- Newest
- Most votes
- Most comments
Hi, in order to scale policies with Greengrass you can leverage Certificate policy variables. They work in the same way as thing policy variables but their values are sourced from the device certificate.
The only thing you cannot scope down via policy variables is the iot:Connect
resource. Greengrass might create multiple MQTT connections, and these connections use clientId based on the thing name but with a postfix (eg coredevice
, coredevice-1
, etc).
To scope down this action, craft a separate policy or each of the Greengrass Core device containing only the iot:Connect
action and a specific resource as shown below. Attach the policy to the certificate together with the other policies.
The policy is similar to the following, where <thingName>
should be replaced with the literal thing name of the core device.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": [
"arn:aws:iot:region:account:client/<thingName>*"
]
}
}
Relevant content
- Accepted Answerasked 8 months ago
- Accepted Answerasked 2 years ago
- asked 3 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Policy variables don't seem to have much use as the certificate properties are set by the certificate issuer, thus I do not have ability to set them according to my needs and cannot set the serial number(thing name) according to my design. So this means the policy specified in Greengrass fleet provisioning template needs to use * wildcard for thingNames? This in turn would also mean that by using provisioning template, each Greengrass device in a fleet will have the same permissions to access everything and then components, client devices and any other software running on the device (either using IPC to GGC or proprietary MQTT software client using the same thing certificate) will need to publish and subscribe to relevant topics explicitly. Creating additional policy to scope down the permissions to a <thingName*> requires additional manual or eventually programmatic operation which I wanted to avoid by specifying this in provisioning template's policy resource.
You do have the ability to set certificate fields including common name among others. Certificates can be generated using a certificate signing request (CSR) which you have full control over.