In the component recipe, declare an IPC authorization policy under accessControl granting aws.greengrass.ipc.mqttproxy:aws.greengrass#PublishToIoTCore permission for the topic pattern the component will publish to.
In component code, create a Greengrass IPC client using the AWS IoT Device SDK v2 Greengrass IPC library; establish the IPC socket connection (the SDK reads the socket path from the IPC_SERVER_SOCKET_PATH environment variable injected by the nucleus).
Call PublishToIoTCore with the topic string, QoS level, and payload bytes; the nucleus proxies the publish to AWS IoT Core using the core device's certificate.
For subscribing to topics, declare SubscribeToIoTCore authorization in the recipe and call SubscribeToIoTCore via IPC, processing messages in a callback or async handler.
Use SubscribeToTopic for local pub/sub between components on the same device without routing through IoT Core; declare the local topic in the recipe's accessControl section separately.
Test the IPC authorization by checking Greengrass nucleus logs at /greengrass/v2/logs/greengrass.log for AccessDenied errors if the component's publish requests are rejected.
Known gotchas
IPC authorization is enforced by the nucleus; a component missing the accessControl section in its recipe cannot publish to IoT Core even if the core device's IAM policy allows it.
Topic patterns in IPC authorization support the # wildcard, but the topics the component uses must match the declared pattern exactly; mismatches cause silent publish failures.
The IPC socket path environment variable is only available inside the component process; external scripts or child processes spawned by the component do not inherit it automatically.
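The accessControl declaration from the first step and the topic-pattern gotcha above can be checked before deployment. The following is an added example, not code from this page or from the Greengrass project: it reads a JSON recipe and reports which topics the component intends to publish to are not covered by any PublishToIoTCore resource pattern. The sample recipe, component name and topics are constructed, and the matcher assumes MQTT-style semantics for + and # plus a bare * resource as allow-all; the nucleus remains the authority on what is actually permitted.

```python
import json

MQTT_PROXY = "aws.greengrass.ipc.mqttproxy"
PUBLISH_OP = "aws.greengrass#PublishToIoTCore"

# Constructed sample recipe; the component name and topics are placeholders.
SAMPLE_RECIPE = json.loads("""
{
  "ComponentName": "com.example.Publisher",
  "ComponentConfiguration": {"DefaultConfiguration": {"accessControl": {
    "aws.greengrass.ipc.mqttproxy": {
      "com.example.Publisher:mqttproxy:1": {
        "operations": ["aws.greengrass#PublishToIoTCore"],
        "resources": ["sensors/+/telemetry", "alerts/#"]
      }
    }
  }}}
}
""")

def topic_matches(pattern, topic):
    """MQTT filter matching: '+' is one level, '#' is all remaining levels."""
    if pattern == "*":  # assumption: a bare "*" resource grants every topic
        return True
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p_levels):
        if level == "#":
            return i == len(p_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels) or level not in ("+", t_levels[i]):
            return False
    return len(p_levels) == len(t_levels)

def allowed_patterns(recipe, service=MQTT_PROXY, operation=PUBLISH_OP):
    """Collect the resources of every policy that grants `operation`."""
    acl = (recipe.get("ComponentConfiguration", {})
           .get("DefaultConfiguration", {}).get("accessControl", {}))
    return [res for policy in acl.get(service, {}).values()
            if {operation, "*"} & set(policy.get("operations", []))
            for res in policy.get("resources", [])]

def unauthorized_topics(recipe, topics):
    """Return the topics that no declared resource pattern covers."""
    patterns = allowed_patterns(recipe)
    return [t for t in topics if not any(topic_matches(p, t) for p in patterns)]

if __name__ == "__main__":
    print(unauthorized_topics(SAMPLE_RECIPE, ["sensors/a1/telemetry", "sensors/a1/status"]))
```

A recipe with no accessControl section yields an empty pattern list, so every topic is reported, which mirrors the first gotcha.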