Hello,
The issue lies with the unauthenticated access for Cognito Identity and the iam:PassRole action in your policy.
Unauthenticated Access:
- You created a Cognito Identity for unauthenticated access, but the ota-job-role likely requires authentication to be assumed.
Policy Limitation:
- While your policy includes iam:PassRole and iam:GetRole, it might not allow passing the role to an unauthenticated user.
Possible Solutions:
- Authenticate Users: If your use case allows, consider implementing user authentication for Cognito Identity to assume the ota-job-role.
- Adjust Policy: Modify the policy attached to ota-job-role to explicitly allow the iam:PassRole action for the principal of your Cognito Identity (even if unauthenticated). However, this approach weakens security, so proceed with caution.
- Managed Authentication: Explore using AWS SDK for JavaScript features like CognitoUser class for user authentication before creating the OTA job. This ensures proper credentials are used for assuming the role.

Review the documentation for CreateOTAUpdateCommand (https://docs.aws.amazon.com/iot/latest/apireference/API_CreateOTAUpdate.html).
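
A check related to the "Adjust Policy" option above, as an added example that is not part of the original answer or of AWS documentation: it audits an IAM policy document that grants iam:PassRole and reports any grant not pinned to ota-job-role and to a single receiving service. The account ID, the Sids, the function names and the service principal iot.amazonaws.com are assumptions made for the example.

```javascript
// Added example: audit iam:PassRole grants in an IAM identity policy document.
// Only Allow statements that use Action/Resource are examined (NotAction and
// NotResource are out of scope here).
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns may contain '*' and '?' and are case-insensitive.
function matchesPassRole(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');
  return re.test('iam:PassRole');
}

// Returns one finding per PassRole grant that is not pinned to roleArn and service.
function auditPassRole(policy, roleArn, service) {
  const findings = [];
  asArray(policy.Statement).forEach((st, i) => {
    if (st.Effect !== 'Allow' || !asArray(st.Action).some(matchesPassRole)) return;
    const id = st.Sid || `Statement[${i}]`;
    for (const res of asArray(st.Resource)) {
      if (res !== roleArn) findings.push(`${id}: Resource "${res}" is not exactly ${roleArn}`);
    }
    const eq = (st.Condition || {}).StringEquals || {};
    const key = Object.keys(eq).find((k) => k.toLowerCase() === 'iam:passedtoservice');
    const services = key ? asArray(eq[key]) : [];
    if (services.length !== 1 || services[0] !== service) {
      findings.push(`${id}: iam:PassedToService is not limited to ${service}`);
    }
  });
  return findings;
}

// Constructed sample data; 111122223333 is a placeholder account ID.
const ROLE = 'arn:aws:iam::111122223333:role/ota-job-role';
const SERVICE = 'iot.amazonaws.com'; // assumed receiving service for the OTA role
const broad = { Version: '2012-10-17', Statement: [
  { Sid: 'OtaBroad', Effect: 'Allow', Action: ['iam:GetRole', 'iam:PassRole'], Resource: '*' },
] };
const scoped = { Version: '2012-10-17', Statement: [
  { Sid: 'OtaGetRole', Effect: 'Allow', Action: 'iam:GetRole', Resource: ROLE },
  { Sid: 'OtaPassRole', Effect: 'Allow', Action: 'iam:PassRole', Resource: ROLE,
    Condition: { StringEquals: { 'iam:PassedToService': SERVICE } } },
] };

console.log(auditPassRole(broad, ROLE, SERVICE));  // findings for the wildcard grant
console.log(auditPassRole(scoped, ROLE, SERVICE)); // no findings
```

Run it against the policy attached to whichever principal calls CreateOTAUpdate; an empty result means every PassRole grant names exactly one role and one service.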