conf { connectors = [] functions = [] core { syncShadow = true role { name = "Greengrass_CoreRole" alias = "Greengrass_CoreRoleAlias" assumeRolePolicy = { Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = "sts:AssumeRole" Principal = { Service = "greengrass.amazonaws.com" } } { Effect = "Allow" Action = "sts:AssumeRole" Principal = { Service = "credentials.iot.amazonaws.com" } } ] } iamManagedPolicies = [ # (Optional): Allows Greengrass Lambdas to write log messages to CloudWatch Logs "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" ] iotPolicy = { Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = ["iot:*", "greengrass:*"] Resource = ["*"] } ] } iamPolicy = { Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = ["iam:GetRole", "iam:PassRole"] Resource = ["arn:aws:iam::"${ACCOUNT_ID}":role/"${conf.core.role.name}] } { Effect = "Allow" Action = ["iot:DescribeEndpoint"] Resource = ["*"] } ] } } } lambda { role { name = "Greengrass_LambdaRole" assumeRolePolicy = { Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = "sts:AssumeRole" Principal = { Service = "lambda.amazonaws.com" } } ] } } } service { role { name = "Greengrass_ServiceRole" assumeRolePolicy = { Version = "2012-10-17" Statement = [ # Required: Allows the Greengrass cloud service to assume this role { Effect = "Allow" Action = "sts:AssumeRole" Principal = { Service = "greengrass.amazonaws.com" } } ] } iamManagedPolicies = [ # Required: Role to manage Greengrass resources "arn:aws:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy" ] } } loggers = [ { component = "GreengrassSystem" loggerLevel = "INFO" loggerType = "FileSystem" # 128 MB space = 131072 } { component = "GreengrassSystem" loggerLevel = "INFO" loggerType = "AWSCloudWatch" } { component = "Lambda" loggerLevel = "INFO" loggerType = "FileSystem" # 128 MB space = 131072 } { component = "Lambda" loggerLevel = "INFO" loggerType = "AWSCloudWatch" } ] }