IAM Policy setup

Please make sure you have set up your AWS CLI credentials correctly, as directed in the earlier section, before proceeding.

IAM custom policy setup

Let's set up the IAM policy that will be used mainly in the following sections. The policy needs to allow the actions required to:

  • Publish your custom component (using S3)
  • Run the MQTT bridge

Follow the steps shown in the pictures below:

  1. Go to the IAM console

  2. Select Policies and then Create policy

  3. In the Create policy screen, select the JSON tab and delete lines 1-4

  4. Copy the following JSON (make sure all of the previous JSON was deleted)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3BucketActions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GreengrassActions",
            "Effect": "Allow",
            "Action": [
                "greengrass:*"
            ],
            "Resource": "*"
        }
    ]
}

Click through to the Next: Review screen, give the policy the name workshop_s3_iot_gg_policy and a description such as "Greengrass workshop usage policy only".

  1. Finally, go ahead and click Create policy

IAM custom policy assignment

  1. Staying in the IAM console, click on Users and search for the user we created earlier, i.e. workshop_user_delete_later


  2. On the Summary screen, click the Add permissions button, search for the policy workshop_s3_iot_gg_policy and attach it as shown below.

  3. Click through and finally click on Add permissions to complete this step.

Adding policy to GreengrassV2TokenExchangeRole

Finally, let's attach a policy to the role GreengrassV2TokenExchangeRole. Staying in IAM, navigate from the Dashboard to Roles and search for the role as shown in the picture below.

Click on Attach policies, then click on Add inline policy. Select the JSON tab, delete the existing default code and paste the code below. Review the policy, give it the name GreengrassV2TokenExchangeRoleCustomPolicy and click Create policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:DeleteCertificate",
                "iot:DeletePolicy",
                "iot:DetachPrincipalPolicy",
                "iot:GetPolicy",
                "iot:ListPolicyPrincipals",
                "iot:UpdateCertificate"
            ],
            "Resource": "*"
        }
    ]
}
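As an added check (this script is not part of the workshop), the following Python re-types both policy documents from this page (the customer managed policy workshop_s3_iot_gg_policy above and this inline role policy) and lists every Allow statement that grants a wildcard action (`*` or `service:*`) or a wildcard resource. The two tasks listed at the top of the page need S3 and IoT/Greengrass access, but `iot:*` and `greengrass:*` on `"Resource": "*"` grant far more than that; a listing like this is what you would want in front of you before deciding whether to keep the workshop-wide grants in anything other than a throwaway account. `load_policy` is a hypothetical helper for running the same check on a document saved from the console's JSON tab.

```python
import json

# Policy documents as given on this page (re-typed here so the check runs offline).
WORKSHOP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3BucketActions", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation",
                    "s3:PutObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Allow", "Action": ["iot:*"], "Resource": "*"},
        {"Sid": "GreengrassActions", "Effect": "Allow",
         "Action": ["greengrass:*"], "Resource": "*"},
    ],
}

ROLE_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iot:AttachPrincipalPolicy", "iot:CreateKeysAndCertificate",
                    "iot:CreatePolicy", "iot:DeleteCertificate", "iot:DeletePolicy",
                    "iot:DetachPrincipalPolicy", "iot:GetPolicy",
                    "iot:ListPolicyPrincipals", "iot:UpdateCertificate"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(path):
    """Hypothetical helper: load a policy document saved from the console's JSON tab."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def wildcard_findings(policy):
    """Return (sid, kind, value) for every Allow statement that grants a wildcard.

    kind is "action" for "*" or "service:*" and "resource" for any Resource
    containing "*". Deny statements and NotAction/NotResource are ignored.
    Statements without a Sid are reported by their index.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"statement[{index}]"
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "action", action))
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append((sid, "resource", resource))
    return findings


def services_granted(policy):
    """Set of service prefixes (s3, iot, ...) that any Allow statement touches."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add("*" if action == "*" else action.split(":", 1)[0])
    return services


def report(name, policy):
    """Print a short review of one policy document and return the finding count."""
    findings = wildcard_findings(policy)
    print(f"{name}: services {sorted(services_granted(policy))}, "
          f"{len(findings)} wildcard grant(s)")
    for sid, kind, value in findings:
        print(f"  {sid}: wildcard {kind} {value}")
    return len(findings)


if __name__ == "__main__":
    report("workshop_s3_iot_gg_policy", WORKSHOP_POLICY)
    report("GreengrassV2TokenExchangeRoleCustomPolicy", ROLE_INLINE_POLICY)
```

Running it lists five wildcard grants for the workshop policy and one for the inline role policy. The role policy's single finding, `"Resource": "*"`, is expected rather than a mistake: some of its actions, such as `iot:CreateKeysAndCertificate`, do not support resource-level permissions and can only be granted on `*`. The check is a plain JSON lint, not an authorization evaluation; for the latter, IAM's policy simulator (`aws iam simulate-principal-policy`) evaluates a real principal. If you prefer to apply the same documents from the CLI you configured earlier instead of clicking through the console, the equivalent commands are `aws iam create-policy`, `aws iam attach-user-policy` and `aws iam put-role-policy`.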