Publish to IoT Core from an imported Lambda using Greengrass v2


Hi,

I am having trouble sending a message to IoT Core using an imported Lambda. Here are the steps that I follow:

  • I set up the Greengrass Core SDK on my Raspberry Pi and I am able to see the group and core device in the Greengrass console.
  • I created a Lambda that uses the awsiot SDK and publishes a message using new_publish_to_iot_core().
  • I created a component in the AWS Greengrass console. In this component I chose the "Import Lambda Function" option and selected my previously created Lambda. In the "Lambda function configuration" section I entered the "hello/world" topic for "AWS IoT Core MQTT" as an event source. In the "Lambda function configuration" section I chose the "No Container" option.
  • I created a deployment to deploy component to my Pi.

After the deployment succeeds on the core device I get this error in greengrass.log:
"com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal Greengrass_helloworld_version2 is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource hello/world}"

and this error in "Greengrass_helloworld_version2.log":
"Greengrass_helloworld_version2: lambda_function.py:40,Failed to publish message : UnauthorizedError(message='Not Authorized'). {serviceInstance=0, serviceName=Greengrass_helloworld_version2, currentState=RUNNING}"

I have attached my Lambda code and the recipe that was created automatically.

I guess I should insert the following configuration into the recipe, but since it is an imported Lambda component it does not allow me to change it.
{
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "accessControl": {
        "aws.greengrass.ipc.mqttproxy": {
          "Greengrass_helloworld_version2:pubsub:1": {
            "policyDescription": "Allows access to publish to hello/world.",
            "operations": [
              "aws.greengrass#PublishToIoTCore"
            ],
            "resources": [
              "hello/world"
            ]
          }
        }
      }
    }
  }
}

I am quite frustrated with this new version of Greengrass since the documentation is quite lacking in information at the moment.
What do I need to change? Please help!

asked 3 years ago, 773 views
6 Answers

Hi savcuoglu, thanks for using Greengrass.

As you have guessed, in order to use the IPC SDK in the Lambda you do need the IPC authorization policy. Since your component is an imported Lambda function, its recipe is autogenerated, so you cannot change the recipe. But the authorization policy is just component configuration, and it does not necessarily need to be defined in the DefaultConfiguration section of the recipe; that section is only for setting the default values of a component's configuration. You can set component configuration values at deployment time even when no default configuration is defined in the recipe. So in your case, instead of trying to change the recipe, you can set your Lambda component's configuration when you make a deployment. You can merge the configuration below when you configure your component for the deployment:

{
  "MERGE": {
    "accessControl": {
      "aws.greengrass.ipc.mqttproxy": {
        "Greengrass_helloworld_version2:pubsub:1": {
          "policyDescription": "Allows access to publish to hello/world.",
          "operations": [
            "aws.greengrass#PublishToIoTCore"
          ],
          "resources": [
            "hello/world"
          ]
        }
      }
    }
  }
}

Here's the documentation for how to set component configuration while making deployments - https://docs.aws.amazon.com/greengrass/v2/developerguide/update-component-configurations.html#merge-configuration-update

Sorry to hear about your experience with the lack of information. I understand that this method of setting component configuration for the IPC authorization policy is not clearly mentioned in the documentation here: https://docs.aws.amazon.com/greengrass/v2/developerguide/interprocess-communication.html#ipc-authorization-policies. I will take this feedback to the team so we can improve the documentation accordingly.

AWS
answered 3 years ago
reviewed 6 months ago by Greg_B (AWS EXPERT)
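The answer above moves the IPC authorization policy out of the recipe and into the deployment's configuration merge. As an added example, not code from this thread or from AWS, the Python below turns the exact "Not Authorized" line from greengrass.log into the least-privilege merge document (one operation, one topic), wraps it in the shape the `components` map of `aws greengrassv2 create-deployment` expects (the `merge` value is a JSON-encoded string, not a nested object), and pre-checks the resulting policy against the operation and topic before anything is deployed. The component name, topic and log line are taken from the question; the `is_authorized` check is a simplified reproduction of the documented accessControl matching with `*` as the only wildcard, and is an assumption about the nucleus's behaviour, not its actual evaluator. The `<componentName>:<service>:<n>` policy ID is the documented naming convention, not a requirement.

```python
"""Build, and locally sanity-check, the IPC authorization policy that an imported
Lambda component needs before it may call PublishToIoTCore.

Added example (not from the thread or from AWS). Assumes the component name and
topic from the question; the authorization check is a simplified model with '*'
as the only wildcard, not the Greengrass nucleus itself.
"""
import json
import re

COMPONENT = "Greengrass_helloworld_version2"
MQTT_PROXY = "aws.greengrass.ipc.mqttproxy"
PUBLISH_OP = "aws.greengrass#PublishToIoTCore"

# Constructed copy of the greengrass.log line quoted in the question.
SAMPLE_LOG = (
    "com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. "
    "{error=Principal Greengrass_helloworld_version2 is not authorized to perform "
    "aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource hello/world}"
)

_NOT_AUTHORIZED = re.compile(
    r"Principal (?P<principal>\S+) is not authorized to perform "
    r"(?P<service>[^:\s]+):(?P<operation>\S+) on resource (?P<resource>[^}\s]+)"
)


def parse_not_authorized(line):
    """Return (principal, service, operation, resource) from a 'Not Authorized'
    log line, or None if the line is not one."""
    m = _NOT_AUTHORIZED.search(line)
    return m.group("principal", "service", "operation", "resource") if m else None


def build_access_control(service, operations, resources, policy_id):
    """accessControl object to merge into the component's configuration.
    Keep `resources` to the exact topics the code publishes on; a bare '*' would
    let the component publish anywhere the core device's IoT policy allows."""
    return {
        "accessControl": {
            service: {
                policy_id: {
                    "policyDescription": "Allows access to publish to " + ", ".join(resources) + ".",
                    "operations": list(operations),
                    "resources": list(resources),
                }
            }
        }
    }


def build_deployment_component(component, version, merge_config):
    """Entry for the `components` map of `aws greengrassv2 create-deployment`.
    The API's `merge` field is a string, so the object is JSON-encoded here."""
    return {
        component: {
            "componentVersion": version,
            "configurationUpdate": {"merge": json.dumps(merge_config)},
        }
    }


def _matches(pattern, value):
    """'*' matches any run of characters; everything else is literal (assumed model)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_authorized(access_control, service, operation, resource):
    """Pre-flight version of the question the nucleus asks at publish time: does
    some policy under `service` list `operation` and a resource matching `resource`?"""
    policies = access_control.get("accessControl", {}).get(service, {})
    for policy in policies.values():
        if operation not in policy.get("operations", []):
            continue
        if any(_matches(r, resource) for r in policy.get("resources", [])):
            return True
    return False


def merge_config_for_log_line(line, policy_suffix="1"):
    """Turn a 'Not Authorized' line into the minimal merge document that would
    have authorized exactly that call: one operation, one topic."""
    parsed = parse_not_authorized(line)
    if parsed is None:
        return None
    principal, service, operation, resource = parsed
    policy_id = f"{principal}:{service.rsplit('.', 1)[-1]}:{policy_suffix}"
    return build_access_control(service, [operation], [resource], policy_id)


if __name__ == "__main__":
    merge = merge_config_for_log_line(SAMPLE_LOG)
    assert is_authorized(merge, MQTT_PROXY, PUBLISH_OP, "hello/world")
    print(json.dumps(build_deployment_component(COMPONENT, "1.0.0", merge), indent=2))
```

Run stand-alone, the script prints the `components` entry that can be passed to `aws greengrassv2 create-deployment` (the `componentVersion` "1.0.0" is a placeholder for the imported Lambda's version). If the Lambda later publishes to a second topic, extend `resources` with that exact topic rather than widening to `hello/*`; `is_authorized` will show which topics the policy actually covers before the deployment is pushed.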

Dear shagupta-aws,

Thanks for your answer. I did exactly as you said and I am able to run my Lambda on Core Device.
One thing is still bothering me though. Since I need to configure "accessControl" during deployment, I guess I don't have to fill in the "Event sources" section of the component creation form. Then the question is: what is this "Event sources" section for? How does it affect my component?

Bests,

answered 3 years ago

Hi savcuoglu,

The event source configuration is optional, and is used if you want to control the Lambda function component's execution from outside or from some other Lambda function component or generic component. The two options for the event source, IOT_CORE and PUB_SUB, let you trigger your Lambda function component by publishing a message to an MQTT topic in IoT Core (cloud) or by publishing PubSub messages locally (on the device, from some other component). See the details here: https://docs.aws.amazon.com/greengrass/v2/developerguide/run-lambda-functions.html#run-lambda-function-cli

If you are not looking to trigger your Lambda function component like this, then you don't need the event source configuration.

Edited by: shagupts-aws on Jan 6, 2021 3:21 PM

answered 3 years ago

Dear shagupts-aws,

Thanks for the answer.

Bests,

answered 3 years ago

Thanks @shagupta-aws for the instructions on how to merge the necessary accessControl document at deployment time. This forum discussion was the only place I could find describing how to do it.

I think the AWS Greengrass V2 documentation should include a much clearer description of how you are intended to configure legacy Greengrass V1 Lambda functions for use with Greengrass V2. Now it's complete guesswork and piecing together information from different places. The "Run Lambda functions" section in the documentation only has vague console/CLI examples (no AWS SDK example) that don't mention MQTT/IPC permissions at all.

Greengrass V2 Lambda documentation should clearly explain (1) you cannot configure the Lambda permissions in the recipe, (2) you need to merge the permissions when creating a deployment (with an example), (3) there are separate permissions for MQTT proxy and IPC.

Clouden
answered 3 years ago

Hi Clouden,
In V2, Lambdas and native V2 components work in the same way, so the documentation for IPC (https://docs.aws.amazon.com/greengrass/v2/developerguide/interprocess-communication.html) applies in exactly the same way to both Lambdas and components.

I'll talk with our docs team to see about improvements.

AWS EXPERT
answered 3 years ago
