aws-greengrass / aws-greengrass-shadow-manager

A GreengrassV2 Component that provides offline device shadow documents and optional synchronization to the IoT device shadow service.
Apache License 2.0

How to use IoT policy thing variables ? #200

Closed sv3ndk closed 10 months ago

sv3ndk commented 10 months ago

Describe the bug

I apologize, this is probably more my own misunderstanding than a bug, although I can't figure out why my setup fails.

When my python component is updating or deleting a named shadow via IPC and when using an IoT policy containing thing policy variables for the iot:UpdateThingShadow action, the shadow manager is forbidden to synchronize up to AWS.

When replacing the thing policy variable with a hardcoded thing name, the shadow manager works successfully.

The python component has otherwise been working successfully on multiple instances for a while though; it's already using IPC to interact with AWS, and we already use one single IoT policy for all IoT things, using a thing policy variable, for example when publishing to MQTT via IPC:

    {
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:RetainPublish"
      ],
      "Resource": [
        "arn:aws:iot:eu-west-1:111111111111:topic/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:eu-west-1:111111111111:topic/$aws/things/${iot:Connection.Thing.ThingName}*"
      ],
      "Effect": "Allow"
    },

To Reproduce

    {
      "Action": [
        "iot:GetThingShadow",
        "iot:UpdateThingShadow",
        "iot:DeleteThingShadow"
      ],
      "Resource": [
        "arn:aws:iot:eu-west-1:111111111111:thing/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:eu-west-1:111111111111:thing/${iot:Connection.Thing.ThingName}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "iot:ListNamedShadowsForThing"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },

Expected behavior

Shadow update should be propagated to AWS

Actual behavior

Service returned error code ForbiddenException (Service: IotDataPlane, Status Code: 403,

Environment

Additional context

When replacing ${iot:Connection.Thing.ThingName} with one hard-coded thing name, the shadow manager succeeds in synchronizing its state to AWS, but of course that would force me to create one IoT policy per IoT thing, which quickly becomes impractical.

I'm sure I'm doing something wrong in my config, could you help me spot where? Thanks a lot in advance!

MikeDombo commented 10 months ago

Hello,

IoT connection policy variables are not supported. You may use IoT certificate policy variables or specify the exact/wildcard name. https://docs.aws.amazon.com/iot/latest/developerguide/cert-policy-variables.html

Also see previous answers here: https://repost.aws/questions/QUOvz_sVB1RjOUlJRclfXrOw/secure-iot-policy-for-shadowmanager-shadow-actions#ANAdZ-7t5FRv6mtmync5Egnw.
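As an added illustration of the suggested fix (this is not code from the issue or from the Shadow Manager project): a small Python lint that flags shadow-action statements still using `${iot:Connection.Thing.*}` variables and rewrites them to the certificate policy variable `${iot:Certificate.Subject.CommonName}`. It assumes each device certificate's CN is set to the thing name at provisioning; the policy document is a constructed copy of the statements in the issue.

```python
import json
import re

# Constructed sample: the shadow statements from the issue, using the
# Thing connection variable that Shadow Manager cannot resolve.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow"],
            "Resource": [
                "arn:aws:iot:eu-west-1:111111111111:thing/${iot:Connection.Thing.ThingName}",
                "arn:aws:iot:eu-west-1:111111111111:thing/${iot:Connection.Thing.ThingName}/*",
            ],
            "Effect": "Allow",
        },
        {"Action": ["iot:ListNamedShadowsForThing"], "Resource": ["*"], "Effect": "Allow"},
    ],
}

SHADOW_ACTIONS = {"iot:GetThingShadow", "iot:UpdateThingShadow", "iot:DeleteThingShadow"}
CONNECTION_VAR = re.compile(r"\$\{iot:Connection\.Thing\.[A-Za-z]+\}")
# Assumption: every device certificate's CN equals its thing name.
CERT_VAR = "${iot:Certificate.Subject.CommonName}"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def find_unsupported(policy):
    """Return (statement index, resource) pairs where a shadow statement
    relies on a Thing connection variable (unsupported for Shadow Manager)."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not SHADOW_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        hits.extend((i, r) for r in _as_list(stmt.get("Resource", [])) if CONNECTION_VAR.search(r))
    return hits


def rewrite(policy):
    """Return a deep copy with the flagged variables replaced by CERT_VAR."""
    fixed = json.loads(json.dumps(policy))
    for i in {i for i, _ in find_unsupported(policy)}:
        stmt = fixed["Statement"][i]
        stmt["Resource"] = [CONNECTION_VAR.sub(lambda m: CERT_VAR, r) for r in _as_list(stmt["Resource"])]
    return fixed


if __name__ == "__main__":
    print(json.dumps(rewrite(SAMPLE_POLICY), indent=2))
```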

sv3ndk commented 10 months ago

Thanks for the quick update and the links.

Ok, I see, that's quite a pity; once my things are in the wild, I'd rather restrict as much as possible their ability to update anything other than their own data (I can't imagine anybody would want otherwise in prod?).

I'll try to find a solution that works for me based on the pointers you sent me.

Thanks again