
I have the following Greengrass V2 custom recipe:

---
RecipeFormatVersion: "2020-01-25"
ComponentName: com.savic.Telemetry
ComponentVersion: 1.0.12
ComponentDescription: Vehicle telemetry consisting of CAN and additional messages
ComponentPublisher: ##############
ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/{configuration:/Environment}/telemetry/events
Manifests:
  - Platform:
      os: linux
    Lifecycle:
      Setenv:
        SAVICMC_ENV: "{configuration:/Environment}"
        SAVIC_SENDLOG_PATH: "/var/log/sendLog.txt"
        SAVIC_SAMPLE_RATE: 10
        SAVIC_TELEMETRY_TOPIC: "savicmc/{configuration:/Environment}/telemetry/events"
      Install:
        RequiresPrivilege: true
        script: python3 -m pip install --user awsiotsdk
      Run:
        RequiresPrivilege: true
        script: python3 -u {artifacts:path}/telemetry.py
    Artifacts:
      - Uri: s3://greengrass-components-#############-############/artifacts/com.savic.Telemetry/1.0.12/telemetry.py
        Permission:
          Execute: OWNER

NOTE: I also tried a variation of the accessControl:

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:mqttproxy:2:

and

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:pubsub:2:

(note: pubsub vs. mqttproxy)

However, in my greengrass.log, I am continuously getting the following:

2022-01-24T06:29:45.178Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 1141, Class ServerConnection, Refs 1](2022-01-24T06:29:45.178120Z) - <null>. {}
2022-01-24T06:29:45.181Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.savic.Telemetry. {}
2022-01-24T06:29:45.184Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.savic.Telemetry. {}
2022-01-24T06:29:45.185Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.savic.Telemetry. {}
2022-01-24T06:29:45.191Z [INFO] (Thread-8) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

Note the:

com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

My Thing device certificate also has a policy that allows iot:* and greengrass:* so from Policy/IAM perspective, I am allowed to publish.

Any ideas why I am getting the Not Authorized on the device?

Sash

1 Answer


Recipe variables are supported only in the lifecycle section of the recipe. As a result, the {configuration:/Environment} string in accessControl doesn't resolve to the value that you expect.

savicmc/{configuration:/Environment}/telemetry/events

You can change the default accessControl to use the value of Environment by default, so the component works as expected when you use the default values.

ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/nonprod/telemetry/events

When you configure and deploy the component with a different value for Environment, you can also update the topic in accessControl. For example, you can specify the following configuration merge update to change Environment and the resource topic to prod.

{
  "Environment": "prod",
  "accessControl": {
    "aws.greengrass.ipc.mqttproxy": {
      "com.savic.Telemetry:pubsub:2": {
        "resources": [
          "savicmc/prod/telemetry/events"
        ]
      }
    }
  }
}
  • Thanks for that! I actually ended up figuring out both of your answers, shortly after I posted the question. First, I thought it was the recipe variables not evaluating inside accessControl - which didn't work for me, and then as you've pointed out, it was the merge that kept on stuffing me around as well. I have accepted this answer on both counts. Thank you. – Sash Jan 27 '22 at 02:20
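The following is an added example, not code from the question, the answer, or AWS. It takes the DefaultConfiguration from the question's recipe, embedded as a Python dict, and shows the mismatch the log line reports: the Lifecycle section sees the variable resolved to savicmc/nonprod/telemetry/events, while the authorizer sees the accessControl resource as the literal string savicmc/{configuration:/Environment}/telemetry/events, which matches no topic. It then builds the merge update from the answer (with resources as a list) and re-checks. The resource matcher and the merge behaviour are assumptions modelled on the documented semantics (`*` matches anything, MQTT `+` and `#` wildcards, objects merge and lists are replaced), not the nucleus's own code; the constant and function names are hypothetical.

```python
import json
import re
from typing import Any, Dict, List, Tuple

SERVICE = "aws.greengrass.ipc.mqttproxy"        # IPC service from the recipe
POLICY_ID = "com.savic.Telemetry:pubsub:2"      # policy ID from the recipe
PUBLISH = "aws.greengrass#PublishToIoTCore"     # operation from the recipe
RECIPE_VARIABLE = re.compile(r"\{configuration:(/[^}]*)\}")

# DefaultConfiguration from the question's recipe, constructed as a dict so the
# example runs offline without a YAML parser.
DEFAULT_CONFIGURATION: Dict[str, Any] = {
    "Environment": "nonprod",
    "accessControl": {
        SERVICE: {
            POLICY_ID: {
                "policyDescription": "Allows access to publish to telemetry topic",
                "operations": [PUBLISH],
                "resources": ["savicmc/{configuration:/Environment}/telemetry/events"],
            }
        }
    },
}


def resolve_recipe_variables(text: str, config: Dict[str, Any]) -> str:
    """What the Lifecycle section gets: {configuration:/path} replaced by the value
    at that JSON pointer (single-level pointers are enough for this recipe)."""
    def lookup(m):
        node: Any = config
        for part in m.group(1).strip("/").split("/"):
            node = node[part]
        return str(node)
    return RECIPE_VARIABLE.sub(lookup, text)


def unresolved_access_control_resources(config: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Lint: (service, policy_id, resource) for every accessControl resource that
    still carries a recipe variable. The authorizer treats it as a literal string."""
    found = []
    for service, policies in config.get("accessControl", {}).items():
        for policy_id, policy in policies.items():
            for res in policy.get("resources", []):
                if RECIPE_VARIABLE.search(res):
                    found.append((service, policy_id, res))
    return found


def resource_matches(pattern: str, resource: str) -> bool:
    """Assumed approximation of accessControl resource matching: '*' matches
    anything; MQTT '+' matches one topic level and '#' the remainder; every other
    character, braces included, is literal."""
    regex = ""
    for ch in pattern:
        if ch in "*#":
            regex += ".*"
        elif ch == "+":
            regex += "[^/]+"
        else:
            regex += re.escape(ch)
    return re.fullmatch(regex, resource) is not None


def is_authorized(config: Dict[str, Any], service: str, operation: str, resource: str) -> bool:
    """Deny-by-default check over the policies declared for one IPC service."""
    for policy in config.get("accessControl", {}).get(service, {}).values():
        ops = policy.get("operations", [])
        if operation not in ops and "*" not in ops:
            continue
        if any(resource_matches(p, resource) for p in policy.get("resources", [])):
            return True
    return False


def merge_update_for(environment: str) -> Dict[str, Any]:
    """The deployment merge update from the answer: set Environment and replace the
    policy's resources with the concrete topic for that environment."""
    topic = f"savicmc/{environment}/telemetry/events"
    return {"Environment": environment,
            "accessControl": {SERVICE: {POLICY_ID: {"resources": [topic]}}}}


def apply_merge(base: Dict[str, Any], update: Dict[str, Any]) -> Dict[str, Any]:
    """Layer a merge update onto a configuration: objects merge key by key, lists
    and scalars are replaced (assumed to mirror the nucleus's merge behaviour)."""
    out = json.loads(json.dumps(base))  # deep copy, leaves the default untouched
    for key, value in update.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = apply_merge(out[key], value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    topic = "savicmc/{configuration:/Environment}/telemetry/events"
    print("lifecycle sees:", resolve_recipe_variables(topic, DEFAULT_CONFIGURATION))
    print("unresolved accessControl:", unresolved_access_control_resources(DEFAULT_CONFIGURATION))
    print("default authorizes nonprod:", is_authorized(DEFAULT_CONFIGURATION, SERVICE, PUBLISH, "savicmc/nonprod/telemetry/events"))
    prod = apply_merge(DEFAULT_CONFIGURATION, merge_update_for("prod"))
    print("prod merge authorizes prod:", is_authorized(prod, SERVICE, PUBLISH, "savicmc/prod/telemetry/events"))
    print(json.dumps(merge_update_for("prod"), indent=2))
```

Running the lint before deploying catches the original recipe (one unresolved resource), and the authorization check reproduces the "Not Authorized" outcome without a device; after the merge update only the prod topic is allowed, so a per-environment deployment does not silently widen the policy.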