What is the appropriate aws iot provisioning by claim policy?

0

I recently started having an issue with provisioning devices. I had previously been using the following policy definition for quite some time:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }
  ]
}

However, recently devices started to fail when provisioning. Looking at the CloudWatch logs I would get something like:

{
    "timestamp": "2024-02-14 17:02:02.503",
    "logLevel": "ERROR",
    "traceId": "2aeeb77f-7f45-7e3b-f2dc-d5893ed5d48d",
    "accountId": "ACCOUNTID",
    "status": "Failure",
    "eventType": "Subscribe",
    "protocol": "MQTT",
    "topicName": "$aws/provisioning-templates/birthing_template/provision/json/rejected",
    "clientId": "CLIENTID",
    "principalId": "PRINCIPALID",
    "sourceIp": "SOURCEIP",
    "sourcePort": 61801,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

I then changed:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }

to:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    }

And it started working. Is there something I'm missing? How is it that the previous template was working before?

txf
posted 3 months ago, 92 views
1 Answer
1
Accepted Answer

Hi. Your policy has an error. For the Subscribe actions, the resource is a topicfilter, not a topic.

https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#claim-based

AWS
EXPERT
Greg_B
answered 3 months ago
EXPERT
verified 2 months ago
  • Very strange that the provisioning used to work with the policy document as specified above. But I corrected it to use topicfilter and now it works, thank you.
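The mismatch the accepted answer points out (iot:Subscribe must be granted on a topicfilter/ ARN, while iot:Publish and iot:Receive use topic/ ARNs) is easy to check mechanically before a claim policy is deployed. The following Python script is an added example and is not part of the original thread or of AWS's own tooling. It embeds a constructed copy of the question's policy, with the page's [location:id] placeholder replaced by the made-up region us-east-1 and account id 123456789012, flags every Allow statement whose action/resource type pairing is wrong, reports a bare "*" resource on the topic actions as over-broad (the workaround in the question lets a claim certificate subscribe to any topic in the account), and produces a corrected copy of the policy.

```python
import copy
import re

# Constructed sample based on the policy in the question. Region and account id
# are placeholders standing in for the page's [location:id].
PREFIX = "arn:aws:iot:us-east-1:123456789012:"
CREATE = "$aws/certificates/create/*"
PROVISION = "$aws/provisioning-templates/birthing_template/provision/*"

CLAIM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": PREFIX + "topic/" + CREATE},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": PREFIX + "topic/" + PROVISION},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": PREFIX + "topic/" + CREATE},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": PREFIX + "topic/" + PROVISION},
        # The two statements below carry the bug from the question: Subscribe on topic/ ARNs.
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": PREFIX + "topic/" + CREATE},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": PREFIX + "topic/" + PROVISION},
    ],
}

# Resource type each topic-related action must be paired with in an AWS IoT policy.
REQUIRED_TYPE = {"iot:Publish": "topic", "iot:Receive": "topic", "iot:Subscribe": "topicfilter"}

# arn:aws:iot:<region>:<account>:<type>/<name>
ARN_RE = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:(?P<type>[^/]+)/(?P<name>.*)$")


def _as_list(value):
    """IAM-style documents allow a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of findings for Allow statements whose resource does not fit the action.

    issue == "wrong_resource_type": e.g. iot:Subscribe on a topic/ ARN (the error in the question).
    issue == "wildcard": a bare "*" resource on Publish/Receive/Subscribe, which is over-broad
    for a claim certificate shared across many devices.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in REQUIRED_TYPE:
                continue
            for res in _as_list(stmt.get("Resource", [])):
                if res == "*":
                    findings.append({"statement": idx, "action": action, "resource": res,
                                     "issue": "wildcard"})
                    continue
                m = ARN_RE.match(res)
                if m and m.group("type") != REQUIRED_TYPE[action]:
                    findings.append({"statement": idx, "action": action, "resource": res,
                                     "issue": "wrong_resource_type",
                                     "expected": REQUIRED_TYPE[action]})
    return findings


def fix_policy(policy):
    """Return a deep copy with every wrong_resource_type finding rewritten to the expected type.

    Statements that mix actions needing different types (e.g. Publish and Subscribe on one
    resource) are left untouched, because a single rewrite cannot satisfy both.
    """
    fixed = copy.deepcopy(policy)
    for f in check_policy(policy):
        if f["issue"] != "wrong_resource_type":
            continue
        stmt = fixed["Statement"][f["statement"]]
        needed = {REQUIRED_TYPE[a] for a in _as_list(stmt["Action"]) if a in REQUIRED_TYPE}
        if len(needed) != 1:
            continue
        m = ARN_RE.match(f["resource"])
        new_res = f["resource"][:m.start("type")] + f["expected"] + f["resource"][m.end("type"):]
        if isinstance(stmt["Resource"], list):
            stmt["Resource"] = [new_res if r == f["resource"] else r for r in stmt["Resource"]]
        else:
            stmt["Resource"] = new_res
    return fixed


if __name__ == "__main__":
    for f in check_policy(CLAIM_POLICY):
        print(f"statement {f['statement']}: {f['action']} on {f['resource']} -> {f['issue']}")
    for stmt in fix_policy(CLAIM_POLICY)["Statement"]:
        print(stmt["Action"], stmt["Resource"])
```

Run against the constructed policy, check_policy reports exactly the two Subscribe statements, and fix_policy rewrites their ARNs to topicfilter/ so that the corrected document passes the check; the Connect statement's "*" is left alone because client identity is a separate concern from topic scoping.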
