- Newest
- Most votes
- Most comments
Aha. Thanks Michael. After fixing that, .. it still gives me the same error in my component log :-/ But now at least, the main greengrass.log shows me a related error.
2023-05-23T15:28:07.053Z [WARN] (Thread-7) com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-
shadow. Not authorized to get shadow. {thing name=demo-device, shadow name=null}
com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.bolthole.copyshadow is not authorized to perf
orm aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/demo-device/shadow
Which is odd, because I thought I have allowed all required perms, as shown below. Any further enlightenment you can give?
In recipe, copied more or less from AWS examples:
ComponentConfiguration:
DefaultConfiguration:
accessControl:
aws.greengrass.ShadowManager:
'com.bolthole.copyshadow:shadow:1':
policyDescription: 'Allows access to shadows'
operations:
- 'aws.greengrass#GetThingShadow'
- 'aws.greengrass#UpdateThingShadow'
- 'aws.greengrass#DeleteThingShadow'
resources:
- $aws/things/{iot:thingName}/shadow
'com.bolthole.copyshadow:shadow:2':
policyDescription: 'Allows access to things with shadows'
operations:
- 'aws.greengrass#ListNamedShadowsForThing'
resources:
- {iot:thingName}
And in my thing policy, I have:
{
"Effect": "Allow",
"Action": "iot:GetThingShadow",
"Resource": "*"
}
(edit: walk through comments for final solution)
Did you enable interpolate configuration? https://docs.aws.amazon.com/greengrass/v2/developerguide/greengrass-nucleus-component.html#greengrass-nucleus-component-configuration-interpolate-component-configuration
When you deploy, use RESET: https://github.com/aws-greengrass/aws-greengrass-nucleus/issues/1470#issuecomment-1559595709
Looks like it is getting properly interpolated. Looking at effectiveConfig.yaml shows
aws.greengrass.ShadowManager: com.bolthole.copyshadow:shadow:1: operations: - "aws.greengrass#GetThingShadow" - "aws.greengrass#UpdateThingShadow" - "aws.greengrass#DeleteThingShadow" policyDescription: "Allows access to shadows" resources: - "$aws/things/demo-device/shadow" - "$aws/things/demo-device/shadow/name/myNamedShadow"
what about the second policy you had? I think you need to wrap the
{iot:thingName}
in quotes or else yaml will treat it as a map.HUH! there were a buncha other lines, that were NOT quoted, and used {iot:thingName}, and worked. but that one line, I guess since its not in the middle of some other string... it has to be quoted. "Interesting" feature. Thanks for that.
Even more "interesting", is that.. given that I cut-n-pasted from AWS docs... THE AWS DOCS ARE WRONG!!!
https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html
Almost working. At least I can now call the get shadow function. But now yet another underdocumented category of error. I'm trying to get the default non-named shadow. I created one in the GUI, and it got autonamed "Classic Shadow'.
But the code I have in my first post here isnt working.
2023-05-24T02:18:26.808Z [WARN] (Thread-7) com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Shadow does not exist. {thing name=demo-device, shadow name=null}
I thought leaving shadow name null would be the way to get default shadow, but that doesnt seem to work. Nor does shadow_name="". Same error, "Shadow does not exist"
But I cant set the name to "Classic Shadow" either. So what am I supposed to do?
Relevant content
- asked 3 years ago
- asked 4 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago
What is your component recipe?
Does your component depend on the shadow manager component? It must for this to work.