AWS Greengrass V2 fleet provisioning thing policy problem

Question (votes: 0, answers: 3)

I am currently trying to set up Greengrass V2 fleet provisioning (on an EC2 instance with the required ports open). I have created the certificates and configured the thing / core device.

I want this to be production-ready, so I used the minimal Greengrass core IoT policy: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot-policy

This is my policy:

{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

The problem is that I cannot get deployments for the thing group. The Greengrass core device always disconnects. Log messages:

[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]

If I now allow the subscribe resource:

"arn:aws:iot:eu-central-1:123123123123:*"

it works, but that is not what I want for production. I think it has to do with the topicfilter/$aws resource, but I cannot figure out what the problem is.

After that I can also subscribe to the topic data/TestCustomerCoreDevice/test

Does anyone know how to solve this?

Thanks in advance!

amazon-web-services aws-iot aws-iot-core aws-iot-greengrass
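An added example, not from the question or its answers: a small Python simulator of AWS IoT policy evaluation that substitutes ${iot:Connection.Thing.ThingName} into the question's own Subscribe resources and checks them against the job topic from the DEBUG log line. The region, account id and thing name are the placeholders from the question; the handling of an unresolvable variable (no thing bound to the connection leaves the resource unmatched) is a modelling assumption, not AWS code.

```python
import json
import re

REGION, ACCOUNT = "eu-central-1", "123123123123"   # placeholder ids copied from the question
THING = "TestCustomerCoreDevice"                   # core device name seen in the DEBUG log line
VAR = "${iot:Connection.Thing.ThingName}"          # AWS IoT thing policy variable

# Constructed sample: the question's first and third statements, unchanged.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["iot:Publish", "iot:Subscribe", "iot:Receive", "iot:Connect"],
  "Resource": ["arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
               "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"]},
 {"Effect": "Allow", "Action": ["iot:Subscribe"],
  "Resource": ["arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
               "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"]}]}""")

def arn_matches(pattern, value):
    # '*' in a policy Action/Resource matches any run of characters, '/' included;
    # re.escape keeps the literal '$' of '$aws' from being read as a regex anchor.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def resolve(resource, thing_name):
    # Modelling assumption (not AWS code): a variable that cannot be resolved because no
    # thing is bound to the connection leaves the resource unmatched, not empty.
    if VAR in resource and not thing_name:
        return None
    return resource.replace(VAR, thing_name)

def is_allowed(policy, action, topic, thing_name):
    """Explicit Deny wins, otherwise any matching Allow grants the request.
    iot:Subscribe is checked against topicfilter/ ARNs, Publish/Receive against topic/."""
    kind = "topicfilter" if action == "iot:Subscribe" else "topic"
    arn, allowed = f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{topic}", False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(arn_matches(a, action) for a in actions):
            continue
        for res in resources:
            pat = resolve(res, thing_name)
            if pat is not None and arn_matches(pat, arn):
                if st["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

# Topic from the DEBUG log line in the question (job id as quoted there).
JOB_TOPIC = ("$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2"
             "/namespace-aws-gg-deployment/update/rejected")
```

With the thing name resolved the job subscription is allowed, with no thing bound it is not, and a Subscribe to data/TestCustomerCoreDevice/test is refused because the first statement only lists a topic/ ARN, not a topicfilter/ ARN.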
3 answers

1 vote

As Kris wrote:

I had the same problem and found that policy variables such as ${iot:Connection.Thing.ThingName} do not work for Greengrass core devices: docs.aws.amazon.com/greengrass/v2/developerguide/… This means that Greengrass fleet provisioning and the policy it uses can only have the * wildcard, which gives every device access to all resources, and cannot be narrowed down with variables.


0 votes

I cleaned up your policy a bit because it contained duplicated information:

{
"Statement": [
  {
    "Action": [
      "iot:Connect"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}"
  },
  {
    "Action": [
      "iot:Subscribe"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
      "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
    ]
  },
  {
    "Action": [
      "iot:Receive",
      "iot:Publish"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrass/health/json",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrassv2/health/json",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
    ]
  },
  {
    "Action": [
      "greengrass:ResolveComponentCandidates",
      "greengrass:Get*",
      "greengrass:List*",
      "greengrass:Describe*",
      "greengrass:Resolve*",
      "greengrass:PutCertificateAuthorities"
    ],
    "Effect": "Allow",
    "Resource": "*"
  },
  {
    "Action": "iot:AssumeRoleWithCertificate",
    "Effect": "Allow",
    "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
  }
],
"Version": "2012-10-17"
}


0 votes

I looked into the same problem, but I don't think this is the correct answer.

As @Kris mentioned, there is a statement from AWS saying this is not possible, but I did some tests with Greengrass V2 Core on my Raspberry Pi, deployed through automatic provisioning in the AWS console. I then followed the tutorial Tutorial: Interact with local IoT devices over MQTT and added some policies with variables. I also restricted the topics to attributes of the core device thing. That worked.

I have documented the policies used and their restrictions:

The coreDeviceBase policy is for the basic connection to IoT Core.

The coreDeviceClientSupport policy is specific to interacting with the LocalThing.

The localServiceBase policy restricts the topics that are allowed to be bridged.

However, when using fleet provisioning I ran into the same problem as @DK_kbc. So now I am trying to figure out whether this really is a fleet provisioning problem.
