Hi,
SVCUID is a secret token provided to your component by Greengrass. In order to run using IPC, your component must be started by Greengrass, not by you on the command line.
Your code is creating the IPC client and connecting inside of the while true, which is going to make it create more and more clients. You should take this out of the while loop so that you only create a single connection and connect once.
Using the python SDK version 1.5.4 or later you can now simply use
import awsiot.greengrasscoreipc
ipc_client = awsiot.greengrasscoreipc.connect()
Prior to that version, please make sure that you are using the IPCUtils exactly as it is provided from https://docs.aws.amazon.com/greengrass/v2/developerguide/interprocess-communication.html, otherwise you may run into trouble.
If you're still having problems, please provide your full component log file as well as the greengrass log file.
Cheers,
Michael Dombrowski
I'm getting (when using a lambda):
2021-02-16T18:03:22.674Z [INFO] (Thread-7) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal MqttTestGGCv2 is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
I attached a policy to the cert to allow pub/sub on all topics. When creating the component, I specified the topic for the cloud and local.
I get (when using recipe):
component log
2021-02-16T20:58:57.336Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7fc88eb42a90> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
greengrass log
2021-02-16T20:58:57.335Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
Recipe:
"ComponentConfiguration": {
  "DefaultConfiguration": {
    "accessControl": {
      "aws.greengrass.ipc.pubsub": {
        "com.example.HelloWorld:pubsub:1": {
          "policyDescription": "Allows access to publish to test/topic.",
          "operations": "aws.greengrass#PublishToTopic",
          "resources": "my/topic"
        }
      }
    }
  }
},
I also tried (got same error):
"accessControl": {
  "aws.greengrass.ipc.pubsub": {
    "com.example.HelloWorld:pubsub:1": {
      "policyDescription": "Allows access to publish to test/topic.",
      "operations": "aws.greengrass#PublishToIoTCore",
      "resources": "my/topic"
    }
  }
}
Edited by: brayden on Feb 16, 2021 1:19 PM
Since you are trying to use MQTT, follow this guide: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-iot-core-mqtt.html.
Your access control policies are not proper for allowing IoT Core messaging. The service identifier needs to be "aws.greengrass.ipc.mqttproxy" and not "aws.greengrass.ipc.pubsub", and the operation must be "aws.greengrass#PublishToIoTCore".
When you make a change, if you are making the change through a deployment using the "MERGE" option, then that will work fine. However, if you are editing the default in the recipe you must use
RESET: [""]
in the deployment configuration for the component. That way it will use the default configuration from your recipe instead of the existing configuration which is present in the Nucleus. Read https://docs.aws.amazon.com/greengrass/v2/developerguide/update-component-configurations.html for more information on this topic.
Cheers,
Michael Dombrowski
Policy
  "accessControl": {
    "aws.greengrass.ipc.mqttproxy": {
      "com.example.HelloWorld:pubsub:1": {
        "policyDescription": "Allows access to publish to my/topic.",
        "operations": [
          "aws.greengrass#PublishToTopic",
          "aws.greengrass#PublishToIoTCore",
          "aws.greengrass#GreengrassCoreIPC"
        ],
        "resources": [
          "my/topic"
        ]
      }
    }
  }
}
configuration update (I'm not using the cli, using console)
{
  "reset": [],
  "merge": {
    "accessControl": {
      "aws.greengrass.ipc.mqttproxy": {
        "com.example.HelloWorld:pubsub:1": {
          "policyDescription": "Allows access to publish to my/topic.",
          "operations": [
            "aws.greengrass#PublishToTopic",
            "aws.greengrass#PublishToIoTCore",
            "aws.greengrass#GreengrassCoreIPC"
          ],
          "resources": [
            "my/topic"
          ]
        }
      }
    }
  }
}
Your update seems to be correct. That should now allow your component to publish to the topic.
If not, please provide update logs showing the failure.
Cheers,
Michael Dombrowski
grep "error" logs/greengrass.log
2021-02-18T17:26:35.272Z [ERROR] (main) com.aws.greengrass.authorization.AuthorizationPolicyParser: load-authorization-config-deserialization-error. Unable to deserialize access control map services.com.example.HelloWorld.configuration.accessControl:{aws.greengrass.ipc.pubsub=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub:{com.example.HelloWorld:pubsub:1=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1.operations:aws.greengrass#PublishToTopic, policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1.policyDescription:Allows access to publish to test/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1.resources:my/topic}}, aws.greengrass.ipc.mqttproxy=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy:{com.example.HelloWorld:pubsub:1=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1.operations:[aws.greengrass#PublishToTopic, aws.greengrass#PublishToIoTCore, aws.greengrass#GreengrassCoreIPC], policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1.policyDescription:Allows access to publish to my/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1.resources:[my/topic]}}} for com.example.HelloWorld. {}
2021-02-18T17:26:37.715Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
2021-02-18T17:26:37.831Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
2021-02-18T17:26:37.938Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
2021-02-18T17:26:54.348Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
2021-02-18T17:26:54.448Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
2021-02-18T17:26:54.558Z [INFO] (Thread-4) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.example.HelloWorld is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource my/topic}
grep "error" logs/com.example.HelloWorld.log
2021-02-18T17:26:37.722Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7fbd1efabb00> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
2021-02-18T17:26:37.832Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7fc12de0eb00> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
2021-02-18T17:26:37.939Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7f5bb45a0b00> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
2021-02-18T17:26:54.349Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7f8fc3279b00> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
2021-02-18T17:26:54.449Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7f7c83996b00> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
2021-02-18T17:26:54.559Z [INFO] (Copier) com.example.HelloWorld: stdout. DEBUG:awsiot.eventstreamrpc:<awsiot.greengrasscoreipc.client.PublishToIoTCoreOperation object at 0x7f0dcb677b00> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Not Authorized","_service":"aws.greengrass#GreengrassCoreIPC","_message":"Not Authorized","_errorCode":"UnauthorizedError","detailMessage":"UnauthorizedError[aws.greengrass#GreengrassCoreIPC]: Not Authorized","stackTrace":[],"suppressedExceptions":[]}'. {scriptName=services.com.example.HelloWorld.lifecycle.Run, serviceName=com.example.HelloWorld, currentState=RUNNING}
PS thanks so much for the help!
One issue you have is a malformed accessControl policy. Seems that the policy for mqttproxy, com.example.HelloWorld:pubsub:1 has "operations" which must be an array, but is just a single string. You then have a duplicated policy with the same name under pubsub. This is not allowed. The names must be unique.
I'd suggest resetting the configuration and only merging the mqttproxy related access control policy. The operation that you need is only aws.greengrass#PublishToIoTCore.
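Added example, not part of the original thread or of Greengrass itself: a small pre-deployment linter for an accessControl map that checks the three conditions raised in the replies above (array-typed "operations"/"resources", policy IDs unique across services, operations that belong to the service they are listed under). The operation table is a partial one assumed for this example, and `lint_access_control` is a hypothetical helper name.

```python
import json

# Partial table (assumption of this example): the operations named in this
# thread plus their subscribe counterparts. Extend for other IPC services.
SERVICE_OPERATIONS = {
    "aws.greengrass.ipc.pubsub": {
        "aws.greengrass#PublishToTopic", "aws.greengrass#SubscribeToTopic"},
    "aws.greengrass.ipc.mqttproxy": {
        "aws.greengrass#PublishToIoTCore", "aws.greengrass#SubscribeToIoTCore"},
}

def lint_access_control(access_control):
    """Return findings for an accessControl map; an empty list means clean."""
    findings, seen = [], {}  # seen: policy id -> service that first used it
    for service, policies in access_control.items():
        known_ops = SERVICE_OPERATIONS.get(service)
        if known_ops is None:
            findings.append(f"{service}: service not in this linter's table")
        for policy_id, policy in policies.items():
            where = f"{service} / {policy_id}"
            if policy_id in seen:
                findings.append(f"{where}: policy id already used under {seen[policy_id]}")
            seen.setdefault(policy_id, service)
            for field in ("operations", "resources"):
                if not isinstance(policy.get(field), list):
                    findings.append(f"{where}: '{field}' must be an array")
            ops = policy.get("operations")
            for op in ops if isinstance(ops, list) else []:
                if known_ops is not None and op != "*" and op not in known_ops:
                    findings.append(f"{where}: {op} is not listed for {service}")
    return findings

# Constructed sample: the effective configuration reported in the
# deserialization error log of this thread (old pubsub policy still present).
MERGED_STATE = json.loads("""{
  "aws.greengrass.ipc.pubsub": {
    "com.example.HelloWorld:pubsub:1": {
      "policyDescription": "Allows access to publish to test/topic.",
      "operations": "aws.greengrass#PublishToTopic",
      "resources": "my/topic"}},
  "aws.greengrass.ipc.mqttproxy": {
    "com.example.HelloWorld:pubsub:1": {
      "policyDescription": "Allows access to publish to my/topic.",
      "operations": ["aws.greengrass#PublishToTopic",
                     "aws.greengrass#PublishToIoTCore",
                     "aws.greengrass#GreengrassCoreIPC"],
      "resources": ["my/topic"]}}
}""")

# Constructed sample: only the mqttproxy policy, as suggested in the reply above.
FIXED = {"aws.greengrass.ipc.mqttproxy": {"com.example.HelloWorld:pubsub:4": {
    "policyDescription": "Allows access to publish to my/topic.",
    "operations": ["aws.greengrass#PublishToIoTCore"],
    "resources": ["my/topic"]}}}

if __name__ == "__main__":
    for finding in lint_access_control(MERGED_STATE):
        print("FINDING:", finding)
    print("fixed policy findings:", lint_access_control(FIXED))
```

Run it against the configuration you intend to deploy merged with what is already on the device, since the log in this thread shows the old pubsub policy still present after a merge-only update.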
I think there's something I'm not understanding correctly. Seems like it's attempting to load past policies, but as I understand, because I have that reset parameter in there, those should go away on deployment.
recipe
"ComponentConfiguration": {
  "DefaultConfiguration": {
    "reset": [
      ""
    ],
    "accessControl": {
      "aws.greengrass.ipc.mqttproxy": {
        "com.example.HelloWorld:pubsub:4": {
          "policyDescription": "Allows access to publish to my/topic.",
          "operations": [
            "aws.greengrass#PublishToIoTCore"
          ],
          "resources": [
            "my/topic"
          ]
        }
      }
    }
  }
}
error message
2021-02-18T19:01:30.197Z [ERROR] (Serialized listener processor) com.aws.greengrass.authorization.AuthorizationPolicyParser: load-authorization-config-deserialization-error. Unable to deserialize access control map services.com.example.HelloWorld.configuration.accessControl:{aws.greengrass.ipc.pubsub=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub:{com.example.HelloWorld:pubsub:1=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1.operations:aws.greengrass#PublishToTopic, policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1.policyDescription:Allows access to publish to test/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.pubsub.com.example.HelloWorld:pubsub:1.resources:my/topic}}, aws.greengrass.ipc.mqttproxy=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy:{com.example.HelloWorld:pubsub:3=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:3:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:3.operations:[aws.greengrass#PublishToTopic, aws.greengrass#PublishToIoTCore, aws.greengrass#GreengrassCoreIPC], policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:3.policyDescription:Allows access to publish to my/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:3.resources:[my/topic]}, 
com.example.HelloWorld:pubsub:4=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:4:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:4.operations:[aws.greengrass#PublishToIoTCore], policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:4.policyDescription:Allows access to publish to my/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:4.resources:[my/topic]}, com.example.HelloWorld:pubsub:1=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1.operations:[aws.greengrass#PublishToTopic, aws.greengrass#PublishToIoTCore, aws.greengrass#GreengrassCoreIPC], policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1.policyDescription:Allows access to publish to my/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:1.resources:[my/topic]}, com.example.HelloWorld:pubsub:2=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:2:{operations=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:2.operations:[aws.greengrass#PublishToTopic, aws.greengrass#PublishToIoTCore, aws.greengrass#GreengrassCoreIPC], policyDescription=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:2.policyDescription:Allows access to 
publish to my/topic., resources=services.com.example.HelloWorld.configuration.accessControl.aws.greengrass.ipc.mqttproxy.com.example.HelloWorld:pubsub:2.resources:[my/topic]}}} for com.example.HelloWorld. {}
Got it working! But doesn't make sense. I deployed 0 components and then deployed the mqtt component (hello world). Seems like the reset param isn't working as expected.
Putting reset into the component recipe does not do anything. Have a look at https://docs.aws.amazon.com/greengrass/v2/developerguide/update-component-configurations.html#reset-configuration-update for information about resetting deployments.
I read that but it's still unclear where that config is located (docs are for CLI but I'm using the console). I thought it brought over the settings from component config to deployment config, but now I'm thinking it is the "Reset paths" under "Configuration update".
Thanks so much for your help!!