aws-greengrass / aws-greengrass-shadow-manager

A GreengrassV2 Component that provides offline device shadow documents and optional synchronization to the IoT device shadow service.
Apache License 2.0

Pass x-amzn-iot-thingname header when authenticating to IoT Data Plane #207

Closed supergillis closed 3 weeks ago

supergillis commented 1 month ago

Describe the bug
The IotDataPlaneClientFactory is not passing the thing name as the x-amzn-iot-thingname HTTP header. This prevents us from using IoT Core policy variables like iot:Connection.Thing.ThingName.

To Reproduce
Use ${iot:Connection.Thing.ThingName} in the IoT Core policy for iot:*ThingShadow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iot:GetThingShadow",
        "iot:UpdateThingShadow",
        "iot:DeleteThingShadow",
        "iot:ListNamedShadowsForThing"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iot:eu-west-1:xxxxxxxxxxx:thing/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:eu-west-1:xxxxxxxxxxx:thing/${iot:Connection.Thing.ThingName}/*"
      ]
    }
  ]
}

Expected behavior
The AWS IoT Core policy using the policy variable iot:Connection.Thing.ThingName should work.

Actual behavior
Synchronizing shadows with the shadow manager does not work. You have to set Resource to * for it to work.

saranyailla commented 3 weeks ago

Hi, thank you for using the component and for bringing this to our attention again.

The policy variable iot:Connection.Thing.ThingName is available only when a device connects over MQTT or MQTT over the WebSocket protocol, as mentioned in the documentation here. But the Shadow manager component uses HTTP requests to make IoT Data Plane operations for shadows, so IoT policy variables are not interpolated as expected in this case; this is also called out in the documentation here.

We'll add this to our backlog as a possible enhancement and look into this further.
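The thread raises two policy-review points a practitioner would want to check before deploying the shadow manager: the reporter's workaround of setting Resource to * grants shadow actions on every thing, and the maintainer's note that the iot:Connection.Thing.ThingName variable is only interpolated for MQTT connections, so a thing-scoped statement does not take effect for the component's HTTP calls. The following audit script is an added example written for this page, not code from the aws-greengrass-shadow-manager project or AWS; the two policy documents, the account id 000000000000 and the `protocol` parameter are constructed for illustration.

```python
"""Audit an AWS IoT Core policy for over-broad or ineffective shadow grants.

Added example for this issue thread; not project code. Sample policies and
the account id are constructed. The HTTP rule encodes the maintainer's point
that thing policy variables are interpolated only for MQTT / MQTT-over-WSS.
"""
import json
import re

THING_NAME_VAR = "${iot:Connection.Thing.ThingName}"
# Actions that touch device shadows, including the iot:* and iot:*ThingShadow forms.
SHADOW_ACTION = re.compile(r"^iot:(\*|.*ThingShadow.*|ListNamedShadowsForThing)$")

# Constructed sample: the workaround from the report, Resource set to "*".
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow",
                   "iot:DeleteThingShadow", "iot:ListNamedShadowsForThing"],
        "Effect": "Allow",
        "Resource": "*",
    }],
})

# Constructed sample: the thing-scoped policy the reporter wanted to use.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["iot:GetThingShadow", "iot:UpdateThingShadow"],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:iot:eu-west-1:000000000000:thing/" + THING_NAME_VAR,
            "arn:aws:iot:eu-west-1:000000000000:thing/" + THING_NAME_VAR + "/*",
        ],
    }],
})


def _as_list(value):
    """IoT policies allow a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_shadow_policy(policy_json, protocol="MQTT"):
    """Return (statement_index, resource, reason) findings for Allow statements
    that grant shadow actions.

    protocol: "MQTT" (variable is interpolated) or "HTTP" (it is not, so a
    statement relying on it cannot match the shadow manager's requests).
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(SHADOW_ACTION.match(a) for a in _as_list(stmt.get("Action", []))):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append((idx, res, "wildcard resource"))
            elif THING_NAME_VAR not in res:
                findings.append((idx, res, "not thing-scoped"))
            elif protocol.upper() == "HTTP":
                findings.append((idx, res, "policy variable not interpolated over HTTP"))
    return findings


if __name__ == "__main__":
    for name, doc in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        for proto in ("MQTT", "HTTP"):
            print(name, proto, audit_shadow_policy(doc, protocol=proto))
```

Run against the thing-scoped policy with protocol="MQTT" the audit is clean; with protocol="HTTP", which is how the shadow manager reaches the data plane according to the maintainer, every thing-scoped resource is flagged, and the wildcard workaround is flagged in both modes. This makes the trade-off in the thread explicit: until the component can rely on the thing-name variable, the reviewer has to choose between a policy that does not match and one that is broader than a single thing.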