Confused about permissions in IoT Core/PubSub/Shadows, Greengrass, IAM roles, service roles and IPC.


I have a few questions here, as I am very confused. There seem to be quite a few areas where permissions need to be set up. I have a deployment that uses Auth, Bridge, ShadowManager and a custom component. The custom component can publish, but I am having issues reading a shadow. There are also entities like IAM roles and policies in addition to something called a service role and something referred to as IPC, or Inter-Process Communication.

I have an issue here that I am trying to resolve but find myself confused about what I am setting where when I am setting permissions.

Is there someone who has the time and kindness to write an easy-to-understand, plain-language tutorial or summary of what all these permission configurations are? Hopefully it would be clearer.

1 Answer
Accepted Answer

There are several different policies, and it can be tough to understand what goes where, but understanding the various resource types and their scope can help.

Greengrass components access resources through IPC. IPC resources are local to the Greengrass device. The "principal" accessing those resources is the component itself. You can give components the necessary permissions in the component configuration.

Some IPC resources map to resources which exist in AWS IoT (e.g. Shadows, MQTT topics). The Greengrass core device is the "principal" which accesses those resources. For those, you need to give Greengrass permission in the IoT Policy which is attached to the Greengrass core certificate. You would configure the IoT Policy for anything your component accesses using the IoT Device SDK.

Other times IPC resources map to resources in other parts of AWS (e.g. secrets stored in Secrets Manager). To access those, you would typically need IAM credentials. Greengrass can get IAM credentials using the role alias. You would also configure this policy for anything your component accesses using the regular AWS SDK.

And finally, you can also connect external client devices to Greengrass. You can configure the Client Devices Auth component in order to define the permissions that client devices have when connecting to the local MQTT broker.

You don't need to worry about the service role, for the most part. That gets used by the Greengrass cloud service in a few scenarios when using client devices. You can set it up once (if using client devices) and then forget it exists.

answered 2 months ago
  • Thanks @JoeAtAWS. That is very clear.
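As an added illustration (not part of the answer above, and not code from AWS or the Greengrass nucleus), the Python below models the two permission layers the answer describes for a shadow read: the component's accessControl policy in its recipe configuration, which the nucleus checks locally for the IPC call, and the IoT policy on the core device's certificate, which ShadowManager needs to sync that shadow with AWS IoT. The sample recipe configuration, IoT policy, thing name MyCore, account ID and region are all constructed; the `*` wildcard and `{iot:thingName}` matching is a deliberately simplified assumption, not the nucleus' real evaluation rules. The constructed configuration reproduces the symptom in the question: the component is allowed UpdateThingShadow but not GetThingShadow.

```python
"""Model of the permission layers a Greengrass component hits on a shadow read.

Layer 1: component accessControl in the recipe (local IPC authorization).
Layer 2: the core device's IoT policy (needed for ShadowManager cloud sync).
Simplified matching; added example only, not the nucleus' implementation.
"""
import fnmatch
import json

SHADOW_SERVICE = "aws.greengrass.ShadowManager"
GET_OP = "aws.greengrass#GetThingShadow"
UPDATE_OP = "aws.greengrass#UpdateThingShadow"

# Constructed sample: accessControl as it would sit under
# ComponentConfiguration.DefaultConfiguration in the component recipe.
# It grants updates to this core's named shadows but NOT reads.
RECIPE_ACCESS_CONTROL = json.loads("""
{
  "aws.greengrass.ShadowManager": {
    "com.example.MyComponent:shadow:1": {
      "policyDescription": "Update this core's named shadows",
      "operations": ["aws.greengrass#UpdateThingShadow"],
      "resources": ["$aws/things/{iot:thingName}/shadow/name/*"]
    }
  }
}
""")

# Constructed sample: IoT policy attached to the core device certificate.
# Shadow actions in AWS IoT are authorized against the thing ARN.
CORE_IOT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
    "Resource": ["arn:aws:iot:us-east-1:123456789012:thing/MyCore"]
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def ipc_allows(access_control, service, operation, resource, thing_name):
    """True if any accessControl policy for `service` grants `operation` on
    `resource`. Assumption: `*` is a glob wildcard and {iot:thingName} expands
    to the core's thing name before matching."""
    for policy in access_control.get(service, {}).values():
        ops = policy.get("operations", [])
        if operation not in ops and "*" not in ops:
            continue
        for pattern in policy.get("resources", []):
            pattern = pattern.replace("{iot:thingName}", thing_name)
            if fnmatch.fnmatchcase(resource, pattern):
                return True
    return False


def iot_policy_allows(policy, action, resource_arn):
    """True if an Allow statement covers action+resource and no Deny does.
    Simplified to `*` glob matching on actions and resource ARNs."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
              any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def shadow_read_path(access_control, iot_policy, thing_name, shadow_name, account, region):
    """Trace a GetThingShadow IPC call through both layers and name the one that blocks it."""
    topic = f"$aws/things/{thing_name}/shadow/name/{shadow_name}"
    if not ipc_allows(access_control, SHADOW_SERVICE, GET_OP, topic, thing_name):
        return "denied by component accessControl (recipe configuration)"
    arn = f"arn:aws:iot:{region}:{account}:thing/{thing_name}"
    if not iot_policy_allows(iot_policy, "iot:GetThingShadow", arn):
        return "IPC allowed, but the core IoT policy blocks ShadowManager from syncing this shadow"
    return "allowed"


def fixed_access_control(access_control):
    """Copy of the recipe accessControl with GetThingShadow added next to UpdateThingShadow."""
    fixed = json.loads(json.dumps(access_control))
    for policy in fixed[SHADOW_SERVICE].values():
        if GET_OP not in policy["operations"]:
            policy["operations"].append(GET_OP)
    return fixed


if __name__ == "__main__":
    args = (CORE_IOT_POLICY, "MyCore", "config", "123456789012", "us-east-1")
    print("before:", shadow_read_path(RECIPE_ACCESS_CONTROL, *args))
    print("after: ", shadow_read_path(fixed_access_control(RECIPE_ACCESS_CONTROL), *args))
```

Running it shows the read denied at the IPC layer first; only after the recipe's operations list includes GetThingShadow does the check reach the IoT policy, which is where a core whose certificate policy names a different thing ARN would still fail to sync.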
