How are you trying to access the shadow? I'm noticing that you are using the MQTT bridge component to bridge from PubSub to IoT Core. Generally you shouldn't need to do that, as components are able to publish directly to IoT Core. The Client Device Auth and MQTT Bridge components are only necessary if you are trying to connect external client devices to Greengrass.
Based on that stack trace, I suspect you are actually trying to access the shadow from a component, using the GetThingShadow IPC API. You can see the authorization failure log below:
com.aws.greengrass.shadowmanager.ipc.GetThingShadowRequestHandler: handle-get-thing-shadow. Not authorized to get shadow. {thing name=SliceOfPi, shadow name=count_topic} com.aws.greengrass.authorization.exceptions.AuthorizationException: Principal com.xxxxxxxxxx.productivity.cycle_count is not authorized to perform aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow on resource $aws/things/SliceOfPi/shadow/name/count_topic
...
You can fix this by updating the accessControl section for the cycle_count component.
https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html#ipc-local-shadow-authorization
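As an added illustration (not code from this post or from Greengrass), the snippet below parses the denial line quoted above and evaluates a hypothetical accessControl entry for the component's recipe against it; the component name is a placeholder, and the matching rule (literal resources with `*` as the only wildcard) is an assumption.

```python
import re

# Constructed copy of the AuthorizationException line from the question's log;
# the component name is a placeholder, not the poster's real component.
LOG_LINE = (
    "com.aws.greengrass.authorization.exceptions.AuthorizationException: "
    "Principal com.example.productivity.cycle_count is not authorized to perform "
    "aws.greengrass.ShadowManager:aws.greengrass#GetThingShadow "
    "on resource $aws/things/SliceOfPi/shadow/name/count_topic"
)
AUTHZ_RE = re.compile(
    r"Principal (?P<principal>\S+) is not authorized to perform "
    r"(?P<service>[^:\s]+):(?P<operation>\S+) on resource (?P<resource>\S+)"
)

# Hypothetical accessControl block for that component's recipe (under
# ComponentConfiguration.DefaultConfiguration): the failing operation on the failing topic only.
FIXED_ACCESS_CONTROL = {
    "aws.greengrass.ShadowManager": {
        "com.example.productivity.cycle_count:shadow:1": {
            "policyDescription": "Read the count_topic named shadow of SliceOfPi",
            "operations": ["aws.greengrass#GetThingShadow"],
            "resources": ["$aws/things/SliceOfPi/shadow/name/count_topic"],
        }
    }
}


def parse_authz_failure(line):
    """Extract principal (the component whose recipe to edit), service, operation, resource."""
    m = AUTHZ_RE.search(line)
    return m.groupdict() if m else None


def resource_matches(pattern, resource):
    """accessControl resources are literal except that '*' matches any characters."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, resource) is not None


def is_authorized(access_control, service, operation, resource):
    """True if a policy under `service` lists the operation (or '*') and a matching resource."""
    for policy in access_control.get(service, {}).values():
        ops = policy.get("operations", [])
        if operation in ops or "*" in ops:
            if any(resource_matches(p, resource) for p in policy.get("resources", [])):
                return True
    return False


def fix_covers_failure(line=LOG_LINE, access_control=FIXED_ACCESS_CONTROL):
    """Does the proposed accessControl satisfy the request the log says was denied?"""
    f = parse_authz_failure(line)
    return is_authorized(access_control, f["service"], f["operation"], f["resource"])
```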
There are two sets of permissions needed. The ones you noted (thanks for the detail!) are from a component perspective, but not for how the Nucleus and ShadowManager component interact with AWS IoT.
Most likely the permissions are missing from the Role Alias, or the IoT policy associated with the core device. Please check and see that, for the Role Alias, the permissions called out here, specifically AllowGreengrassAccessToShadows, are included. If they are, check the IoT policy.
Please let me know if this addresses your problem or if you have other details.
Thanks @Gavin_A. I posted an "Answer" because the text was too long for a comment.
Too long to make this a comment. My service role currently looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGreengrassAccessToShadows",
      "Action": [
        "iot:DeleteThingShadow",
        "iot:GetThingShadow",
        "iot:UpdateThingShadow"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:*:*:thing/GG_*",
        "arn:aws:iot:*:*:thing/*-gcm",
        "arn:aws:iot:*:*:thing/*-gda",
        "arn:aws:iot:*:*:thing/*-gci"
      ]
    },
    {
      "Sid": "AllowGreengrassToDescribeThings",
      "Action": [
        "iot:DescribeThing"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:*:*:thing/*"
    },
    {
      "Sid": "AllowGreengrassToDescribeCertificates",
      "Action": [
        "iot:DescribeCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:*:*:cert/*"
    },
    {
      "Sid": "AllowGreengrassToCallGreengrassServices",
      "Action": [
        "greengrass:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowGreengrassToGetLambdaFunctions",
      "Action": [
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowGreengrassToGetGreengrassSecrets",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:*:*:secret:greengrass-*"
    },
    {
      "Sid": "AllowGreengrassAccessToS3Objects",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*Greengrass*",
        "arn:aws:s3:::*GreenGrass*",
        "arn:aws:s3:::*greengrass*",
        "arn:aws:s3:::*Sagemaker*",
        "arn:aws:s3:::*SageMaker*",
        "arn:aws:s3:::*sagemaker*"
      ]
    },
    {
      "Sid": "AllowGreengrassAccessToS3BucketLocation",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "AllowGreengrassAccessToSageMakerTrainingJobs",
      "Action": [
        "sagemaker:DescribeTrainingJob"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sagemaker:*:*:training-job/*"
      ]
    }
  ]
}
Right at the top it looks like I am allowed shadow access.
The resources for the shadow actions look to be different from the shadow you're trying to get. This is from your logs:
$aws/things/SliceOfPi/shadow/name/count_topic
but the resource filters are:
"arn:aws:iot:*:*:thing/GG_*", "arn:aws:iot:*:*:thing/*-gcm", "arn:aws:iot:*:*:thing/*-gda", "arn:aws:iot:*:*:thing/*-gci"
which don't match. To test, try adding the resource
arn:aws:iot:*:*:thing/SliceOfPi
and see what the log file shows.
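Added example, not from the thread: it derives the thing ARN from the shadow topic in the log and checks it against the Resource patterns of the posted AllowGreengrassAccessToShadows statement using IAM's `*`/`?` wildcard rules, then repeats the check with the suggested SliceOfPi resource added. Region and account are placeholders; the wildcards in those positions match anything.

```python
import re

# Constructed from the question: the shadow topic in the log and the Resource
# list of the AllowGreengrassAccessToShadows statement in the posted role policy.
SHADOW_TOPIC = "$aws/things/SliceOfPi/shadow/name/count_topic"
POSTED_RESOURCES = [
    "arn:aws:iot:*:*:thing/GG_*",
    "arn:aws:iot:*:*:thing/*-gcm",
    "arn:aws:iot:*:*:thing/*-gda",
    "arn:aws:iot:*:*:thing/*-gci",
]
SUGGESTED_RESOURCE = "arn:aws:iot:*:*:thing/SliceOfPi"
# Placeholder region/account (assumed values); the policy's '*' covers both.
REGION, ACCOUNT = "us-east-1", "123456789012"


def thing_name_from_shadow_topic(topic):
    """'$aws/things/<thing>/shadow[/name/<shadow>]' -> '<thing>'."""
    m = re.match(r"^\$aws/things/([^/]+)/shadow(?:/|$)", topic)
    if not m:
        raise ValueError(f"not a shadow topic: {topic}")
    return m.group(1)


def thing_arn(thing_name, region=REGION, account=ACCOUNT):
    """ARN form the iot:*ThingShadow actions are authorized against."""
    return f"arn:aws:iot:{region}:{account}:thing/{thing_name}"


def iam_resource_matches(pattern, arn):
    """IAM Resource wildcards: '*' matches any run of characters (':' and '/'
    included), '?' matches exactly one; everything else is a case-sensitive literal."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def matching_patterns(resources, topic):
    """Return the Resource entries that cover the thing behind a shadow topic."""
    arn = thing_arn(thing_name_from_shadow_topic(topic))
    return [p for p in resources if iam_resource_matches(p, arn)]


if __name__ == "__main__":
    print("posted policy covers:", matching_patterns(POSTED_RESOURCES, SHADOW_TOPIC))
    widened = POSTED_RESOURCES + [SUGGESTED_RESOURCE]
    print("with SliceOfPi added:", matching_patterns(widened, SHADOW_TOPIC))
```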
It appears that IPC permissions are missing for aws.greengrass#GetThingShadow.
Please take a look at the following guide for allowing access: https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-local-shadows.html
Thank you for that. Where do these permissions go? ShadowManager? Auth? Bridge?
OH MY GOSH!!! So helpful!!! WOW! I thought the bridge and auth were necessary for that based on some AWS tutorials. Thanks a BUNCH for clearing that up.
This was super helpful. Part of the key was that I don't need auth or bridge. That simplified things quite a bit and cleared my confusion up. The link referenced was also pointed to by @Joseph Cosentino. The game changer was simplifying.