By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Greengrass subscribe to wildcard topic - authorization failure

0

We are attempting to subscribe to a wildcard topic: test/things/+/topic

Our accessControl has the following poicy:

"accessControl": {
  "aws.greengrass.ipc.pubsub": {
    "com.component.test:pubsub:1": {
      "policyDescription": "test policy",
      "operations": [
        "aws.greengrass#SubscribeToTopic"
      ],
      "resources": [
        "test/things/+/topic"
      ]
    }
  }
}

But we're getting the following error saying the component is not authorized to subscribe to that topic:

2023-10-27T21:54:49.498Z [INFO] (Copier) com.component.test: stdout. {'time':'2023-10-27 14:54:49,498', 'name': 'awsiot.eventstreamrpc', 'level': '20', 'msg': '<awsiot.greengrasscoreipc.client.SubscribeToTopicOperation object at 0x0000021FE84FDEA0> received #1 APPLICATION_ERROR [Header(':content-type', 'application/json', <HeaderType.STRING: 7>), Header('service-model-type', 'aws.greengrass#UnauthorizedError', <HeaderType.STRING: 7>), Header(':message-type', 1, <HeaderType.INT32: 4>), Header(':message-flags', 2, <HeaderType.INT32: 4>), Header(':stream-id', 1, <HeaderType.INT32: 4>)] b'{"message":"Principal com.component.test is not authorized to perform aws.greengrass.ipc.pubsub:aws.greengrass#SubscribeToTopic on resource test/things/+/topic","_service":"aws.greengrass#GreengrassCoreIPC","_message":"*Principal com.component.test is not authorized to perform aws.greengrass.ipc.pubsub:aws.greengrass#SubscribeToTopic on resource test/things/+/topic*","_errorCode":"UnauthorizedError"}''}. {scriptName=services.com.component.test.lifecycle.Run.Script, serviceName=com.component.test, currentState=RUNNING}

This code works when we don't use wildcards.

Using Nucleus 2.11.2 and awsiotsdk==1.11.9, which supports Wildcards per https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-publish-subscribe.html

asked a year ago328 views
1 Answer
2
Accepted Answer

Hello,

Please make sure the access control is properly formed. What you posted excludes the service which must be aws.greengrass.ipc.pubsub. See the examples provided in https://docs.aws.amazon.com/greengrass/v2/developerguide/ipc-publish-subscribe.html#ipc-publish-subscribe-authorization.

Ex:

"aws.greengrass.ipc.pubsub": {
  "com.component.test:pubsub:1": {
    "policyDescription": "test policy",
    "operations": [
      "aws.greengrass#SubscribeToTopic"
    ],
    "resources": [
      "test/things/+/topic"
    ]
  }
}

If you are changing the default configuration in your component, then make sure that you deploy the new default configuration values by using reset: [""] in the deployment configuration update.

Also ensure that the policy name is unique within the device.

Cheers,

Michael

AWS
EXPERT
answered a year ago
profile pictureAWS
EXPERT
reviewed a year ago
  • I excluded the top level part of the object, let me update. It includes what you mentioned above. The policy name is unique. Again, everything works when we don't use wildcards.

  • Using the greengrass local CLI or local debug console, please look at the active configuration for this component and post it.

  • I was just able to verify myself using Nucleus 2.11.3 (which has no changes relevant to this compared to 2.11.2). I am able to subscribe to test/things/+/topic when authorized only for subscribe to topic with test/things/+/topic as the resource.

  • Yep, the active configuration was not updated correctly. IoT Core showed the correct default settings, but when we looked at the local config via the CLI is was showing the old version. This appears to be a problem in our deployment pipeline.

    Thank you for your help! Marking as resolved.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions