How to set a proper policy for the role attached to a republish rule in IoT


I have a rule (republish_generic2) with the following query statement:

SELECT topic(2) as device_id, temperature FROM 'things/+/pub'

and with a republish action, republishing to the following topic:

things/${topic(2)}/sub

thus with a substitution template. (I've defined a role along with the rule.)
Additionally I've added an error topic: error/2

I had also created a similar rule (republish_1) but republishing to things/device1/sub (so without using a substitution template)

When publishing to things/device1/pub with the republish_1 rule, the message nicely appears at the things/device1/sub topic.
However, the republish_generic2 rule isn't able to publish to the same topic. The error/2 topic receives the following:
```json
{
  "ruleName": "republish_generic2",
  "topic": "things/device1/pub",
  "cloudwatchTraceId": "xxxxx",
  "clientId": "xxxx",
  "base64OriginalPayload": "ewogICJ0ZW1wZXJhdHVyZSI6IDI4LAogICJodW1pZGl0eSI6IDgwLAogICJiYXJvbWV0ZXIiOiAxMDEzLAogICJ3aW5kIjogewogICAgInZlbG9jaXR5IjogMjIsCiAgICAiYmVhcmluZyI6IDI1NQogIH0KfQ==",
  "failures": [
    {
      "failedAction": "RepublishAction",
      "failedResource": "things/device1/sub",
      "errorMessage": "Failed to republish to topic. Received Server error. The error code is 403. Message arrived on: things/device1/pub, Topic: things/device1/sub"
    }
  ]
}
```
The rule works correctly, as does the substitution template, but it seems that an additional permission is now required when using a substitution template. But I cannot find out what and how. I've done some trial and error, but that leads to nothing. I could find something in the documentation saying that an additional permission is indeed needed when using a substitution template, but how exactly I couldn't find.

A snippet of my current policy document (REGION and ACCOUNT_ID are placeholders for the values in the original ARNs):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:Republish"
      ],
      "Resource": [
        "arn:aws:iot:REGION:ACCOUNT_ID:topic/things/*/pub",
        "arn:aws:iot:REGION:ACCOUNT_ID:topic/things/*/sub",
        "arn:aws:iot:REGION:ACCOUNT_ID:topic/things/device1/sub",
        "arn:aws:iam::ACCOUNT_ID:service-role/republish_generic_role2"
      ]
    }
  ]
}
```

Can anyone tell me what exactly I have to do to solve this issue?

djAnton, asked 3 years ago, 423 views

1 Answer

After some more digging I was able to answer the question myself:

First of all, I came to the insight that the policy document that can be edited in the IoT Console handles the permissions of the client that connects to IoT Core, and not the permissions of other AWS resources.

I recreated the solution, but this time not by using the AWS Console but by setting it up via the AWS CLI. That is quite verbose, but following the steps it works after all. A few of the steps involve the creation of the role and policy to be added to the rule. When I create that policy and attach it to the already created republish rule with the substitution template, it works as well.
So it seems to me to be a bug in the AWS Console that it doesn't create a proper policy when a substitution template is used in the rule's destination topic.

djAnton
answered 3 years ago
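The CLI setup the answer describes, written out as an added example (not the poster's own commands): a trust policy so the IoT rules engine can assume the role, a role permission policy granting iot:Publish on every topic the substitution template can expand to, and the rule created with that role. REGION, ACCOUNT_ID and the inline policy name republish-publish are assumed placeholders; the script only prints the documents unless run with the argument `apply`.

```shell
# Added example: role and rule for a republish action whose destination topic
# uses a substitution template. REGION/ACCOUNT_ID are assumed placeholders.
set -eu

REGION="${REGION:-eu-west-1}"            # assumption
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}" # assumption (constructed value)
ROLE_NAME="republish_generic_role2"
RULE_NAME="republish_generic2"

# Trust policy: only the IoT rules engine may assume the role.
trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"iot.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Permission policy on the IAM role (what the rules engine is checked against),
# not the IoT Core policy of the connecting client. The resource must cover
# every topic ${topic(2)} can expand to, hence the '*' segment.
role_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iot:Publish",
 "Resource":["arn:aws:iot:${REGION}:${ACCOUNT_ID}:topic/things/*/sub",
             "arn:aws:iot:${REGION}:${ACCOUNT_ID}:topic/error/2"]}]}
EOF
}

# Rule: republish to things/<device_id>/sub, failures go to error/2.
rule_payload() {
  cat <<EOF
{"sql":"SELECT topic(2) as device_id, temperature FROM 'things/+/pub'",
 "awsIotSqlVersion":"2016-03-23",
 "actions":[{"republish":{"topic":"things/\${topic(2)}/sub",
   "roleArn":"arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"}}],
 "errorAction":{"republish":{"topic":"error/2",
   "roleArn":"arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"}}}
EOF
}

apply() {  # IAM changes can take a few seconds to propagate before step 3.
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name republish-publish --policy-document "$(role_policy)"
  aws iot create-topic-rule --rule-name "$RULE_NAME" \
    --topic-rule-payload "$(rule_payload)"
}

if [ "${1:-}" = "apply" ]; then apply; else trust_policy; role_policy; rule_payload; fi
```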
