IoT Core Policy - MQTT 'Connect' Authorization Failure

Question

Hi,

I have two Greengrass Core devices that connect to IoT Core. They are registered as Things with names 'M112234' and 'M112235' respectively.

M112234 connects to IoT Core via MQTT without any problems (MQTT client ID used is 'M112234'). M112235 is special as it is used as a development device. For the purposes of this example, M112235 uses the MQTT client ID 'M112235_dev'.

Below is part of the IoT Core Policy attached to the certificates associated with these two devices (`XYZ` substituted for account ID in actual policy):

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}_dev"
      ],
      "Effect": "Allow"
    },
```

For reasons that I do not understand, M112234 is able to connect without any problems (which I'd expect, as M112234 is the thing name associated with this device in the IoT Core registry). However, M112235 always fails to connect with the following error message show in the `IotCoreV2Logs` Cloudwatch log group:

```
{
    "timestamp": "2023-09-13 10:32:03.437",
    "logLevel": "ERROR",
    "traceId": "XYZ",
    "accountId": "XYZ",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "M112235_dev",
    "principalId": "XYZ",
    "sourceIp": "XYZ",
    "sourcePort": 58460,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}
```
My question is, why would this be? Am I not able to concatenate the `iot:Connection.Thing.ThingName` template variable with `_dev` (IoT Core allows me to save the policy)?

I've also tried modifying the policy to be as follows, also to no avail:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}*",
      ],
      "Effect": "Allow"
    },
```
Any help/suggestions would be greatly appreciated.

Accepted Answer

Hi,

AWS IoT Policies do not support string concatenation or wildcards in the resources associated with the `iot:Connect` action. Please refer to the documentation:  https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#iot-policies.

My recommendation is to use the Certificate policy variables instead of Thing Policy variables (see https://docs.aws.amazon.com/iot/latest/developerguide/cert-policy-variables.html for the supported variables). You can store the name of the device in the `iot:Certificate.Issuer.CommonName` and write the above policy as follow:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Certificate.Issuer.CommonName}",
      ],
      "Effect": "Allow"
    },
```

Note that you need to use a CSR (Certificate Signing Request) to set the Common Name when getting AWS IoT managed device certificated by using the [CreateCertificateFromCSR](https://docs.aws.amazon.com/iot/latest/apireference/API_CreateCertificateFromCsr.html) API

IoT Core Policy - MQTT 'Connect' Authorization Failure

관련 콘텐츠