Authorize core devices to interact with Amazon services
Amazon IoT Greengrass core devices use the Amazon IoT Core credentials provider to authorize calls to Amazon services. The Amazon IoT Core credentials provider enables devices to use their X.509 certificates as the unique device identity to authenticate Amazon requests. This eliminates the need to store an Amazon access key ID and secret access key on your Amazon IoT Greengrass core devices. For more information, see Authorizing direct calls to Amazon services in the Amazon IoT Core Developer Guide.
When you run the Amazon IoT Greengrass Core software, you can choose to provision the Amazon resources that the core device requires. This includes the Amazon Identity and Access Management (IAM) role that your core device assumes through the Amazon IoT Core credentials provider. Use the --provision true argument to configure a role and policies that allow the core device to get temporary Amazon credentials. This argument also configures an Amazon IoT role alias that points to this IAM role. You can specify the name of the IAM role and Amazon IoT role alias to use. If you specify --provision true without these other name parameters, the Greengrass core device creates and uses the following default resources:
- IAM role: GreengrassV2TokenExchangeRole
  This role has a policy named GreengrassV2TokenExchangeRoleAccess and a trust relationship that allows credentials.iot.amazonaws.com to assume the role. The policy includes the minimum permissions for the core device.
  Important: This policy doesn't include access to files in S3 buckets. You must add permissions to the role to allow core devices to retrieve component artifacts from S3 buckets. For more information, see Allow access to S3 buckets for component artifacts.
- Amazon IoT role alias: GreengrassV2TokenExchangeRoleAlias
  This role alias refers to the IAM role.
For more information, see Step 3: Install the Amazon IoT Greengrass Core software.
You can also set the role alias for an existing core device. To do so, configure the iotRoleAlias configuration parameter of the Greengrass nucleus component.
You can acquire temporary Amazon credentials for this IAM role to perform Amazon operations in your custom components. For more information, see Interact with Amazon services.
Service role permissions for core devices
The role allows the following service to assume the role:
- credentials.iot.amazonaws.com
If you use the Amazon IoT Greengrass Core software to create this role, it uses the following permissions policy to allow core devices to connect and send logs to Amazon. The policy's name defaults to the name of the IAM role followed by Access. For example, if you use the default IAM role name, then this policy's name is GreengrassV2TokenExchangeRoleAccess.
Allow access to S3 buckets for component artifacts
The default core device role doesn't allow core devices to access S3 buckets. To deploy components that have artifacts in S3 buckets, you must add the s3:GetObject permission to allow core devices to download component artifacts. You can add a new policy to the core device role to grant this permission.
To add a policy that allows access to component artifacts in Amazon S3
- Create a file called component-artifact-policy.json and copy the following JSON into the file. This policy allows access to all files in an S3 bucket. Replace amzn-s3-demo-bucket with the name of the S3 bucket to allow the core device to access.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject"
            ],
            "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*"
          }
        ]
      }
- Run the following command to create the policy from the policy document in component-artifact-policy.json.
  Copy the policy Amazon Resource Name (ARN) from the policy metadata in the output. You use this ARN to attach this policy to the core device role in the next step.
- Run the following command to attach the policy to the core device role. Replace GreengrassV2TokenExchangeRole with the name of the role that you specified when you ran the Amazon IoT Greengrass Core software. Then, replace the policy ARN with the ARN from the previous step.
  If the command has no output, it succeeded, and your core device can access artifacts that you upload to this S3 bucket.
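The following Python script is an added example, not code from the Greengrass documentation or the Greengrass project. It builds the two IAM documents this page describes (the trust relationship for credentials.iot.amazonaws.com and the s3:GetObject artifact policy), checks the artifact policy against the least-privilege expectation the page sets out (read-only, scoped to one bucket), and prints the AWS CLI commands used in the procedure above. The policy name GreengrassV2ComponentArtifactPolicy-PLACEHOLDER, the account ID 123456789012 and the key prefix greengrass/artifacts are constructed assumptions; the aws-cn partition matches the ARN on this page, so change PARTITION to "aws" outside the China regions. The optional prefix argument goes beyond the page's bucket-wide policy and narrows access to one key prefix.

```python
"""Added example (not from the Greengrass documentation): build and sanity-check
the IAM documents this page describes, then print the AWS CLI commands that
create and attach the artifact policy. Values marked PLACEHOLDER are assumptions."""
import json
import re

PARTITION = "aws-cn"  # the page's ARNs use the China partition; use "aws" elsewhere


def trust_policy() -> dict:
    """Trust relationship that lets the Amazon IoT credentials provider assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "credentials.iot.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def component_artifact_policy(bucket: str, prefix: str = "", partition: str = PARTITION) -> dict:
    """Read-only access to component artifacts in one bucket.

    With no prefix this matches the page's policy (every object in the bucket);
    a prefix such as "greengrass/artifacts" narrows the grant to those keys.
    """
    # Reject names that are not valid S3 bucket names before they reach an ARN
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    key_pattern = f"{prefix.strip('/')}/*" if prefix else "*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:{partition}:s3:::{bucket}/{key_pattern}",
        }],
    }


def policy_findings(policy: dict) -> list:
    """Flag Allow statements that grant more than a core device needs to fetch artifacts."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            # Anything beyond s3:Get* is wider than artifact download requires
            if action == "*" or action.lower() == "s3:*" or not action.lower().startswith("s3:get"):
                findings.append(f"statement {i}: action {action!r} exceeds read-only artifact access")
        for resource in resources:
            # A bare "*" or an all-buckets ARN is not scoped to the artifact bucket
            if resource == "*" or re.fullmatch(r"arn:[^:]+:s3:::\*", resource) or resource.endswith(":::*/*"):
                findings.append(f"statement {i}: resource {resource!r} is not scoped to a bucket")
    return findings


def cli_commands(policy_name: str, role_name: str, account_id: str, partition: str = PARTITION) -> list:
    """The two AWS CLI calls from the procedure; the policy ARN is what create-policy returns."""
    policy_arn = f"arn:{partition}:iam::{account_id}:policy/{policy_name}"
    return [
        f"aws iam create-policy --policy-name {policy_name} "
        f"--policy-document file://component-artifact-policy.json",
        f"aws iam attach-role-policy --role-name {role_name} --policy-arn {policy_arn}",
    ]


if __name__ == "__main__":
    # Constructed sample: the page's demo bucket, narrowed to an assumed key prefix
    policy = component_artifact_policy("amzn-s3-demo-bucket", prefix="greengrass/artifacts")
    print("contents of component-artifact-policy.json:")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy) or "none")
    print("trust policy:", json.dumps(trust_policy()))
    for cmd in cli_commands("GreengrassV2ComponentArtifactPolicy-PLACEHOLDER",
                            "GreengrassV2TokenExchangeRole", "123456789012"):
        print(cmd)
```

Run the script, save the printed policy as component-artifact-policy.json, then run the two printed commands with the real policy name, role name and account ID. The policy_findings check is the review step a practitioner wants before attaching anything to the token exchange role: a policy that trips it (for example "s3:*" on "*") would let every core device that assumes the role read and write all buckets in the account, not just the artifact bucket.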