dkdiaz
commented
4 years ago Hi @kennu - I'm sorry that you're having problems with the IoT policy. Unfortunately, thing policy variables aren't supported in the core policy. I updated the sample policy section to note this restriction in the developer guide. We also have an ongoing task to improve our security documentation, which includes adding more policy examples. If you would like more information about developing your policy, can you please open an issue in the AWS IoT Greengrass Forum? Members of the Greengrass team actively monitor the forum and should be able to help. Thank you.
kennu
The Minimal Greengrass IoT policy documented in https://github.com/awsdocs/aws-greengrass-developer-guide/blame/master/doc_source/device-auth.md#L112 provides a sample policy that requires you to hard-code the Thing Names and Greengrass Group IDs into the policy statements.
It would be very helpful to add an example of a generic policy that uses IoT policy variables like
${iot:Connection.Thing.ThingName}and${iot:Connection.Thing.Attributes[greengrassGroupId]}to avoid hard-coding the Thing Names and Greengrass Group IDs. Such a policy could be shared by all deployed Greengrass Cores, eliminating the need to deploy hundreds or thousands of separate policies.I have been developing such a policy myself recently and it's very difficult to get it right. As a developer there is no visibility to what the current values of policy variables are and debugging is a lot of trial-and-error work. Therefore it would be quite valuable to have an AWS-provided example as a reference.