Hello clogwog,
Regarding the policy you posted, the resource does not match the minimal policy we require. Check https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy. The policy includes the * wildcard after the core device thing name (for example, core-device-thing-name*).
{
  "Effect": "Allow",
  "Action": [
    "iot:GetThingShadow",
    "iot:UpdateThingShadow",
    "iot:DeleteThingShadow"
  ],
  "Resource": [
    "arn:aws:iot:region:account-id:thing/core-device-thing-name*"
  ]
},
Please also find more about the shadow manager configuration requirements at: https://docs.aws.amazon.com/greengrass/v2/developerguide/sync-shadows-with-iot-core.html
-zhaoylin
Note: the AWS discussion forum editor is stripping details out of my configuration.
See here for the full config:
https://gist.github.com/clogwog/210abc5aae94218b166ff6832a1b21dc
Hello,
I am assuming that the shadow has been created in the cloud and you are expecting that to be synced back to the device. Is smartdvr-1423019132001 the name of your GG v2 core? If so, can you attach all the logs from the logs folder to this ticket? There should be an indication in the greengrass.log file on why it was unable to sync that shadow to the device.
Cheers,
Nikkhil
Thank you for that suggestion.
I found:
com.aws.greengrass.shadowmanager.exception.SkipSyncRequestException: software.amazon.awssdk.services.iotdataplane.model.IotDataPlaneException: null (Service: IotDataPlane, Status Code: 403,
in greengrass.log
So it was the core policy. I had used:
{
  "Effect": "Allow",
  "Action": [
    "iot:GetThingShadow",
    "iot:UpdateThingShadow"
  ],
  "Resource": [
    "arn:aws:iot:ap-southeast-2:....:thing/${iot:ClientId}"
  ]
},
I had found it somewhere in an example so I can re-use the policy for all my Greengrass devices with a device-specific wildcard, but it (now) obviously didn't work, because as soon as I set it to * the sync started working.
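The two resource shapes in this thread, the `thing/${iot:ClientId}` variant that produced the 403 and the `thing/core-device-thing-name*` form the minimal core policy uses, differ in what they can ever match. The following is an added example, not code from the thread or from the Greengrass project: it resolves the `${iot:ClientId}` policy variable the way the broker does for an MQTT connection, applies IoT policy `*` wildcard matching to a few constructed thing ARNs, and flags shadow statements whose Resource does not end in `thing/<core-thing-name>*`. The region is the one from the thread; the account id and the thing names (`core-device-thing-name`, `core-device-thing-name-sensor01`, `other-thing`) are constructed placeholders.

```python
"""Added example: check the shadow statements of a Greengrass v2 core IoT policy.

Not code from the thread or the Greengrass project. Region is from the thread;
account id and thing names below are constructed placeholders.
"""
import re

SHADOW_ACTIONS = {"iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow"}

REGION, ACCOUNT = "ap-southeast-2", "123456789012"   # account id: constructed placeholder
CORE = "core-device-thing-name"                      # placeholder name used by the AWS docs
THING_ARNS = [
    f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/{CORE}",            # the core device itself
    f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/{CORE}-sensor01",   # constructed: name shares the core prefix
    f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/other-thing",       # constructed: unrelated thing
]

# The statement posted in the thread (region/account filled with the placeholders above).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
        "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/" + "${iot:ClientId}"],
    }],
}

# The shape the minimal core policy uses: core thing name followed by the * wildcard.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(SHADOW_ACTIONS),
        "Resource": [f"arn:aws:iot:{REGION}:{ACCOUNT}:thing/{CORE}*"],
    }],
}


def _as_list(value):
    """IoT policies allow a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def resolve_client_id(resource, client_id):
    """Substitute ${iot:ClientId} as the broker does for an MQTT connection with that client ID."""
    return resource.replace("${iot:ClientId}", client_id)


def resource_matches(resource, arn):
    """IoT policy Resource matching: `*` matches any run of characters, everything else is literal."""
    pattern = ".*".join(re.escape(part) for part in resource.split("*"))
    return re.fullmatch(pattern, arn) is not None


def shadow_statements(policy):
    """Yield (sorted shadow actions, resources) for each Allow statement granting a shadow action."""
    for stmt in policy["Statement"]:
        actions = set(_as_list(stmt["Action"])) & SHADOW_ACTIONS
        if stmt.get("Effect") == "Allow" and actions:
            yield sorted(actions), _as_list(stmt["Resource"])


def covered_thing_arns(policy, client_id, candidate_arns):
    """Map each shadow Resource entry to the candidate thing ARNs it would allow."""
    coverage = {}
    for _, resources in shadow_statements(policy):
        for res in resources:
            resolved = resolve_client_id(res, client_id)
            coverage[res] = [arn for arn in candidate_arns if resource_matches(resolved, arn)]
    return coverage


def lint_core_shadow_policy(policy, core_thing_name):
    """Findings for shadow statements that deviate from the minimal core policy shape."""
    findings = []
    for actions, resources in shadow_statements(policy):
        for res in resources:
            if not res.endswith(f":thing/{core_thing_name}*"):
                findings.append(f"{res}: does not end in 'thing/{core_thing_name}*' as the minimal core policy requires")
        if "iot:DeleteThingShadow" not in actions:
            findings.append(f"{actions}: iot:DeleteThingShadow not granted; the minimal core policy lists it")
    return findings


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_POLICY), ("minimal", MINIMAL_POLICY)):
        print(name, "covers:", covered_thing_arns(policy, CORE, THING_ARNS))
        print(name, "findings:", lint_core_shadow_policy(policy, CORE))
    # With a client ID that is not a thing name, the variable form matches nothing at all.
    print("posted, client id 'unrelated':", covered_thing_arns(POSTED_POLICY, "unrelated", THING_ARNS))
```

Run it as a script to see the coverage side by side: the `${iot:ClientId}` resource only ever resolves to the single thing ARN equal to the connecting client's ID (and to nothing when the client ID is not a thing name), while the wildcard form also covers things whose names start with the core thing name. The lint reports the posted statement on both counts the first answer raised: the missing `*` suffix and the absent `iot:DeleteThingShadow` action.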
Hello,
As soon as I add the "iot:DeleteThingShadow" permission, the shadow manager deletes my server shadow, which is why I left it out.
There is a ticket for it at
https://github.com/aws-greengrass/aws-greengrass-shadow-manager/pull/96
I would just like to know if I need to wait for this ticket to be merged and available, or if there is a way around it?
Thanks,
tom
Is the Shadow Manager public component currently being used in a production environment by anyone?
Hi clogwog,
Thanks for your followup. We'll be tracking this issue on GitHub and keep that updated: https://github.com/aws-greengrass/aws-greengrass-shadow-manager/issues/98
-zhaoylin
The policy you describe is on the server, and would be applied to all devices. Is there a way to put in a wildcard that specifies the thing name itself?
We tried
but that doesn't seem to work.