- Newest
- Most votes
- Most comments
Hi,
the IoT policy that is created by the "getting started" guide in the IoT Core console does not have permissions to interact with the shadow.
- The shadow delta listener uses by default the client id basicShadowDeltaListener which is not allowed in the policy.
- The policy does not include permissions to interact with the device shadow topics
For me the following modified policy works with the basicShadowDeltaListener in case you use repost as thing name and client id:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive",
"iot:RetainPublish"
],
"Resource": [
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topic/sdk/test/java",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topic/sdk/test/Python",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topic/topic_1",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topic/topic_2",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topic/$aws/things/repost/shadow/*"
]
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": [
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topicfilter/sdk/test/java",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topicfilter/sdk/test/Python",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topicfilter/topic_1",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topicfilter/topic_2",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:topicfilter/$aws/things/repost/shadow/*"
]
},
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": [
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:client/sdk-java",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:client/basicPubSub",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:client/repost",
"arn:aws:iot:REPLACE_WITH_YOUR_AWS_REGION:REPLACE_WITH_YOUR_AWS_ACCOUNT_NUMBER:client/sdk-nodejs-*"
]
}
]
}
You can find more information about IoT Policies in the developer guide.
KR, Philipp
Thanks for your response. After applying the policy changes mentioned, the connection issue still persists.
Did you use "repost" for thing name and client id? If not you need to modify the policy accordingly. You can also take a look at CloudWatch logs (insights) to find connection errors.
Changed the "repost" to the name of my Thing
Publishing the get topic to the shadow from the MQTT Test Client returns get/accepted
$aws/things/GatewayPi4/shadow/get/accepted April 06, 2022, 12:16:07 (UTC-0700) { "state": {}, "metadata": {}, "version": 3, "timestamp": 1649272567 } $aws/things/GatewayPi4/shadow/get April 06, 2022, 12:16:07 (UTC-0700) { "message": "Hello from AWS IoT console" }
publishing to the reserved shadow topics works, but subscribing to reserved topics fails.
Relevant content
- asked a year ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 7 months ago
Running basicPubSub.py results in a 'connack'. Running basicShadowDeltaListener.py results in a 'disconnect' with the same parameters used.
2022-04-06 08:00:49,884 - AWSIoTPythonSDK.core.protocol.internal.workers - DEBUG - Produced [connack] event
2022-04-06 08:02:12,820 - AWSIoTPythonSDK.core.protocol.internal.workers - DEBUG - Produced [disconnect] event