
I currently want to set up GreengrassV2 fleet provisioning (on an EC2 instance where the needed ports are open). I've built the certificate and the thing/core device gets provisioned.

I want to make this production ready, so I've used the minimal Greengrass core IoT policy: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy

Here is my policy:

{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

The issue is that I cannot get the deployment for the thing group. The Greengrass core device always disconnects. Log message:

[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]

If I now allow subscribe to the resource:

"arn:aws:iot:eu-central-1:123123123123:*"

it works - however this is not what I want for production. I think it has to do with the topicfilter/$aws resources, but I cannot figure out what the issue is.

After this I can also subscribe to the topic data/TestCustomerCoreDevice/test

Does somebody know how to resolve this issue?

Thanks in advance!

DK_kbc
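To reason about the policy above without reconnecting the core device each time, the following local evaluator is an added example; it is not part of the original question and not an AWS tool. It models the three things that decide the outcome here: substitution of the `${iot:Connection.Thing.ThingName}` policy variable, IAM-style `*` matching on the resource ARN (the subscribed topic filter string is compared literally against the `topicfilter/` resource), and the `topic/` versus `topicfilter/` split (`iot:Subscribe` is checked against `topicfilter/…`, `iot:Publish` and `iot:Receive` against `topic/…`). The policy embedded below is a constructed copy of the questioner's MQTT statements (the `greengrass:*` and `iot:AssumeRoleWithCertificate` statements are omitted because they are not involved in topic checks); `check_deployment_subscription` replays the subscribe from the log line. Whether the variable actually resolves for a fleet-provisioned core is exactly what this thread disputes; the evaluator only shows what each outcome implies, by treating an unresolved variable as a statement that matches nothing.

```python
"""Local evaluator for AWS IoT Core policy resource matching (added example)."""
import re

REGION = "eu-central-1"
ACCOUNT = "123123123123"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# Constructed copy of the questioner's MQTT statements.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["iot:Publish", "iot:Subscribe", "iot:Receive", "iot:Connect"],
         "Effect": "Allow",
         "Resource": [
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/data/{THING_VAR}/*",
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/cmd/{THING_VAR}/*"]},
        {"Action": ["iot:Connect"], "Effect": "Allow",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{THING_VAR}*"},
        {"Action": ["iot:Subscribe"], "Effect": "Allow",
         "Resource": [
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/$aws/things/{THING_VAR}*/jobs/*",
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/$aws/things/{THING_VAR}*/shadow/*"]},
        {"Action": ["iot:Receive", "iot:Publish"], "Effect": "Allow",
         "Resource": [
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/{THING_VAR}*/greengrass/health/json",
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/{THING_VAR}*/greengrassv2/health/json",
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/{THING_VAR}*/jobs/*",
             f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/things/{THING_VAR}*/shadow/*"]},
    ],
}

# The subscription from the questioner's log line (copied from the question).
SUBSCRIBE_TOPIC = ("$aws/things/TestCustomerCoreDevice/jobs/"
                   "12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected")

# Which ARN resource type each action is authorised against.
RESOURCE_KIND = {"iot:Connect": "client", "iot:Subscribe": "topicfilter",
                 "iot:Publish": "topic", "iot:Receive": "topic"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters (including '/'), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def substitute(resource, thing_name):
    """Resolve the thing-name variable; None means the statement cannot match at all."""
    if THING_VAR not in resource:
        return resource
    if thing_name is None:  # no thing bound to the connection: variable does not resolve
        return None
    return resource.replace(THING_VAR, thing_name)


def request_arn(action, target):
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{RESOURCE_KIND[action]}/{target}"


def matching_statements(policy, action, target, thing_name=None):
    """Return (effect, resource) pairs whose action and resolved resource match the request."""
    arn = request_arn(action, target)
    hits = []
    for stmt in policy["Statement"]:
        if not any(wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            resolved = substitute(res, thing_name)
            if resolved is not None and wildcard_match(resolved, arn):
                hits.append((stmt["Effect"], res))
    return hits


def is_allowed(policy, action, target, thing_name=None):
    """Default deny; an explicit Deny wins over any Allow."""
    hits = matching_statements(policy, action, target, thing_name)
    if any(effect == "Deny" for effect, _ in hits):
        return False
    return any(effect == "Allow" for effect, _ in hits)


def check_deployment_subscription(thing_name):
    """Replay the subscribe from the log under a resolved or unresolved thing name."""
    return is_allowed(POLICY, "iot:Subscribe", SUBSCRIBE_TOPIC, thing_name)


if __name__ == "__main__":
    for name in ("TestCustomerCoreDevice", None):
        print(f"thing={name!r}: deployment subscribe allowed = {check_deployment_subscription(name)}")
    print("subscribe data/.../test:",
          is_allowed(POLICY, "iot:Subscribe", "data/TestCustomerCoreDevice/test", "TestCustomerCoreDevice"))
```

Two things the replay makes visible. With the variable resolved, the deployment subscribe in the log is permitted by the `topicfilter/$aws/things/<thing>*/jobs/*` statement, so a rejection can only come from the variable not resolving (then no statement matches and the default is deny, which is what the `*` resource papers over). Independently of that, the first statement grants `iot:Subscribe` on `topic/data/...` ARNs, but subscribe requests are evaluated against `topicfilter/...`, so subscribing to `data/TestCustomerCoreDevice/test` is denied by this policy even when the variable resolves; a `topicfilter/data/${iot:Connection.Thing.ThingName}/*` resource is needed for that.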

3 Answers


As Kris wrote:

I have the same problem and found out that policy variables - like ${iot:Connection.Thing.ThingName} do not work with Greengrass Core devices: docs.aws.amazon.com/greengrass/v2/developerguide/… This would mean Greengrass fleet provisioning and the policy being used can only have * wildcards and cannot be scoped down with variables giving every device access to all resources.

DK_kbc

I cleaned up your policy a bit, since it had some duplicate information:

{
  "Statement": [
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

brushtakopo

Comment: I have the same problem and found out that policy variables - like ${iot:Connection.Thing.ThingName} do not work with Greengrass Core devices: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#:~:text=Developer%20Guide.-,Important,-Thing%20policy%20variables This would mean Greengrass fleet provisioning and the policy being used can only have * wildcards and cannot be scoped down with variables giving every device access to all resources. – Kris Feb 09 '23 at 16:07

I have investigated the same issue and I don't think this is the correct answer.

As @Kris mentioned, there is a statement on AWS that this is not possible, but I made some tests with a GreengrassV2 core on my Raspberry Pi which I deployed by automatic provisioning using the AWS console. I then followed the tutorial "Tutorial: Interact with local IoT devices over MQTT" and then added some policies with variables. I also restricted the topic to an attribute of the core device thing. And this works.

I have documented the policies and restrictions used:


The coreDeviceBase policy is for basic connection to IoT Core.

The coreDeviceClientSupport policy is specific for interacting with LocalThing.

The localServiceBase policy restricts the topics that are allowed to be bridged.

But I have the same problems as @DK_kbc while using fleet provisioning. So right now I'm trying to figure out if it is really a problem with fleet provisioning.

SanHolo