What is the appropriate AWS IoT provisioning-by-claim policy?

0

I recently started having an issue with provisioning devices. I had previously been using the following policy definition, for quite some time:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }
  ]
}

However, recently devices started to fail when provisioning. Looking at the CloudWatch logs I would get something like:

{
    "timestamp": "2024-02-14 17:02:02.503",
    "logLevel": "ERROR",
    "traceId": "2aeeb77f-7f45-7e3b-f2dc-d5893ed5d48d",
    "accountId": "ACCOUNTID",
    "status": "Failure",
    "eventType": "Subscribe",
    "protocol": "MQTT",
    "topicName": "$aws/provisioning-templates/birthing_template/provision/json/rejected",
    "clientId": "CLIENTID",
    "principalId": "PRINCIPALID",
    "sourceIp": "SOURCEIP",
    "sourcePort": 61801,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

I then changed:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }

to:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    }

And it started working. Is there something I'm missing? How is it that the previous template was working before?

txf
asked 3 months ago, 92 views
1 Answer
1
Accepted Answer

Hi. Your policy has an error. For the Subscribe actions, the resource is a topicfilter, not a topic.

https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#claim-based

AWS
EXPERT
Greg_B
answered 3 months ago
EXPERT
reviewed 2 months ago
  • Very strange that the provisioning used to work with the policy document as specified above. But I corrected it to use topicfilter and now it works, thank you.
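An added example, not from the question or the answer above: a small Python lint that checks the rule the accepted answer cites (iot:Subscribe must name a topicfilter resource, iot:Publish and iot:Receive a topic resource), flags the over-broad "*" workaround from the question, and builds a correctly typed policy for one provisioning template. The region/account string, the template name and the helper names are assumptions for illustration.

```python
import re

# Resource ARN form used by AWS IoT data-plane policies:
# arn:aws:iot:<region>:<account>:topic/<name>  or  ...:topicfilter/<filter>
_ARN_RE = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:(topic|topicfilter)/(.+)$")

# Resource type each action must target (the point made in the accepted answer).
EXPECTED_TYPE = {"iot:Publish": "topic", "iot:Receive": "topic",
                 "iot:Subscribe": "topicfilter"}

def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            expected = EXPECTED_TYPE.get(action)
            if expected is None:
                continue  # iot:Connect and other actions are not covered here
            for res in resources:
                m = _ARN_RE.match(res)
                if res == "*":  # the workaround from the question: any topic at all
                    findings.append(f"statement {i}: {action} on '*' is over-broad")
                elif not m:
                    findings.append(f"statement {i}: {action} resource {res!r} is not a topic/topicfilter ARN")
                elif m.group(1) != expected:
                    findings.append(f"statement {i}: {action} needs {expected}, got {m.group(1)}")
    return findings

def claim_policy(region_account: str, template: str) -> dict:
    """Build a claim policy scoped to one provisioning template, following the
    layout of the policy in the question but with the correct resource types."""
    topics = ["$aws/certificates/create/*",
              f"$aws/provisioning-templates/{template}/provision/*"]
    def allow(action, kind):
        return {"Effect": "Allow", "Action": action,
                "Resource": [f"arn:aws:iot:{region_account}:{kind}/{t}" for t in topics]}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        allow("iot:Publish", "topic"), allow("iot:Receive", "topic"),
        allow("iot:Subscribe", "topicfilter")]}

if __name__ == "__main__":
    # Constructed placeholder region and account id; lint the generated policy.
    print(lint_policy(claim_policy("us-east-1:123456789012", "birthing_template")))  # []
```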