To resolve the ForbiddenException error you're encountering when trying to publish IoT data from your new Lambda functions, you need to ensure that the Lambda function has the necessary permissions to interact with AWS IoT Core. The issue is likely related to insufficient permissions for your Lambda function to publish MQTT messages.
Here are the steps you should take to grant the required permissions:
- You need to add the appropriate AWS IoT permissions to your Lambda function's execution role. The most relevant policy for this purpose is the AWSIoTDataAccess managed policy. This policy grants permissions for all AWS IoT data operations, including publishing messages.
- If you prefer to use a more fine-grained approach, you can create a custom IAM policy that includes the specific IoT permissions needed for publishing. The key permission you need is "iot:Publish".
- Attach the chosen policy (either AWSIoTDataAccess or your custom policy) to your Lambda function's execution role.
- Additionally, you need to grant AWS IoT permission to invoke your Lambda function. This is done by adding a resource-based policy to your Lambda function. You can do this using the AWS CLI or through the AWS Management Console.
Using the AWS CLI, you can add the necessary permission with a command like this:
aws lambda add-permission --function-name your-function-name \
--statement-id iot-permission --action "lambda:InvokeFunction" \
--principal iot.amazonaws.com
Replace "your-function-name" with the actual name of your Lambda function.
These steps should be sufficient to allow your Lambda functions (both Python and Node.js) to publish IoT data. If you're still encountering issues after implementing these changes, double-check that your Lambda function code is correctly configured to publish to the intended IoT topic and that you're using the AWS SDK properly in your function code.
Remember, the exact permissions needed may vary depending on your specific use case and security requirements. Always follow the principle of least privilege when assigning permissions.
Sources
- AWS managed policies for AWS IoT - AWS IoT Core
- Using AWS Lambda with AWS IoT - AWS Lambda
- AWS IoT Core now supports private certificate authorities with fleet provisioning | The Internet of Things on AWS – Official Blog
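To make the least-privilege option in the answer above concrete, here is an added example (not code from the answer or from AWS) that builds an execution-role policy scoped to a single topic, builds the resource-based statement the `aws lambda add-permission` command produces, and flags wildcard grants such as those in a broad managed policy. The account id, region, topic and function ARN are constructed placeholders.

```python
"""Least-privilege IoT publish policy for a Lambda execution role, plus a
check for over-broad grants. Added example; all identifiers are placeholders."""
import json


def iot_publish_policy(account_id: str, region: str, topic: str) -> dict:
    """IAM policy allowing iot:Publish on exactly one topic ARN."""
    topic_arn = f"arn:aws:iot:{region}:{account_id}:topic/{topic}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Publish", "Resource": topic_arn}
        ],
    }


def lambda_invoke_statement(function_arn: str, statement_id: str) -> dict:
    """Resource-based statement equivalent to the add-permission CLI call
    in the answer: lets the IoT service principal invoke the function."""
    return {
        "Sid": statement_id,
        "Effect": "Allow",
        "Principal": {"Service": "iot.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
    }


def overbroad_statements(policy: dict) -> list:
    """Return Allow statements whose Action or Resource is a wildcard;
    these are the grants a least-privilege review should question."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "iot:*") for a in actions) or "*" in resources:
            flagged.append(stmt)
    return flagged


# Constructed stand-in for a broad managed policy: all IoT actions, all resources.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

if __name__ == "__main__":
    scoped = iot_publish_policy("123456789012", "us-east-1", "sensors/temp")
    print(json.dumps(scoped, indent=2))
    print("broad statements flagged:", len(overbroad_statements(BROAD_POLICY)))
```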
Thank you, I have done this, but for some reason I'm having issues. As long as the permission policies have not been changed at AWS in the last year, then it must be another issue that is my fault. Thanks for your help.