By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Issue when trying to set no permissive policy MQTIos iot core

0

Hi all, I build a system with nrf sdk and nRF9151 chip. I created a thing in aws iot core, create certs and attach policy, for my first test I use a very permissive policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

So to be cut I've followed this tutorial from nordic, everything work, I'm able to connect, subscride, publish etc.

But for now I'd like to create no permissive policy, but despite all my attempts I cannot get my system to work. What I want to do:

  • be able to subscribe to topics like /TOP/359404230604599/*
  • be able to receive to topics like /TOP/359404230604599/*
  • be able to connect with clientID 359404230604599 (same as my thing name)

here is what I've tried

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/TOP/359404230604599/"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-3:removed:topicfilter/TOP/359404230604599/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/TOP/359404230604599/*"
    }
  ]
}

It's doesn't work, it's look like as soon as I add something behind topic/ or topicfilter other than *I'm blocked...

What I miss ?

Thanks

Topics
Internet of Things (IoT)
Tags
AWS IoT Core
Language
English
Simon
asked 9 days ago42 views
2 Answers
0

The policy provided in the AI generated answer is correct for what you want to achieve, assuming the clientId passed used by the code on the device is exactly the same as the thing name.

The error you published is related to the connection attempt. Could you confirm that if you change the first statement to

{
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    }

you get a different error?

AWS
EXPERT
MassimilianoAWS
answered 8 days ago
  • Simon
    8 days ago

    No I have the same error, for example if I do

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-3:removed:topicfilter/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/**"
    }
  ]
}

    Everything works but as soon as I try to add something after topicfilerin Subscribe, I got an AUTHORIZATION_FAILURE

    Example

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-3:removed:topicfilter/TOP/359404230604599/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/*"
    }
  ]
}

    Not working

  • MassimilianoAWS EXPERT
    8 days ago

    Can you confirm that in the error you get "eventType": "CONNECT" even with the modified policy? If you can, please provide a copy of the error.

  • Simon
    8 days ago

    Hello, For now I confirm I'm authorized to connect if I do

    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    }

    In my policy, and I'm also able to subscride and publich using specifig topic path.

    But as soon as I try to restricted my connect rules, I'm rejected. For example if I do

        {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-3:ACCOUNT_ID:client/CLIENT_ID"
    },

    I got this error in CloudWatch

    {
    "timestamp": "2025-05-06 08:28:02.800",
    "logLevel": "ERROR",
    "traceId": "removed",
    "accountId": "ACCOUNT_ID",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "CLIENT_ID",
    "principalId": "removed",
    "sourceIp": "removed",
    "sourcePort": 55296,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

    I've verified, ACCOUNT_ID and CLIENT_ID are good, number shown in my log and number in my policy are the same. My things is name same as my CLIENT_ID

  • MassimilianoAWS EXPERT
    7 days ago

    Hi,

    am I correct that if you leave the wildcard in the iot:Connect statement, your device can connect, subscribe, publish and receive messages? That is, when using the following policy everything works?

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish", 
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-3:removed:topicfilter/TOP/359404230604599/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-west-3:removed:topic/*"
    }
  ]
}

    If this is not the case, please copy the error you get. Thanks.

  • MassimilianoAWS EXPERT
    7 days ago

    Could you also share the values of these 3 variables used by the Nordic library:

    CONFIG_AWS_IOT_CLIENT_ID_STATIC 
CONFIG_AWS_IOT_CLIENT_ID_APP
CONFIG_AWS_IOT_CLIENT_ID_MAX_LEN
0

When creating a less permissive policy for AWS IoT Core, there are a few key points to consider:

  1. Client ID restriction: To ensure that only the specific device can connect, you should restrict the iot:Connect action to use the thing name as the client ID. This can be done using the ${iot:Connection.Thing.ThingName} policy variable.

  2. Topic structure: Make sure your topic structure in the policy exactly matches what your device is trying to publish to or subscribe to. The wildcard (*) at the end allows for subtopics.

  3. Resource ARNs: Ensure that your account ID and region are correct in the resource ARNs.

Based on your requirements, here's a suggested policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-3:YOUR_ACCOUNT_ID:client/${iot:Connection.Thing.ThingName}",
      "Condition": {
        "StringEquals": {
          "iot:ClientId": "${iot:Connection.Thing.ThingName}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:eu-west-3:YOUR_ACCOUNT_ID:topic/TOP/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-3:YOUR_ACCOUNT_ID:topicfilter/TOP/${iot:Connection.Thing.ThingName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:eu-west-3:YOUR_ACCOUNT_ID:topic/TOP/${iot:Connection.Thing.ThingName}/*"
    }
  ]
}

This policy:

  1. Restricts the Connect action to only allow connections with a client ID matching the thing name.
  2. Allows publishing, subscribing, and receiving on topics that start with "/TOP/[ThingName]/" and can have any subtopics after that.
  3. Uses the ${iot:Connection.Thing.ThingName} variable to dynamically insert the thing name into the topic structure.

Make sure to replace YOUR_ACCOUNT_ID with your actual AWS account ID.

If you're still experiencing issues after applying this policy, double-check that:

  1. The thing name in AWS IoT Core exactly matches the client ID your device is using to connect.
  2. The topic structure in your device code matches what's specified in the policy.
  3. The certificate associated with the thing is activated and properly attached to both the thing and this policy.

Remember, when using the ${iot:Connection.Thing.ThingName} variable, the client ID used to connect must exactly match the thing name for the policy to work correctly.
Sources
Policy Thing Problem | AWS re:Post
New needed IoT publish permissions from Lambda | AWS re:Post

profile picture
re:Post Agent
answered 9 days ago
  • Simon
    8 days ago

    I've just try the solution privide by IA, same result I got an AUTHORIZATION_FAILURE. The only working solution is usinng *, as soon as I try to add omething other than * I'm rejected

    {
    "timestamp": "2025-05-05 13:28:51.911",
    "logLevel": "ERROR",
    "traceId": "-----------",
    "accountId": "same_as_my_arn",
    "status": "Failure",
    "eventType": "Connect",
    "protocol": "MQTT",
    "clientId": "same_as_my_thing_name",
    "principalId": "------------",
    "sourceIp": "removed",
    "sourcePort": 49617,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content