格林格拉斯V2不断地给我未经授权的MqttProxyIPCAgent

Question

我有以下格林格拉斯V2自定义食谱：

---
RecipeFormatVersion: "2020-01-25"
ComponentName: com.savic.Telemetry
ComponentVersion: 1.0.12
ComponentDescription: Vehicle telemetry consisting of CAN and additional messages
ComponentPublisher: ##############
ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/{configuration:/Environment}/telemetry/events
Manifests:
  - Platform:
      os: linux
    Lifecycle:
      Setenv:
        SAVICMC_ENV: "{configuration:/Environment}"
        SAVIC_SENDLOG_PATH: "/var/log/sendLog.txt"
        SAVIC_SAMPLE_RATE: 10
        SAVIC_TELEMETRY_TOPIC: "savicmc/{configuration:/Environment}/telemetry/events"
      Install:
        RequiresPrivilege: true
        script: python3 -m pip install --user awsiotsdk
      Run:
        RequiresPrivilege: true
        script: python3 -u {artifacts:path}/telemetry.py
    Artifacts:
      - Uri: s3://greengrass-components-#############-############/artifacts/com.savic.Telemetry/1.0.12/telemetry.py
        Permission:
          Execute: OWNER

注意:我还尝试了accessControl的一个变体：

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:mqttproxy:2:

 ------ AND --------

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:pubsub:2:

(注: pubsub mqttproxy)

然而，在我的greengrass.log中，我不断地得到以下内容：

2022-01-24T06:29:45.178Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 1141, Class ServerConnection, Refs 1](2022-01-24T06:29:45.178120Z) - <null>. {}
2022-01-24T06:29:45.181Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.savic.Telemetry. {}
2022-01-24T06:29:45.184Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.savic.Telemetry. {}
2022-01-24T06:29:45.185Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.savic.Telemetry. {}
2022-01-24T06:29:45.191Z [INFO] (Thread-8) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

注意：

com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

我的设备证书也有一个允许iot:*和greengrass:*的策略，所以从Policy/IAM的角度来看，我可以发布。

你知道我为什么要在设备上得到未经授权吗？

Answer 1

在食谱的生命周期部分中只支持食谱变量。因此，{configuration:/Environment}字符串在accessControl中不解析为您所期望的值。

savicmc/{configuration:/Environment}/telemetry/events

默认情况下，可以将默认accessControl更改为使用Environment值，因此组件在使用默认值时按预期工作。

ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/nonprod/telemetry/events

当配置和部署组件具有不同的Environment值时，也可以在accessControl中更新主题。例如，可以指定以下配置合并更新将Environment和资源主题更改为prod。

{
  "Environment": "prod"
  "accessControl": {
    "aws.greengrass.ipc.mqttproxy": {
      "com.savic.Telemetry:pubsub:2": {
        "resources": {
          "savicmc/prod/telemetry/events
        }
      }
    }
  }
}