IoT Policy works on certificate but not on group?

0

I'm doing some basic MQTT coding. I have a simple policy below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    }
  ]
}

It works great when I attach it to the certificate of my Thing. But... when I instead attach it to a thing group, and assign the Thing into that group... it has no effect. I've tried waiting a minute or two, but no workie. Meanwhile, when I then assign it to the certificate again... it works immediately!

I'm confused. Why doesn't assigning IoT policy permissions through thing groups work?

asked 2 years ago, 476 views
2 Answers
1
Accepted Answer

It turns out that for some reason, if you connect with a "client_id" that is random, you will only get policies applied that are directly associated with the certificate you use to connect. So you can use a client_id of whatever you want, in the case where you are directly associating policies.

To take advantage of groups, you MUST use a client_id that exactly matches the thing-name that your cert is associated with.

answered 2 years ago
0

Hi,

did you try to list the effective policies for your thing? This could help to debug this issue.

Did you use a static thing group? Dynamic thing groups do not support attaching policies to the group.

There is a chapter about thing groups in the IoT Device Management workshop which might help.

Cheers,
Philipp

AWS
EXPERT
answered 2 years ago
  • Interesting. I shall look into those references. But for the record, it is a static group.

  • Erm. Also your first link is just to thing groups; it doesn't seem to describe how to "list effective policies for a thing"?

  • The docs for get-effective-policies claim that valid arguments for --principal are a cert ARN or a thing group ARN.

    However, when I literally cut'n'paste the ARN for my thing group, the get-effective-policies call complains: An error occurred (InvalidRequestException) when calling the GetEffectivePolicies operation: The given ARN does not represent a cert

    This kinda implies the docs lie, and you can't actually use IoT policies for thing groups?

  • FYI, I just literally cut'n'pasted that Workshop code and made the "building_one" related group and policy.

    I just added a fuller clause to the policy,

        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
    

    Assigned my test thing to the group. Nothing.

    Waited a bit. Still nothing. awscrt.exceptions.AwsCrtError: AWS_ERROR_MQTT_UNEXPECTED_HANGUP: The connection was closed unexpectedly.

    Assigned the CERT for my test thing to the policy. Then my MQTT connections work fine.

    Given that the error is, "AwsCrtError".... is there some magic iot lib code where I'm supposed to request access a DIFFERENT way when using inherited group permissions or something?
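An added example (not code from the question or either answer) that models the rule the accepted answer states and the static-group caveat from the second answer: certificate-attached policies always apply, group-attached policies only when the MQTT client ID equals the thing name. The thing name, ARNs and the policy contents are constructed sample values.

```python
import fnmatch

# Constructed sample values (placeholders, not real AWS identifiers).
THING_NAME = "my-test-thing"
CLIENT_ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:client/"

# Same shape as the policy in the question, here attached to a static thing group.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": "*"},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": "*"},
    ],
}


def effective_policies(cert_policies, group_policies, group_is_static, thing_name, client_id):
    """Policies AWS IoT evaluates for one MQTT connection, per this thread:
    certificate-attached policies always apply; static-group policies apply only
    when the MQTT client ID equals the thing name the certificate is attached to."""
    policies = list(cert_policies)
    if group_is_static and client_id == thing_name:
        policies.extend(group_policies)
    return policies


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource="*"):
    """Minimal policy evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Wildcards (* and ?) in Action/Resource use fnmatch."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def connect_succeeds(client_id, cert_policies=(), group_policies=(GROUP_POLICY,), group_is_static=True):
    """True if iot:Connect is allowed for this client ID; False models the
    AWS_ERROR_MQTT_UNEXPECTED_HANGUP the asker saw (broker closes the connection)."""
    policies = effective_policies(cert_policies, group_policies, group_is_static, THING_NAME, client_id)
    return is_allowed(policies, "iot:Connect", CLIENT_ARN_PREFIX + client_id)
```

For the real listing, `aws iot get-effective-policies` takes `--thing-name` alongside `--principal` (the certificate ARN, not the group ARN), which is how group-attached policies are included in the result.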
