ClientDeviceAuthorizer: Device isn't authorized to connect

I have a Client Device (thing-is-1) and a Greengrass Core Device (Corething2).

I have deployed the components: MQTT Moquette Broker, MQTT Bridge, Client Device Authenticator, IP Detector.

My MQTT Broker is listening on port 8883. I have double-checked all my AWS IoT policies for the Core: it has everything that is mentioned in the AWS documentation in terms of policies.

But when I try to connect my client to my core after discovery, it gives the following error on the client device:

Performing greengrass discovery...
awsiot.greengrass_discovery.DiscoverResponse(gg_groups=[awsiot.greengrass_discovery.GGGroup(gg_group_id='greengrassV2-coreDevice-Corething2', cores=[awsiot.greengrass_discovery.GGCore(thing_arn='arn:aws:iot:eu-west-1:...:thing/Corething2', connectivity=[awsiot.greengrass_discovery.ConnectivityInfo(id='', host_address='', metadata='', port=8883), awsiot.greengrass_discovery.ConnectivityInfo(id='', host_address='', metadata='', port=8883)])], certificate_authorities=['-----BEGIN CERTIFICATE-----\n..\n-----END CERTIFICATE-----\n'])])
Trying core arn:aws:iot:eu-west-1:..:thing/Corething2 at host port 8883
Connection failed with exception AWS_IO_SOCKET_TIMEOUT: socket operation timed out.
Trying core arn:aws:iot:eu-west-1:..:thing/Corething2 at host port 8883
Connection failed with exception AWS_ERROR_MQTT_UNEXPECTED_HANGUP: The connection was closed unexpectedly.
All connection attempts failed

Now if I go to my Core device and check greengrass.log, I see this:

2022-04-11T15:07:43.899Z [INFO] (nioEventLoopGroup-5-3) com.aws.greengrass.device.DeviceAuthClient: Creating new session. {}
2022-04-11T15:07:44.454Z [INFO] (nioEventLoopGroup-5-3) com.aws.greengrass.device.SessionManager: Created the session. {sessionId=d65a97e6-1919-4798-8c2d-bb9b44398856}
2022-04-11T15:07:44.473Z [INFO] (nioEventLoopGroup-5-3) io.moquette.broker.metrics.MQTTMessageLogger: C->B CONNECT . {}
2022-04-11T15:07:44.473Z [INFO] (nioEventLoopGroup-5-3) com.aws.greengrass.mqttbroker.ClientDeviceAuthorizer: Retrieved client session. {clientId=thing-is-1, sessionId=d65a97e6-1919-4798-8c2d-bb9b44398856}
2022-04-11T15:07:44.799Z [INFO] (nioEventLoopGroup-5-3) com.aws.greengrass.mqttbroker.ClientDeviceAuthorizer: Device isn't authorized to connect. {clientId=thing-is-1, sessionId=d65a97e6-1919-4798-8c2d-bb9b44398856}
2022-04-11T15:07:44.799Z [INFO] (nioEventLoopGroup-5-3) com.aws.greengrass.device.SessionManager: Closing the session. {sessionId=d65a97e6-1919-4798-8c2d-bb9b44398856}
2022-04-11T15:07:44.800Z [INFO] (nioEventLoopGroup-5-3) io.moquette.broker.MQTTConnection: Authenticator has rejected the MQTT credentials CId=thing-is-1, certificate chain=[[ [ Version: V3 Subject: CN=AWS IoT Certificate
bla bla bla ]]. {}
2022-04-11T15:07:44.800Z [INFO] (nioEventLoopGroup-5-3) io.moquette.broker.MQTTConnection: Client didn't supply any password and MQTT anonymous mode is disabled CId=thing-is-1. {}
2022-04-11T15:07:44.802Z [INFO] (nioEventLoopGroup-5-3) io.moquette.broker.metrics.MQTTMessageLogger: Channel Inactive. {}
2022-04-11T15:08:41.247Z [INFO] (pool-1-thread-4) com.aws.greengrass.detector.IpDetectorManager: Acquired host IP addresses. {IpAddresses=[/, /]}

What am I missing here? Or is there a checklist I can refer to for scratching out possibilities? One question arises with the certs: do I need to add my client's public key somewhere in the Core? I didn't find that anywhere in the AWS docs.

Also I see that the session is created but then my Authenticator rejects the client.

My Device Authenticator has a completely permissive configuration. My thing-is-1 is associated with my core device, but the core device and the client device do not belong to the same thing group (and I don't think that makes any difference).

ClientDeviceAuth Component config:

{
  "reset": [],
  "merge": {
    "reset": [],
    "merge": {
      "deviceGroups": {
        "formatVersion": "2021-03-05",
        "definitions": {
          "MyDeviceGroup": {
            "selectionRule": "thingName: thing-*",
            "policyName": "MyClientDevicePolicy"
          }
        },
        "policies": {
          "MyClientDevicePolicy": {
            "AllowConnection": {
              "statementDescription": "Allow client devices.",
              "operations": [
                "*"
              ],
              "resources": [
                "*"
              ]
            }
          }
        }
      }
    }
  }
}

I tried to be informative and concise at the same time. Let me know if I'm missing any info that might help to get a better understanding of the issue and I'll update the question accordingly.



Solution 1:[1]

Your client device auth configuration seems to have "merge" as a child of "merge"? That isn't correct. The device groups and policies should be keys under the top level merge.
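An added example, not part of the question or the answer: a small Python lint for an aws.greengrass.clientdevices.Auth merge configuration that flags the doubly nested "merge" the answer points out, checks that every device group names a policy that is actually defined, and warns when a policy grants every operation on every resource. The function names and check logic are assumptions of this example, not part of the Greengrass SDK; the embedded configuration is a constructed copy of the one in the question.

```python
# Constructed copy of the asker's deployment config: "merge" nested inside "merge".
NESTED_MERGE_CONFIG = {
    "reset": [],
    "merge": {
        "reset": [],
        "merge": {
            "deviceGroups": {
                "formatVersion": "2021-03-05",
                "definitions": {"MyDeviceGroup": {"selectionRule": "thingName: thing-*",
                                                  "policyName": "MyClientDevicePolicy"}},
                "policies": {"MyClientDevicePolicy": {"AllowConnection": {
                    "statementDescription": "Allow client devices.",
                    "operations": ["*"], "resources": ["*"]}}},
            }
        },
    },
}


def lint_cda_config(config):
    """Return a list of 'ERROR:'/'WARNING:' findings for a client device auth merge config."""
    findings = []
    merge = config.get("merge", {})
    if "merge" in merge or "reset" in merge:
        findings.append("ERROR: 'merge'/'reset' nested inside 'merge'; deviceGroups must sit "
                        "directly under the top-level 'merge'")
    groups = merge.get("deviceGroups")
    if groups is None:
        findings.append("ERROR: no 'deviceGroups' under top-level 'merge'; the authorizer has "
                        "no group to match client devices against")
        return findings
    policies = groups.get("policies", {})
    for gname, definition in groups.get("definitions", {}).items():
        if not definition.get("selectionRule"):
            findings.append(f"ERROR: group '{gname}' has no selectionRule")
        policy = definition.get("policyName")
        if policy not in policies:
            findings.append(f"ERROR: group '{gname}' references unknown policy '{policy}'")
    for pname, statements in policies.items():
        for sname, stmt in statements.items():
            if "*" in stmt.get("operations", []) and "*" in stmt.get("resources", []):
                findings.append(f"WARNING: policy '{pname}' statement '{sname}' allows every "
                                "operation on every resource; scope it to the topics needed")
    return findings


def fix_nested_merge(config):
    """Hoist deviceGroups from a doubly nested 'merge' to the top-level 'merge'."""
    inner = config.get("merge", {}).get("merge", {})
    if "deviceGroups" not in inner:
        return config  # already in the expected shape, nothing to hoist
    return {"reset": config.get("reset", []), "merge": {"deviceGroups": inner["deviceGroups"]}}
```

Running the lint on the question's config yields only errors; after hoisting, the structural errors disappear and only the wildcard-policy warning remains.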

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Michael Dombrowski