Greengrass v2 fleet provisioning - how to scale authorization policies.

0

I will have a fleet of Greengrass v2 devices which will be deployed to production environments using the fleet provisioning pattern. In the provisioning template I will specify a common IoT policy I have created for the devices. Each device will have its own serial number, which will also be the thing's name, and I want this serial number (thing name) to be used as a topic filter in the mentioned IoT policy so that Greengrass and other components on the device can only communicate on topics relevant to them. I want to use the ${iot:Connection.Thing.ThingName}* variable to filter the topics but:

The documentation for Greengrass v2 states:

Important: Thing policy variables (iot:Connection.Thing.*) aren't supported in AWS IoT policies for core devices or Greengrass data plane operations. Instead, you can use a wildcard that matches multiple devices that have similar names. For example, you can specify MyGreengrassDevice* to match MyGreengrassDevice1, MyGreengrassDevice2, and so on.

Does this mean the ${iot:Connection.Thing.ThingName}* variable specified in the common policy in my provisioning template won't work and my Greengrass Core devices will not be able to communicate with IoT Core?

If so, how can I achieve IoT policy authorization scaling with Greengrass devices? The suggested solution, specifying a * wildcard, will match any serial number and thus will not be secure enough.

K676
asked a year ago · 326 views
1 Answer
0

Hi, in order to scale policies with Greengrass you can leverage Certificate policy variables. They work in the same way as thing policy variables but their values are sourced from the device certificate.

The only thing you cannot scope down via policy variables is the iot:Connect resource. Greengrass might create multiple MQTT connections, and these connections use a clientId based on the thing name but with a postfix (e.g. coredevice, coredevice-1, etc.).

To scope down this action, craft a separate policy for each of the Greengrass Core devices containing only the iot:Connect action and a specific resource as shown below. Attach the policy to the certificate together with the other policies.

The policy is similar to the following, where <thingName> should be replaced with the literal thing name of the core device.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:region:account:client/<thingName>*"
      ]
    }
  ]
}
AWS EXPERT
answered a year ago
  • Policy variables don't seem to have much use, as the certificate properties are set by the certificate issuer; thus I do not have the ability to set them according to my needs and cannot set the serial number (thing name) according to my design. So this means the policy specified in the Greengrass fleet provisioning template needs to use a * wildcard for thing names? This in turn would also mean that by using the provisioning template, each Greengrass device in a fleet will have the same permissions to access everything, and then components, client devices and any other software running on the device (either using IPC to GGC or a proprietary MQTT software client using the same thing certificate) will need to publish and subscribe to relevant topics explicitly. Creating an additional policy to scope down the permissions to a <thingName*> requires an additional manual or eventually programmatic operation, which I wanted to avoid by specifying this in the provisioning template's policy resource.

  • You do have the ability to set certificate fields including common name among others. Certificates can be generated using a certificate signing request (CSR) which you have full control over.
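As an added illustration that is not part of the answer above, the following Python sketch builds the two policies the thread describes (a common policy keyed on the certificate Common Name, and a per-device iot:Connect policy with the literal thing name) and evaluates them the way IoT Core substitutes the variable at authorization time. The `devices/` topic namespace, region and account are assumptions, as is the CN being set to the serial number through the CSR as the last comment suggests.

```python
import re

# Certificate policy variable; resolved by IoT Core from the presented client certificate
CN_VAR = "${iot:Certificate.Subject.CommonName}"


def fleet_policy(region, account):
    """Common policy for the provisioning template. Topic access is scoped by the
    certificate CN, which the CSR is assumed to set to the device serial / thing name.
    The 'devices/' namespace is an assumption for this example."""
    base = f"arn:aws:iot:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": [f"{base}:topic/devices/{CN_VAR}/*"]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [f"{base}:topicfilter/devices/{CN_VAR}/*"]},
        ],
    }


def connect_policy(region, account, thing_name):
    """Per-device policy from the answer: iot:Connect cannot use policy variables,
    so the literal thing name is baked in; the trailing '*' covers the clientId postfix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["iot:Connect"],
                       "Resource": [f"arn:aws:iot:{region}:{account}:client/{thing_name}*"]}],
    }


def _arn_matches(pattern, arn):
    # IoT policy resources only support '*' as a multi-character wildcard
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def is_allowed(policies, action, arn, cert_cn):
    """Simplified evaluation: substitute the certificate CN into each Allow statement
    and check the requested ARN against the resource patterns (explicit Deny is not modelled)."""
    for pol in policies:
        for st in pol["Statement"]:
            if st["Effect"] != "Allow" or action not in st["Action"]:
                continue
            if any(_arn_matches(r.replace(CN_VAR, cert_cn), arn) for r in st["Resource"]):
                return True
    return False
```

A device whose certificate carries CN=SN001 is therefore confined to `devices/SN001/...` and `client/SN001*` without any per-device edit to the common policy; only the Connect policy remains per device.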
