What is the appropriate aws iot provisioning by claim policy?

0

I recently started having an issue with provisioning devices. I had previously been using the following policy definition, for quite some time:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }
  ]
}

However, recently devices started to fail when provisioning. Looking at the CloudWatch logs I would get something like:

{
    "timestamp": "2024-02-14 17:02:02.503",
    "logLevel": "ERROR",
    "traceId": "2aeeb77f-7f45-7e3b-f2dc-d5893ed5d48d",
    "accountId": "ACCOUNTID",
    "status": "Failure",
    "eventType": "Subscribe",
    "protocol": "MQTT",
    "topicName": "$aws/provisioning-templates/birthing_template/provision/json/rejected",
    "clientId": "CLIENTID",
    "principalId": "PRINCIPALID",
    "sourceIp": "SOURCEIP",
    "sourcePort": 61801,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

I then changed:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }

to:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    }

And it started working. Is there something I'm missing? How is it that the previous template was working before?

txf
asked 3 months ago, 92 views
1 answer
1
Accepted answer

Hi. Your policy has an error. For the Subscribe actions, the resource is a topicfilter, not a topic.

https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#claim-based

AWS
EXPERT
Greg_B
answered 3 months ago
EXPERT
reviewed 2 months ago
  • Very strange that the provisioning used to work with the policy document as specified above. But I corrected it to use topicfilter and now it works, thank you.
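
As an added check (example code, not from the question or the answer; the region, account id and sample policy are constructed placeholders), a small linter that flags the two issues this thread touches on: iot:Subscribe grants written on topic/ ARNs, which must be topicfilter/ ARNs, and the Resource "*" workaround, which lets any device holding the shared claim certificate subscribe to every topic in the account rather than only the provisioning topics.

```python
import json
import re

# Expected ARN resource type per topic-scoped action: Subscribe needs topicfilter/,
# Publish and Receive need topic/ (the mix-up in the question's policy).
EXPECTED_RESOURCE_TYPE = {"iot:Subscribe": "topicfilter", "iot:Publish": "topic", "iot:Receive": "topic"}
ARN_RE = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:(topic|topicfilter)/.+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (action, resource, problem) tuples for every questionable Allow grant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            expected = EXPECTED_RESOURCE_TYPE.get(action)
            if expected is None:  # iot:Connect and friends are not topic-scoped
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == "*":  # the workaround in the question: any topic allowed
                    findings.append((action, resource, "wildcard resource"))
                    continue
                m = ARN_RE.match(resource)
                if m is None:
                    findings.append((action, resource, "not an IoT topic ARN"))
                elif m.group(1) != expected:
                    findings.append((action, resource, f"expected {expected}/, got {m.group(1)}/"))
    return findings

def fix_subscribe_resources(policy):
    """Copy of the policy with topic/ rewritten to topicfilter/ in Subscribe-only statements."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed.get("Statement", []):
        if _as_list(stmt.get("Action", [])) == ["iot:Subscribe"]:
            stmt["Resource"] = [re.sub(r":topic/", ":topicfilter/", r, count=1)
                                for r in _as_list(stmt.get("Resource", []))]
    return fixed

# Constructed sample in the shape of the question's policy, with a placeholder region/account.
ARN = "arn:aws:iot:us-east-1:123456789012"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": ARN + ":topic/$aws/certificates/create/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": ARN + ":topic/$aws/certificates/create/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": "*"},
]}
```

Run lint_policy on the policy JSON before attaching it to the claim certificate; the wildcard finding stays after the topicfilter fix and is the one to remove by hand.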
