clogwog closed 2 years ago
Diving into the code a bit, it looks like the stream-name is being passed into createCurlIotCredentialProviderWithTime as the thingName. Is there a reason for this?
Would this whole 1 stream per thingname be solved by adding an extra 'thingname' to the parameters and using that to get the authentication token, then using stream-name for.. you know.. the name of the stream?
Then letting the policy on the backend limit access to whatever you like.. but don't enforce the stream-name and thing-name need to be linked at this stage?
Closing since PR is merged.
So has this ever been solved? We are experiencing exactly the same issues and cannot send any other streams, only where thingName = streamName. @clogwog did you manage to solve this? If so, please share the solution :) Thanks.
@Coldplayer1995 I added a new parameter called iot-thing-name. If you specify it with your exact thing-name then you can use anything else as your stream-name. There is an example in the description of the pull request.
Are you still seeing an issue if you have specified both an iot-thing-name and a stream-name? I definitely have this working.. none of my stream-names are the same as the thing name.
my kvssink line looks like:
```
kvssink name=kinesis storage-size=512 iot-certificate="iot-certificate,endpoint=xxxxxxxxxxxxxx.credentials.iot.ap-southeast-2.amazonaws.com,cert-path=/greengrass/v2/thingCert.crt,key-path=/greengrass/v2/privKey.key,ca-path=/greengrass/v2/rootCA.pem,role-aliases=KvsCameraIoTRoleAlias,iot-thing-name=realthingname" aws-region="ap-southeast-2" log-config="/etc/bla/kvssink-log.config" stream-name=anythingilike
```
fill in the real endpoint and realthingname to match yours.. the [AWS IoT][Security][Role aliases][KvsCameraIoTRoleAlias] points to an IAM role that looks like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kinesisvideo:PutMedia",
        "kinesisvideo:GetDataEndpoint",
        "kinesisvideo:DescribeStream",
        "kinesisvideo:TagStream",
        "kinesisvideo:CreateStream"
      ],
      "Resource": "*"
    }
  ]
}
```
(I know, I know.. the Resource is waaay too loose.. but until AWS supports the ability to add a ${iot:Connection.Thing.ThingName} wildcard as the resource... there is just no way around it)
I have an IoT Greengrass device (with name smartdvr-1423019132001). On the device I stream video to Kinesis using the kvssink gstreamer plugin like:
```
gst-launch-1.0 .... video source ... ! kvssink name=bob storage-size=512 iot-certificate="iot-certificate,endpoint=xxxxxxxxx.credentials.iot.ap-southeast-2.amazonaws.com,cert-path=/greengrass/v2/thingCert.crt,key-path=/greengrass/v2/privKey.key,ca-path=/greengrass/v2/rootCA.pem,role-aliases=KvsCameraIoTRoleAlias" aws-region="ap-southeast-2" log-config="/etc/mtdata/kvssink-log.config" stream-name=smartdvr-1423019132001
```
And with the instructions on how to set up impersonation via the certificate, it uses the following alias: KvsCameraIoTRoleAlias, which points to
KVSCameraCertificateBasedIAMRole:
..this works.. and it creates a smartdvr-1423019132001 Kinesis video stream and is streaming the video.
Now I want to change to have multiple streams (may have more than 1 camera that I want to stream), so I've changed the stream-name to smartdvr-1423019132001-video1 and changed the impersonation policy to
"Resource": "arn:aws:kinesisvideo:::stream/${credentials-iot:ThingName}-*/*"
but i'm getting errors in the kvs.log file like:
if i switch it back it starts working again.
also tried
"Resource": "*"
Still the same. Any suggestions where I can look?
Note: this is a repost of https://forums.aws.amazon.com/thread.jspa?threadID=347747&tstart=0 as I noticed that most support for this is being given here instead of on the AWS forum.
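An added example, not part of the original thread or the SDK: a simplified Python model of IAM resource matching that compares which stream ARNs a device can reach under the `"Resource": "*"` policy quoted in the thread and under patterns built on `${credentials-iot:ThingName}`. The account ID, creation timestamp, the `*:*` region/account wildcards and all function names are constructed for illustration, and the matcher is an approximation, not AWS's policy evaluator.

```python
import re

# Policy variable used in the thread's scoped Resource pattern.
THING_VAR = "${credentials-iot:ThingName}"

def _wild_to_regex(text):
    # IAM-style wildcards: '*' is any run of characters, '?' is one character.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in text)

def resource_matches(pattern, arn, thing_name):
    """Substitute the thing name literally, then wildcard-match the ARN."""
    parts = [_wild_to_regex(p) for p in pattern.split(THING_VAR)]
    regex = re.escape(thing_name).join(parts)
    return re.fullmatch(regex, arn) is not None

def reachable_streams(pattern, thing_name, arns):
    """Return the ARNs a device with this thing name could act on."""
    return [a for a in arns if resource_matches(pattern, a, thing_name)]

def stream_arn(name):
    # Constructed account ID and creation timestamp; region taken from the thread.
    return f"arn:aws:kinesisvideo:ap-southeast-2:111122223333:stream/{name}/1600000000000"

# Constructed inventory: three streams for the thread's device, one for another.
STREAMS = [stream_arn(n) for n in (
    "smartdvr-1423019132001",
    "smartdvr-1423019132001-video1",
    "smartdvr-1423019132001-video2",
    "smartdvr-9999999999999-video1",
)]
THING = "smartdvr-1423019132001"

LOOSE = "*"
# Region and account wildcards below are an assumption of this example.
EXACT = "arn:aws:kinesisvideo:*:*:stream/${credentials-iot:ThingName}/*"
PREFIX = "arn:aws:kinesisvideo:*:*:stream/${credentials-iot:ThingName}-*/*"

if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE), ("exact", EXACT), ("prefix", PREFIX)):
        names = [a.split("/")[1] for a in reachable_streams(pattern, THING, STREAMS)]
        print(f"{label:6} -> {names}")
    # A thing whose name is a prefix of other thing names reaches their streams too.
    print("prefix, thing 'smartdvr' ->",
          len(reachable_streams(PREFIX, "smartdvr", STREAMS)), "of", len(STREAMS))
```

The last line matters when choosing thing names: with the prefix pattern, a thing whose name followed by `-` begins another thing's name also matches that thing's streams.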