堆棧內存溢出
  簡體   English   中英

AWS Greengrass V2 Fleet Provisioning 事物策略問題

[英]AWS Greengrass V2 Fleet Provisioning thing policy problem

 原文  2023-01-05 09:24:15       amazon-web-services/ aws-iot/ aws-iot-core/ greengrass/ aws-iot-greengrass

問題描述

我目前想要設置 GreengrassV2 隊列配置(在所需端口打開的 EC2 實例上)。 我已經構建了證書並配置了事物/核心設備。

我想讓這個生產就緒,所以我使用了最小的 greengrass 核心物聯網策略: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#greengrass-core-minimal-iot -政策

這是我的政策:

{
  "Statement": [
    {
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
      ]
    },
    {
      "Action": [
        "iot:Connect"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}*"
    },
    {
      "Action": [
        "iot:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*",
      ]
    },
    {
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrass/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/greengrassv2/health/json",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/jobs/*",
        "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}*/shadow/*"
      ]
    },
    {
      "Action": [
        "greengrass:ResolveComponentCandidates",
        "greengrass:Get*",
        "greengrass:List*",
        "greengrass:Describe*",
        "greengrass:Resolve*",
        "greengrass:PutCertificateAuthorities"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iot:AssumeRoleWithCertificate",
      "Effect": "Allow",
      "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
    }
  ],
  "Version": "2012-10-17"
}

問題是我無法獲得事物組的部署。 greengrass 核心設備總是斷開連接日志消息:

[...]
2023-01-05T08:58:18.602Z [DEBUG] (pool-2-thread-37) com.aws.greengrass.mqttclient.AwsIotMqttClient: Subscribing to topic. {clientId=TestCustomerCoreDevice, qos=AT_LEAST_ONCE, topic=$aws/things/TestCustomerCoreDevice/jobs/12312397-1d2d-1d2d-1d2d-01de629ddcf2/namespace-aws-gg-deployment/update/rejected}
com.aws.greengrass.mqtt.bridge.clients.MQTTClient: Unable to connect. Will be retried after 120 seconds
[...]

如果我現在允許訂閱資源:

“arn:aws:iot:eu-central-1:123123123123:*”

它有效 - 但這不是我想要的生產。 我認為這與 topicfilter/$aws 資源有關,但我無法弄清楚問題是什么。

之后我還可以訂閱主題 data/TestCustomerCoreDevice/test

有人知道如何解決這個問題嗎?

提前致謝!

1 個解決方案

解決方案1
 0  2023-01-05 09:50:54

我清理了一些你的政策,因為它有點重復信息:

{
"Statement": [
  {
    "Action": [
      "iot:Connect"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:iot:eu-central-1:123123123123:client/${iot:Connection.Thing.ThingName}"
  },
  {
    "Action": [
      "iot:Subscribe"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
      "arn:aws:iot:eu-central-1:123123123123:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*"
    ]
  },
  {
    "Action": [
      "iot:Receive",
      "iot:Publish"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrass/health/json",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/greengrassv2/health/json",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/data/${iot:Connection.Thing.ThingName}/*",
      "arn:aws:iot:eu-central-1:123123123123:topic/cmd/${iot:Connection.Thing.ThingName}/*"
    ]
  },
  {
    "Action": [
      "greengrass:ResolveComponentCandidates",
      "greengrass:Get*",
      "greengrass:List*",
      "greengrass:Describe*",
      "greengrass:Resolve*",
      "greengrass:PutCertificateAuthorities"
    ],
    "Effect": "Allow",
    "Resource": "*"
  },
  {
    "Action": "iot:AssumeRoleWithCertificate",
    "Effect": "Allow",
    "Resource": "arn:aws:iot:eu-central-1:123123123123:rolealias/TerraformGreengrassCoreTokenExchangeRoleAlias"
  }
],
"Version": "2012-10-17"

}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 aws-iot-sdk-v2 JS 的 AWS Greengrass V2 節點發布問題 為什么 AWS 隊列配置插件不在雲中創建 Greengrass Core 設備? Greengrass V2 生成額外的“stdout”日志 AWS GoLang SDK 版本 2 和物聯網核心隊列配置 AWS Java SDK V2中的package software.amazon.awssdk.core.auth.policy go在哪里? 滿足某些條件時獲取 greengrass v2 作業(組件更新) 關閉 AWS 中的 IdleConnectionReaper Java SDK v2 terraform aws serverless v2 多可用區 如何從 AWS WAF v1 升級到 WAF V2 從 AWS Aurora Serverless v1 升級到 v2 失敗
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM