What is the appropriate aws iot provisioning by claim policy?

0

I recently started having an issue with provisioning devices. I had previously been using the following policy definition, for quite some time:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }
  ]
}

However, recently devices started to fail when provisioning. Looking at the CloudWatch logs, I would get something like:

{
    "timestamp": "2024-02-14 17:02:02.503",
    "logLevel": "ERROR",
    "traceId": "2aeeb77f-7f45-7e3b-f2dc-d5893ed5d48d",
    "accountId": "ACCOUNTID",
    "status": "Failure",
    "eventType": "Subscribe",
    "protocol": "MQTT",
    "topicName": "$aws/provisioning-templates/birthing_template/provision/json/rejected",
    "clientId": "CLIENTID",
    "principalId": "PRINCIPALID",
    "sourceIp": "SOURCEIP",
    "sourcePort": 61801,
    "reason": "AUTHORIZATION_FAILURE",
    "details": "Authorization Failure"
}

I then changed:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"
    }

to:

    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    }

And it started working. Is there something I'm missing? How is it that the previous template was working before?

txf
asked 2 months ago · 83 views
1 Answer
1
Accepted Answer

Hi. Your policy has an error. For the Subscribe actions, the resource is a topicfilter, not a topic.

https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#claim-based

Greg_B (AWS, EXPERT)
answered 2 months ago
reviewed a month ago by an EXPERT
  • Very strange that the provisioning used to work with the policy document as specified above. But I corrected it to use topicfilter and now it works, thank you.
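An added example, not code from the question or the answer: a small Python linter that checks each statement of an AWS IoT policy against the resource type its action expects (`iot:Subscribe` takes `topicfilter/` ARNs, `iot:Publish` and `iot:Receive` take `topic/` ARNs) and rewrites mismatched resources, which is the fix the accepted answer describes. The sample policy is constructed from the question's, keeping `[location:id]` as its placeholder for region and account; `EXPECTED_RESOURCE_TYPE` and the function names are assumptions of this example.

```python
import copy
import json
import re

# Constructed sample modelled on the question's policy: the Subscribe
# statements wrongly use "topic/" ARNs. "[location:id]" stands in for
# "<region>:<account-id>" exactly as in the question.
CLAIM_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": "arn:aws:iot:[location:id]:topic/$aws/certificates/create/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": ["arn:aws:iot:[location:id]:topic/$aws/provisioning-templates/birthing_template/provision/*"]}
  ]
}
""")

# Resource type each IoT data-plane action expects in a policy ARN.
EXPECTED_RESOURCE_TYPE = {"iot:Subscribe": "topicfilter",
                          "iot:Publish": "topic", "iot:Receive": "topic"}
# arn:aws:iot:<region>:<account>:<topic|topicfilter>/<path>
ARN_RE = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:(topic|topicfilter)/")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, action, resource, expected type) for every
    resource ARN whose type does not match its action. "*" is not an ARN,
    so it is never flagged (it works, but grants far more than needed)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in as_list(stmt.get("Action", [])):
            expected = EXPECTED_RESOURCE_TYPE.get(action)
            for res in as_list(stmt.get("Resource", [])):
                m = ARN_RE.match(res)
                if expected and m and m.group(1) != expected:
                    findings.append((i, action, res, expected))
    return findings

def fix_policy(policy):
    """Return a deep copy with each flagged ARN rewritten to the expected
    type; assumes one action per statement, as in the question's policy."""
    fixed = copy.deepcopy(policy)
    for i, _action, res, expected in lint_policy(policy):
        stmt = fixed["Statement"][i]
        new = [re.sub(r":(topic|topicfilter)/", f":{expected}/", r, count=1)
               if r == res else r for r in as_list(stmt["Resource"])]
        stmt["Resource"] = new if isinstance(stmt["Resource"], list) else new[0]
    return fixed
```

Running `lint_policy(CLAIM_POLICY)` reports the two Subscribe statements; `fix_policy` returns the policy with their resources changed to `topicfilter/`, leaving the Publish statement untouched.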
