Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-iot):CfnPolicy fails if greengrass: actions are present #32414

Closed
1 task
bobneuman opened this issue Dec 7, 2024 · 3 comments
Closed
1 task

(aws-iot):CfnPolicy fails if greengrass: actions are present #32414

bobneuman opened this issue Dec 7, 2024 · 3 comments
Labels
@aws-cdk/aws-iot Related to AWS IoT bug This issue is a bug. effort/medium Medium work item – several days of effort p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@bobneuman
Copy link

Describe the bug

The recommended greengrass-core-minimal-iot-policy includes greengrass: actions, but adding them using the CDK iot.CfnPolicy() fails.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

unknown

Expected Behavior

I expect the greengrass actions to be included in the policy. The IoT Policies created via the Greengrass.jar or the AWS SDK can include the greengrass actions without error. I've created an IoT Policy with the greengrass actions and the devices .

Current Behavior

An attempt to include the greengrass actions in the policy returned the following error on deployment.

IotThingsStack | 8:08:47 AM | UPDATE_FAILED        | AWS::IoT::Policy                    | DEVELOPMENT-IoTPolicy (DEVELOPMENTIoTPolicy) Resource handler returned message: "Invalid request provided: Policy document is Malformed: Invalid policy syntax. (Service: Iot, Status Code: 400, Request ID: 24856881-5a97-4288-8ac8-f9625b7b28a8)" (RequestToken: aaaaaaaa-bbbb-cccc-dddd-000000000000, HandlerErrorCode: InvalidRequest)
❌  ZT-IoT-IotThingsStack failed: Error: The stack named ZT-IoT-IotThingsStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Policy document is Malformed: Invalid policy syntax. (Service: Iot, Status Code: 400, Request ID: 12345678-9999-123-aaaa-bbbbbbbbbbbb)" (RequestToken: aaaaaaaa-bbbb-cccc-dddd-000000000000, HandlerErrorCode: InvalidRequest)

Reproduction Steps

add the following statement in the CfnPolicy parameters

    new iam.PolicyStatement({
        actions: [
            "greengrass:ResolveComponentCandidates", 
            "greengrass:GetDeploymentConfiguration", 
            "greengrass:GetComponentVersionArtifact",
            "greengrass:ListThingGroupsForCoreDevice"
        ],
        resources: ['*'],
        effect: iam.Effect.ALLOW
    }),

Possible Solution

I can create a Lambda construct to use the SDK to create the policy.

Additional Information/Context

When the IoT Policy does not include the greengrass actions it prevents the greengrass device enumerating and installing components as indicated in the error:

2024-12-07T10:10:10.000Z [INFO] (pool-3-thread-10) com.aws.greengrass.deployment.IotJobsHelper: Updating status of persisted deployment. {Status=FAILED, StatusDetails={deployment-error-stack=[DEPLOYMENT_FAILURE, CLOUD_API_ERROR, ACCESS_DENIED, RESOLVE_COMPONENT_CANDIDATES_ACCESS_DENIED], deployment-error-types=[PERMISSION_ERROR], deployment-failure-cause=Access denied when calling ResolveComponentCandidates. Ensure certificate policy grants greengrass:ResolveComponentCandidates. Service returned error code ForbiddenException (Service: GreengrassV2Data, Status Code: 403, Request ID: ----------), detailed-deployment-status=FAILED_NO_STATE_CHANGE}, ThingName=thing-01, JobId=-------}

CDK CLI Version

2.172.0 (build 0f666c5)

Framework Version

No response

Node.js Version

v18.19.0

OS

Debian GNU/Linux 12 (bookworm)/BUILD_ID=20240831T094530Z

Language

TypeScript

Language Version

No response

Other information

Note: The current console also prevents addition of the greengrass actions via a GUI.
@bobneuman bobneuman added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 7, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iot Related to AWS IoT label Dec 7, 2024
@pahud
Copy link
Contributor

pahud commented Dec 9, 2024

Looks like the policy you added into CDK is malformed.

Can you share a minimal CDK code snippets so I can have a better visibility on how this policy is added in CDK and maybe I can paste them into my IDE to get it reproduced?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 9, 2024
@bobneuman
Copy link
Author

Yes that appears the issue. My error.

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 9, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-iot Related to AWS IoT bug This issue is a bug. effort/medium Medium work item – several days of effort p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pahud @bobneuman