IoT Core Policy - MQTT 'Connect' Authorization Failure


Hi,

I have two Greengrass Core devices that connect to IoT Core. They are registered as Things with names 'M112234' and 'M112235' respectively.

M112234 connects to IoT Core via MQTT without any problems (MQTT client ID used is 'M112234'). M112235 is special as it is used as a development device. For the purposes of this example, M112235 uses the MQTT client ID 'M112235_dev'.

Below is part of the IoT Core Policy attached to the certificates associated with these two devices (XYZ substituted for account ID in actual policy):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}_dev"
      ],
      "Effect": "Allow"
    },
```

For reasons that I do not understand, M112234 is able to connect without any problems (which I'd expect, as M112234 is the thing name associated with this device in the IoT Core registry). However, M112235 always fails to connect with the following error message shown in the IotCoreV2Logs CloudWatch log group:

```json
{
    "timestamp": "2023-09-13 10:32:03.437",
    "logLevel": "ERROR",
    "traceId": "XYZ",
    "accountId": "XYZ",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "M112235_dev",
    "principalId": "XYZ",
    "sourceIp": "XYZ",
    "sourcePort": 58460,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}
```

My question is, why would this be? Am I not able to concatenate the iot:Connection.Thing.ThingName template variable with _dev (IoT Core allows me to save the policy)?

I've also tried modifying the policy to be as follows, also to no avail:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Connection.Thing.ThingName}*"
      ],
      "Effect": "Allow"
    },
```

Any help/suggestions would be greatly appreciated.

cgddrd
asked 8 months ago · 426 views

1 Answer

Accepted Answer

Hi,

AWS IoT Policies do not support string concatenation or wildcards in the resources associated with the iot:Connect action. Please refer to the documentation: https://docs.aws.amazon.com/greengrass/v2/developerguide/device-auth.html#iot-policies.

My recommendation is to use the Certificate policy variables instead of Thing policy variables (see https://docs.aws.amazon.com/iot/latest/developerguide/cert-policy-variables.html for the supported variables). You can store the name of the device in the iot:Certificate.Issuer.CommonName and write the above policy as follows:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iot:Connect",
      "Resource": [
        "arn:aws:iot:eu-west-1:XYZ:client/${iot:Certificate.Issuer.CommonName}"
      ],
      "Effect": "Allow"
    },
```

Note that you need to use a CSR (Certificate Signing Request) to set the Common Name when getting AWS IoT managed device certificates by using the CreateCertificateFromCSR API.

AWS
EXPERT
answered 8 months ago
AWS
EXPERT
reviewed 8 months ago
  • Hi, I've realised I don't understand this part of your answer: "AWS IoT Policies do not support string concatenation or wildcards in the resources associated with the iot:Connect action". In the documentation you link to, it explicitly states "AWS IoT policies support * as a wildcard character" and the example below this on the same page states: "The Connect policy includes the * wildcard after the core device thing name (for example, core-device-thing-name*)." These seem to be at odds with your assertion.

  • Hi. You are right. Wildcards are supported. However, please see the quote here: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

    The thing name is obtained from the client ID in the MQTT Connect message

    So ${iot:Connection.Thing.ThingName}_dev produces M112235_dev_dev. One other catch: Greengrass makes more than one connection if you have more than 50 subscriptions, and those extra connections don't use a client ID matching the thing name. This is also stated in the link Massi shared.
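To make the behaviour discussed in the answer (a policy keyed on the certificate's Common Name) and in the comments (the thing policy variable is derived from the MQTT client ID) concrete, here is an added, self-contained Python simulation of how the three policies on this page resolve for the two devices. It is constructed for this page and is not AWS code or the poster's code. Its assumptions, which go beyond what the thread states: `${iot:Connection.Thing.ThingName}` resolves only when the client ID names a registered thing that has the connecting certificate attached, and an unresolved variable leaves the resource matching nothing; the certificate variable used is `${iot:Certificate.Subject.CommonName}`, because the CN you place in a CSR ends up in the issued certificate's subject; `*` matches any run of characters. The registry contents and certificate IDs (`cert-A`, `cert-B`) are constructed sample data.

```python
"""Constructed simulation of iot:Connect policy-variable resolution.

Not AWS code. Assumptions (also stated in the lead-in):
  * ${iot:Connection.Thing.ThingName} is taken from the MQTT client ID and
    resolves only if a registered thing of that exact name has the connecting
    certificate attached; otherwise the variable stays unresolved and the
    resource cannot match any client ARN.
  * ${iot:Certificate.Subject.CommonName} is the subject CN of the certificate.
  * '*' in a resource ARN matches any run of characters.
"""
import re

REGION = "eu-west-1"
ACCOUNT = "XYZ"                       # account ID is redacted on the page
CLIENT_ARN_PREFIX = f"arn:aws:iot:{REGION}:{ACCOUNT}:client/"

THING_VAR = "${iot:Connection.Thing.ThingName}"
CN_VAR = "${iot:Certificate.Subject.CommonName}"

# Constructed registry: thing name -> certificate IDs attached to that thing.
REGISTRY = {
    "M112234": {"cert-A"},
    "M112235": {"cert-B"},
}


def resolve_thing_name(client_id, cert_id):
    """Documented rule: the thing name comes from the client ID.
    Assumed rule: it only resolves when that thing exists and the
    connecting certificate is attached to it."""
    if cert_id in REGISTRY.get(client_id, set()):
        return client_id
    return None


def expand(resource, client_id, cert_id, cert_cn):
    """Substitute policy variables; return None if any cannot be resolved."""
    if THING_VAR in resource:
        name = resolve_thing_name(client_id, cert_id)
        if name is None:
            return None
        resource = resource.replace(THING_VAR, name)
    if CN_VAR in resource:
        if cert_cn is None:
            return None
        resource = resource.replace(CN_VAR, cert_cn)
    return resource


def arn_matches(pattern, arn):
    """Match an ARN against a resource pattern where '*' is the only wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def connect_allowed(policy, client_id, cert_id, cert_cn=None):
    """Evaluate iot:Connect for one MQTT CONNECT; an explicit Deny wins."""
    client_arn = CLIENT_ARN_PREFIX + client_id
    allow = deny = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if "iot:Connect" not in actions and "iot:*" not in actions:
            continue
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        hit = False
        for res in resources:
            expanded = expand(res, client_id, cert_id, cert_cn)
            if expanded is not None and arn_matches(expanded, client_arn):
                hit = True
        if hit:
            if stmt["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    return allow and not deny


def connect_policy(*resources):
    """Build a single-statement Connect policy like the ones on the page."""
    return {"Version": "2012-10-17",
            "Statement": [{"Action": "iot:Connect",
                           "Resource": list(resources),
                           "Effect": "Allow"}]}


POLICY_CONCAT = connect_policy(CLIENT_ARN_PREFIX + THING_VAR,
                               CLIENT_ARN_PREFIX + THING_VAR + "_dev")
POLICY_WILDCARD = connect_policy(CLIENT_ARN_PREFIX + THING_VAR + "*")
POLICY_CERT_CN = connect_policy(CLIENT_ARN_PREFIX + CN_VAR)


if __name__ == "__main__":
    cases = [
        ("concat", POLICY_CONCAT, "M112234", "cert-A", None),
        ("concat", POLICY_CONCAT, "M112235_dev", "cert-B", None),
        ("wildcard", POLICY_WILDCARD, "M112235_dev", "cert-B", None),
        ("cert-cn", POLICY_CERT_CN, "M112235_dev", "cert-B", "M112235_dev"),
        ("cert-cn", POLICY_CERT_CN, "M112235_dev", "cert-B", "M112235"),
    ]
    for label, policy, client_id, cert_id, cn in cases:
        verdict = connect_allowed(policy, client_id, cert_id, cn)
        print(f"{label:9} clientId={client_id:12} CN={cn!s:12} -> {verdict}")
```

Under these assumptions the two thing-variable policies admit `M112234` but reject `M112235_dev`, because no thing named `M112235_dev` exists, so the variable never resolves and neither the `_dev` suffix nor the `*` suffix gets a chance to apply. The certificate-CN policy admits the development device only when the CN in its certificate is exactly the client ID it connects with; a certificate whose CN is `M112235` still fails for client ID `M112235_dev`, so the CN placed in the CSR has to be chosen with the intended client ID in mind.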
