
Can you create Dynamic Role Policies for the TES when assuming a role?

0

I am wanting to know if it is possible to create one IAM policy that can be attached to multiple Roles and Role Aliases, and/or whether I can have one role alias for all my IoT Devices and set dynamic IAM Policies based on the ThingName.

As an example, I need to scope permissions for each Greengrass Device for which AWS services they can access - I am using S3 as an example here but it may be other services as well.

Could I create one Role Alias that all IoT Things/Core Devices can assume? This role alias points to an IAM role which has a policy associated with it.

I want to be able to create a policy similar to the below (knowing that my example doesn't work): This will allow all devices to access the "devices" bucket but then scope the access to the Key that is prefixed with the ThingName.

I want to be able to do this as I know for my use case the devices will all follow the same pattern but want to isolate access from each other, without having to manage hundreds or thousands of policies.

Is this possible or is there an alternative I should look at?

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": [
				"s3:ListBucket",
				"s3:GetObject",
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::devices/${iot:Connection.Thing.ThingName}/*",
				"arn:aws:s3:::devices"
			],
			"Effect": "Allow"
		}
	]
}
2 Answers
2
Accepted Answer

The Token Exchange Service uses the AWS IoT Credential provider to obtain the credentials. From the developer guide, there are three policy variables that can be used:

For each AWS service that you want to call, attach an access policy to the role. The credentials provider supports the following policy variables:

credentials-iot:ThingName

credentials-iot:ThingTypeName

credentials-iot:AwsCertificateId

These are then evaluated and provided to IAM only, i.e. these three variables work for IAM policies only, not AWS IoT Core policies.

So for your case of "arn:aws:s3:::devices/${iot:Connection.Thing.ThingName}/*", try using the following as the resource: "arn:aws:s3:::devices/${credentials-iot:ThingName}/*".

AWS
answered 2 years ago
EXPERT
reviewed 2 years ago
  • This works perfectly! Thank you. I feel like it should be a more prominent solution in the documentation - having to only manage one policy makes managing the devices at scale very easy! I got this working directly from the IoT certificates but not yet tested through GG and the TES

    Does the GG Token Exchange Service pass the x-amzn-iot-thingname header when it makes the request? So I can rely on the fact that credentials-iot:ThingName will be available?

  • Glad it's working Phil. As for thingName, I'm pretty sure it does as that's a parameter to the TES cloud helper. We'll pass along your comment to make more visible in the documentation too.
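As an added example (not code from the answer or from AWS), here is the asker's policy rewritten with the variable Gavin names, plus an s3:prefix condition so a device can only list its own prefix; the small evaluator is a deliberately simplified model of IAM written for this illustration, and the thing names are constructed.

```python
"""Per-thing S3 isolation using the IoT credentials provider variable."""
import fnmatch
import json

THING_VAR = "${credentials-iot:ThingName}"  # resolved by the credentials provider

# Corrected policy: object access is confined to the thing's own prefix, and
# ListBucket is limited to that prefix via s3:prefix. Without that condition,
# ListBucket on the bucket ARN would let every device enumerate all keys.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::devices/{THING_VAR}/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::devices",
            "Condition": {"StringLike": {"s3:prefix": f"{THING_VAR}/*"}},
        },
    ],
}


def resolve(policy: dict, thing_name: str) -> dict:
    """Substitute the policy variable with the calling thing's name."""
    return json.loads(json.dumps(policy).replace(THING_VAR, thing_name))


def allowed(policy: dict, thing: str, action: str, resource: str, prefix: str = "") -> bool:
    """Simplified evaluation (Allow only, '*' wildcards, StringLike on s3:prefix).

    This is a toy model for reasoning about scope, not the IAM engine."""
    for st in resolve(policy, thing)["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if action not in actions or not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        pattern = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        # A StringLike condition on an absent or non-matching prefix fails the statement.
        if pattern is not None and not fnmatch.fnmatchcase(prefix, pattern):
            continue
        return True
    return False
```

Calling `allowed(POLICY, "sensor-1", "s3:GetObject", "arn:aws:s3:::devices/sensor-2/data.json")` returns False, which is the isolation the asker wants from a single policy.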

1

Hi Phil. iot:Connection.Thing.ThingName is only available in IoT policies. And only for actions performed over MQTT. So it can't be used in IAM policies.

Can you perhaps use presigned URLs instead?

https://aws.amazon.com/blogs/iot/securely-ingesting-large-sized-payloads-from-iot-devices-to-the-aws-cloud/

UPDATE: Gavin's answer is better.

AWS
EXPERT
answered 2 years ago
