IAM policies specific to device name


I am writing a Greengrass component and would like to use aws iot-data get-thing-shadow to fetch the shadow of the current device. Specifically, the full command is:

aws iot-data get-thing-shadow --thing-name "${AWS_IOT_THING_NAME}" --shadow-name "${my_shadow_name}" "shadow.json"

At the moment, I have the following (temporary) IoT policy attached to the device:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

The relevant portions of the IAM policy for the assumed role are:

        {
            "Action": "iot:Receive",
            "Effect": "Allow",
            "Resource": "arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/name/*/{topic}",
            "Sid": "ReadDeviceShadow"
        },
        {
            "Action": "iot:Subscribe",
            "Effect": "Allow",
            "Resource": "arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/name/*/{topic}",
            "Sid": "SubscribeDeviceShadow"
        },
        {
            "Action": "iot:Publish",
            "Effect": "Allow",
            "Resource": "arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:topic/$aws/things/${iot:Connection.Thing.ThingName}/shadow/name/*/{topic}",
            "Sid": "WriteDeviceShadow"
        },
        {
            "Action": [
                "iot:ListNamedShadowsForThing",
                "iot:GetThingShadow",
                "iot:UpdateThingShadow",
                "iot:DeleteThingShadow"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:thing/*",
            "Sid": "AllowGreengrassAccessToShadows"
        }

This does work and correctly fetches the named shadow. However, I'd like to make the resource in that last block more specific, so things can only fetch their own shadow. These are the resources I have tried, and all of them result in the error "An error occurred (ForbiddenException) when calling the GetThingShadow operation: None.":

arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:thing/${iot:Connection.Thing.ThingName}
arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:thing/${iot:Connection.Thing.ThingName}*
arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:thing/${iot:Connection.Thing.ThingName}**
arn:aws:iot:[MY_REGION]:[MY_ACCOUNT]:thing/**${iot:Connection.Thing.ThingName}**

Is it possible to filter GetThingShadow to a caller's own thing name in the IAM policy? Is this filtering only possible by the IoT policy? What is the correct resource here? I have found multiple conflicting sources on the correct resource to use for these operations.

1 Answer

Hi, did you try to write your policy with IAM conditions using the Thing ARN to write the right condition?

See section Amazon Resource Name (ARN) condition operators of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

AWS EXPERT, answered a year ago
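The question above turns on two mechanics of IAM resource matching: a `${...}` policy variable is substituted from the request context before the Resource ARN is compared, and `*` in a Resource ARN matches any run of characters, including `/`. The following is an added example, not code from the question, the answer or AWS; it is a deliberately small local model of that evaluation (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny), written to make the asker's results reproducible offline. The region, account ID, thing names and request contexts are constructed; in particular, the context dictionaries are assumptions about which keys a given call path provides, and the model treats an unresolvable variable as "statement does not match", which is what turns into a ForbiddenException at the API.

```python
import re
from typing import Optional

# ${key} policy-variable syntax as used in IAM/IoT policies.
VAR_RE = re.compile(r"\$\{([^}]+)\}")


def substitute(pattern: str, context: dict) -> Optional[str]:
    """Replace ${key} variables in a Resource ARN from the request context.

    Returns None when a referenced key is absent from the context: the
    statement can then never match, which is the model of the
    ForbiddenException the asker saw when the variable was not available.
    """
    missing = False

    def repl(m: re.Match) -> str:
        nonlocal missing
        key = m.group(1)
        if key not in context:
            missing = True
            return ""
        return context[key]

    out = VAR_RE.sub(repl, pattern)
    return None if missing else out


def arn_like(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def evaluate(statements: list, action: str, resource: str, context: dict) -> str:
    """Return 'Allow' or 'Deny' for one request against a list of statements.
    Explicit Deny wins; any matching Allow grants; otherwise implicit deny."""
    decision = "Deny"
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        # Action names are case-insensitive in IAM.
        if not any(arn_like(a.lower(), action.lower()) for a in actions):
            continue
        matched = False
        for r in resources:
            concrete = substitute(r, context)
            if concrete is not None and arn_like(concrete, resource):
                matched = True
                break
        if not matched:
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed identifiers for the demonstration.
REGION, ACCOUNT = "us-east-1", "123456789012"
THING_VAR = "${iot:Connection.Thing.ThingName}"  # the variable the asker tried
CTX_KEY = "iot:Connection.Thing.ThingName"


def thing_arn(name: str) -> str:
    return "arn:aws:iot:%s:%s:thing/%s" % (REGION, ACCOUNT, name)


SHADOW_ACTIONS = ["iot:GetThingShadow", "iot:UpdateThingShadow"]


def shadow_policy(resource_suffix: str) -> list:
    """One Allow statement for shadow actions on thing/<resource_suffix>."""
    return [{
        "Effect": "Allow",
        "Action": SHADOW_ACTIONS,
        "Resource": "arn:aws:iot:%s:%s:thing/%s" % (REGION, ACCOUNT, resource_suffix),
    }]


BROAD = shadow_policy("*")              # the asker's working policy
OWN = shadow_policy(THING_VAR)          # first attempted resource
PREFIX = shadow_policy(THING_VAR + "*")  # second attempted resource


def decide(policy: list, caller: Optional[str], target: str) -> str:
    """Evaluate GetThingShadow on `target` for a caller whose thing name is in
    the context (caller=None models a call path that carries no such key)."""
    ctx = {} if caller is None else {CTX_KEY: caller}
    return evaluate(policy, "iot:GetThingShadow", thing_arn(target), ctx)


if __name__ == "__main__":
    print("thing/* , no context      :", decide(BROAD, None, "device-1"))
    print("thing/${var}, own shadow  :", decide(OWN, "device-1", "device-1"))
    print("thing/${var}, other shadow:", decide(OWN, "device-1", "device-2"))
    print("thing/${var}, key absent  :", decide(OWN, None, "device-1"))
    print("thing/${var}*, device-10  :", decide(PREFIX, "device-1", "device-10"))
```

Two things the model makes visible. First, `thing/${iot:Connection.Thing.ThingName}` only restricts access if the evaluating service actually populates that key for the request; if it does not, every attempt fails, which matches the asker's observation that all four variants were rejected rather than just some of them. Second, the `${...}*` variant is not a safe fallback even where the variable does resolve: because `*` is unanchored, device-1 would also match device-10 and device-1-backup.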
