Updating GreengrassV2TokenExchangeRole permissions

0

Hi,

Currently we have several running core devices in remote places. We set up those devices using Greengrass and they are using GreengrassV2TokenExchangeRole as the AWS IoT policy. Now we want to update the permissions for all devices, new ones and existing ones, and add some extra configurations on them like adding ShadowManager, MqttBridge etc. If we change the role on the cloud, do devices receive the new role automatically? Or do we need to re-register the devices?

Bests,

2 Answers
1
Accepted Answer

Hi. The short answer is that you don't need to re-register.

I think though you might be confusing the IoT policy with the (IAM) token exchange role. The IoT policy authorizes device access to the IoT and Greengrass data planes: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html. The IoT policy is attached to the device certificate in AWS IoT Core (authorizing the device that holds that certificate).

The token exchange role authorizes device access to non-IoT services: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html. The Greengrass core device only knows about the token exchange role alias (it's specified in the Nucleus configuration). You can modify the IAM policies attached to the token exchange role, and the device will be granted what those modified policies specify.

AWS
EXPERT
Greg_B
answered a year ago
  • Thanks for the answer. I am trying to follow this tutorial: https://docs.aws.amazon.com/greengrass/v2/developerguide/client-devices-tutorial.html In this one, step 1, it says I need to change the "core device's AWS IoT policy". I thought this one is referring to the Exchange Role. So this requires me to update the Exchange Role, right?

    For example; I need to add 'iot:UpdateThingShadow' and 'iot:GetThingShadow' to the device policy. According to your answer, I think the right place to add them is GreengrassV2IoTThingPolicy, right?

  • Sorry for not answering quickly, but it seems you worked it out. Yes.

0

Hi,

Adding the solution to my problem as an answer here just in case someone else might need the information. I added 'iot:UpdateThingShadow' and 'iot:GetThingShadow' (or any other permission you want) to GreengrassV2IoTThingPolicyInfo and it is automatically applied as @Greg_B said. No need to reregister the devices.

Thanks.

answered a year ago
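The accepted answer's point (the IoT policy on the certificate, not the IAM token exchange role, is what governs shadow access) and the second answer's fix (adding iot:GetThingShadow and iot:UpdateThingShadow) can be carried out as a policy-document edit. The Python below is an added example, not code from either poster or from AWS: it takes an IoT policy document, adds only the shadow actions that are missing, and scopes them to the core device's thing ARN instead of Resource "*". The sample policy, region, account ID and thing name are constructed placeholders.

```python
import copy
import json

# Constructed sample that only resembles a core device's AWS IoT policy;
# it is not the real GreengrassV2IoTThingPolicy document.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": ["greengrass:*"], "Resource": "*"},
    ],
}

SHADOW_ACTIONS = ("iot:GetThingShadow", "iot:UpdateThingShadow")


def _as_list(value):
    """IoT policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy):
    """Return the set of actions explicitly allowed by any Allow statement."""
    return {
        action
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        for action in _as_list(stmt.get("Action", []))
    }


def add_shadow_actions(policy, region, account_id, thing_name):
    """Return a new policy document that also allows the shadow actions
    that are missing, scoped to the named thing's ARN (the resource the
    shadow actions authorise against). The input document is not modified,
    so it stays available for comparison or rollback."""
    missing = [a for a in SHADOW_ACTIONS if a not in allowed_actions(policy)]
    updated = copy.deepcopy(policy)
    if missing:
        updated["Statement"].append({
            "Effect": "Allow",
            "Action": missing,
            "Resource": f"arn:aws:iot:{region}:{account_id}:thing/{thing_name}",
        })
    return updated


def policy_json(policy):
    """Serialise for `aws iot create-policy-version --policy-document file://...`."""
    return json.dumps(policy, indent=2)
```

Publish the result with `aws iot create-policy-version ... --set-as-default`; because the policy is attached to the device certificate, running cores pick it up without re-registering. AWS IoT keeps at most five versions of a policy, so delete an old version first if that limit is reached.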
