Permissions needed to get shadow from IoT Core from a Greengrass core device

0

I am trying to get a shadow named cycle_topic from an AWS IoT thing definition. The permissions/configurations are what are tripping me up. It seems to me that I have a correct permission in ShadowManager for the SliceOfPi thing to get count_topic. I believe that this is a permission issue. What is wrong with my config?

I have the following configs for the following components:

Configure aws.greengrass.clientdevices.mqtt.Bridge:

{
  "reset": [],
  "merge": {
    "mqttTopicMapping": {
      "HelloWorldIotCoreMapping": {
        "topic": "#",
        "source": "Pubsub",
        "target": "IotCore"
      },
      "ShadowsPubsubToLocalMqtt": {
        "topic": "$aws/things/+/shadow/#",
        "source": "Pubsub",
        "target": "LocalMqtt"
      }
    }
  }
}

Configure aws.greengrass.clientdevices.Auth:

{
  "reset": [],
  "merge": {
    "deviceGroups": {
      "formatVersion": "2021-03-05",
      "definitions": {
        "MyPermissiveDeviceGroup": {
          "selectionRule": "thingName: *",
          "policyName": "MyPermissivePolicy"
        }
      },
      "policies": {
        "MyPermissivePolicy": {
          "AllowAll": {
            "statementDescription": "Allow client devices to perform all actions.",
            "operations": [
              "*"
            ],
            "resources": [
              "*"
            ]
          }
        }
      }
    }
  }
}

aws.greengrass.ShadowManager:

{
  "reset": [],
  "merge": {
    "strategy": {
      "type": "realTime"
    },
    "synchronize": {
      "coreThing": {
        "classic": true,
        "namedShadows": [
          "count_topic"
        ]
      },
      "shadowDocuments": [
        {
          "thingName": "SliceOfPi",
          "classic": true,
          "namedShadows": [
            "count_topic"
          ]
        }
      ],
      "direction": "cloudToDevice"
    }
  }
}

The error I am getting in greengrass.log is:

2022-09-20T21:51:46.237Z [WARN] (Thread-4) com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic}
com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
    at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:247)
    at com.aws.greengrass.authorization.AuthorizationHandler.isAuthorized(AuthorizationHandler.java:255)
    at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:73)
    at com.aws.greengrass.shadowmanager.AuthorizationHandlerWrapper.doAuthorization(AuthorizationHandlerWrapper.java:56)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.lambda$handleRequest$0(GetThingShadowRequestHandler.java:87)
    at com.aws.greengrass.ipc.common.ExceptionUtil.translateExceptions(ExceptionUtil.java:33)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler.handleRequest(GetThingShadowRequestHandler.java:75)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:82)
    at com.aws.greengrass.shadowmanager.ipc.GetThingShadowIPCHandler.handleRequest(GetThingShadowIPCHandler.java:28)
    at software.amazon.awssdk.eventstreamrpc.OperationContinuationHandler.onContinuationMessage(OperationContinuationHandler.java:291)
    at software.amazon.awssdk.crt.eventstream.ServerConnectionContinuationHandler.onContinuationMessageShim(ServerConnectionContinuationHandler.java:53)

flycast
Asked 2 years ago, viewed 816 times
4 answers
2
Accepted answer

How are you trying to access the shadow? I'm noticing that you are using the MQTT bridge component to bridge from PubSub to IoT Core. Generally you shouldn't need to do that, as components are able to publish directly to IoT Core. The Client Device Auth and MQTT Bridge components are only necessary if you are trying to connect external client devices to Greengrass.

Based on that stack trace, I suspect you are actually trying to access the shadow from a component, using the GetThingShadow IPC API. You can see the authorization failure log below:

com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
...

You can fix this by updating the accessControl section for the cycle_count component. https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html#ipc-local-shadow-authorization

AWS
Answered 2 years ago
Expert
Reviewed 1 month ago
  • "I'm noticing that you are using the MQTT bridge component to bridge from PubSub to IoT Core. Generally you shouldn't need to do that, as components are able to publish directly to IoT Core. The Client Device Auth and MQTT Bridge components are only necessary if you are trying to connect external client devices to Greengrass."

    OH MY GOSH!!! So helpful!!! WOW! I thought the bridge and auth was necessary for that based on some AWS tutorials. Thanks a BUNCH for clearing that up.

  • This was super helpful. Part of the key was that I don't need auth, bridge. That simplified things quite a bit and cleared my confusion up. The link referenced was also pointed to by @Joseph Cosentino. The gamechanger was simplifying.

1

There are two sets of permissions needed. The ones you noted (thanks for the detail!) are from a component perspective, but not for how the Nucleus and ShadowManager component interact with AWS IoT.

Most likely the permissions are missing from the Role Alias, or the IoT policy associated with the core device. Please check that the permissions called out here for the Role Alias, specifically AllowGreengrassAccessToShadows, are included. If they are, check the IoT policy.

Please let me know if this addresses your problem or if you have other details.

AWS
Gavin_A
Answered 2 years ago
  • Thanks @Gavin_A. I posted an "Answer" because the text was too long for a comment.

0

Too long to make this a comment. My service role currently looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGreengrassAccessToShadows",
            "Action": [
                "iot:DeleteThingShadow",
                "iot:GetThingShadow",
                "iot:UpdateThingShadow"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iot:*:*:thing/GG_*",
                "arn:aws:iot:*:*:thing/*-gcm",
                "arn:aws:iot:*:*:thing/*-gda",
                "arn:aws:iot:*:*:thing/*-gci"
            ]
        },
        {
            "Sid": "AllowGreengrassToDescribeThings",
            "Action": [
                "iot:DescribeThing"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iot:*:*:thing/*"
        },
        {
            "Sid": "AllowGreengrassToDescribeCertificates",
            "Action": [
                "iot:DescribeCertificate"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iot:*:*:cert/*"
        },
        {
            "Sid": "AllowGreengrassToCallGreengrassServices",
            "Action": [
                "greengrass:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowGreengrassToGetLambdaFunctions",
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowGreengrassToGetGreengrassSecrets",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:*:*:secret:greengrass-*"
        },
        {
            "Sid": "AllowGreengrassAccessToS3Objects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*Greengrass*",
                "arn:aws:s3:::*GreenGrass*",
                "arn:aws:s3:::*greengrass*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Sid": "AllowGreengrassAccessToS3BucketLocation",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowGreengrassAccessToSageMakerTrainingJobs",
            "Action": [
                "sagemaker:DescribeTrainingJob"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sagemaker:*:*:training-job/*"
            ]
        }
    ]
}

Right at the top it looks like I am allowed shadow access.

flycast
Answered 2 years ago
  • The resources for the shadow actions look to be different from the shadow you're trying to get. This is from your logs: $aws/things/SliceOfPi/shadow/name/count_topic,

    but the resource filters are:

                    "arn:aws:iot:*:*:thing/GG_*",
                    "arn:aws:iot:*:*:thing/*-gcm",
                    "arn:aws:iot:*:*:thing/*-gda",
                    "arn:aws:iot:*:*:thing/*-gci"
    

    which don't match. To test, try adding the resource arn:aws:iot:*:*:thing/SliceOfPi and see what the log file shows.

0

It appears that IPC permissions are missing for aws.greengrass#GetThingShadow.

Please take a look at the following guide for allowing access: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html

AWS
Answered 2 years ago
  • Thank you for that. Where do these permissions go? ShadowManager? Auth? Bridge?
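As a worked example of what the accepted answer and this answer point to (added here; this is not the original poster's recipe or AWS sample code): the IPC permission goes in the recipe of the component that calls GetThingShadow, under ComponentConfiguration.DefaultConfiguration.accessControl, not in the ShadowManager, Client Device Auth or MQTT Bridge configuration. The component name com.example.cycle_count, its version, the artifact S3 URI and the run command are assumptions; in a real recipe the policy key must begin with the component's actual name (the principal shown in the log line), and the resource string must match the one the log reports exactly.

```json
{
  "RecipeFormatVersion": "2020-01-25",
  "ComponentName": "com.example.cycle_count",
  "ComponentVersion": "1.0.0",
  "ComponentDescription": "Reads the count_topic named shadow of SliceOfPi over Greengrass IPC. Hypothetical component for illustration.",
  "ComponentPublisher": "example",
  "ComponentDependencies": {
    "aws.greengrass.ShadowManager": {
      "VersionRequirement": "^2.0.0",
      "DependencyType": "HARD"
    }
  },
  "ComponentConfiguration": {
    "DefaultConfiguration": {
      "accessControl": {
        "aws.greengrass.ShadowManager": {
          "com.example.cycle_count:shadow:1": {
            "policyDescription": "Allow this component to read only the count_topic named shadow of SliceOfPi.",
            "operations": [
              "aws.greengrass#GetThingShadow"
            ],
            "resources": [
              "$aws/things/SliceOfPi/shadow/name/count_topic"
            ]
          }
        }
      }
    }
  },
  "Manifests": [
    {
      "Platform": {
        "os": "linux"
      },
      "Lifecycle": {
        "run": "python3 -u {artifacts:path}/cycle_count.py"
      },
      "Artifacts": [
        {
          "URI": "s3://placeholder-bucket/artifacts/com.example.cycle_count/1.0.0/cycle_count.py"
        }
      ]
    }
  ]
}
```

The policy key follows the documented componentName:policyId form, and the statement grants only the operation and the single shadow resource the component actually uses rather than "*", which is the least-privilege shape you want for a component that talks to the local shadow service. Add aws.greengrass#UpdateThingShadow only if the component also writes the shadow; the classic (unnamed) shadow would be the separate resource $aws/things/SliceOfPi/shadow. If the component is already deployed, the same accessControl object can instead be merged through a deployment configuration update for that component, in the same reset/merge form used for the other components on this page.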
