Greengrass V2 不断给我 MqttProxyIPCAgent Not Authorized

Greengrass V2 continuously giving me MqttProxyIPCAgent Not Authorized

我有以下 Greengrass V2 自定义配方:

---
RecipeFormatVersion: "2020-01-25"
ComponentName: com.savic.Telemetry
ComponentVersion: 1.0.12
ComponentDescription: Vehicle telemetry consisting of CAN and additional messages
ComponentPublisher: ##############
ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/{configuration:/Environment}/telemetry/events
Manifests:
  - Platform:
      os: linux
    Lifecycle:
      Setenv:
        SAVICMC_ENV: "{configuration:/Environment}"
        SAVIC_SENDLOG_PATH: "/var/log/sendLog.txt"
        SAVIC_SAMPLE_RATE: 10
        SAVIC_TELEMETRY_TOPIC: "savicmc/{configuration:/Environment}/telemetry/events"
      Install:
        RequiresPrivilege: true
        script: python3 -m pip install --user awsiotsdk
      Run:
        RequiresPrivilege: true
        script: python3 -u {artifacts:path}/telemetry.py
    Artifacts:
      - Uri: s3://greengrass-components-#############-############/artifacts/com.savic.Telemetry/1.0.12/telemetry.py
        Permission:
          Execute: OWNER

注意:我还尝试了 accessControl 的变体:

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:mqttproxy:2:

 ------ AND --------

  aws.greengrass.ipc.mqttproxy:
    com.savic.Telemetry:pubsub:2:

(注意:pubsub 与 mqttproxy)

但是,在我的 greengrass.log 中,我不断收到以下信息:

2022-01-24T06:29:45.178Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.RpcServer: New connection code [AWS_ERROR_SUCCESS] for [Id 1141, Class ServerConnection, Refs 1](2022-01-24T06:29:45.178120Z) - <null>. {}
2022-01-24T06:29:45.181Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: aws.greengrass#GreengrassCoreIPC authenticated identity: com.savic.Telemetry. {}
2022-01-24T06:29:45.184Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Connection accepted for com.savic.Telemetry. {}
2022-01-24T06:29:45.185Z [INFO] (Thread-8) software.amazon.awssdk.eventstreamrpc.ServiceOperationMappingContinuationHandler: Sending connect response for com.savic.Telemetry. {}
2022-01-24T06:29:45.191Z [INFO] (Thread-8) com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

注意:

com.aws.greengrass.builtin.services.mqttproxy.MqttProxyIPCAgent: Not Authorized. {error=Principal com.savic.Telemetry is not authorized to perform aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore on resource savicmc/nonprod/telemetry/events}

My Thing 设备证书也有允许 iot:*greengrass:* 的策略,因此从 Policy/IAM 的角度来看,我可以发布。

为什么我在设备上收到未授权的任何想法?

Recipes variables 仅在配方的生命周期部分受支持。因此,accessControl 中的 {configuration:/Environment} 字符串未解析为您期望的值。

savicmc/{configuration:/Environment}/telemetry/events

您可以将默认值 accessControl 更改为默认使用 Environment 的值,这样当您使用默认值时组件将按预期工作。

ComponentConfiguration:
  DefaultConfiguration:
    Environment: nonprod
    accessControl:
      aws.greengrass.ipc.mqttproxy:
        com.savic.Telemetry:pubsub:2:
          policyDescription: Allows access to publish to telemetry topic
          operations:
            - aws.greengrass#PublishToIoTCore
          resources:
            - savicmc/nonprod/telemetry/events

当您 configure and deploy the component with a different value for Environment, you can also update the topic in accessControl. For example, you can specify the following configuration merge updateEnvironment 和资源主题更改为 prod 时。

{
  "Environment": "prod"
  "accessControl": {
    "aws.greengrass.ipc.mqttproxy": {
      "com.savic.Telemetry:pubsub:2": {
        "resources": {
          "savicmc/prod/telemetry/events
        }
      }
    }
  }
}