use a separate argument for each additional component
                    to specify.

is not very specific about how to merge a JSON document like this.

clogwog
answered 2 years ago
