How do you grant iot:DescribeEndpoint to a lambda?

0

How do you add an action to a default lambda role?

        // CDK v2 import paths assumed
        import * as iam from 'aws-cdk-lib/aws-iam';
        import * as nodejs from 'aws-cdk-lib/aws-lambda-nodejs';

        const p = new iam.ServicePrincipal('lambda.amazonaws.com');
        const role = new iam.Role(this, "someExecRoleID", {
            roleName: "someExecRole",
            assumedBy: p
        });
        // the attempt that produced the AccessDeniedException below
        role.grant(p, "iot:DescribeEndpoint");

        const serviceLambda = new nodejs.NodejsFunction(this, "WashnetEndpoints", {
            /* stuff deleted */
            handler: "getMqttEndpoint",
            role: role,
        });

Is this because I'm assuming the lambda.aws.com service principal?

"AccessDeniedException: User: arn:aws:sts::312345678:assumed-role/blah is not authorized to perform: iot:DescribeEndpoint because no identity-based policy allows the iot:DescribeEndpoint action",
2 Answers
1
Accepted Answer

Found the documentation (that's often the hardest part!) ... seems like resource '*' is what's required.

wz2b
answered a year ago
  • Correct! Some IoT APIs will not have resources associated with them, so * is appropriate. I use this page to map API calls to what resources can be included in IAM/IoT Policy actions.

0

Unless there is some security problem with what I did, I think I figured it out:

        import * as iam from 'aws-cdk-lib/aws-iam';

        const p = new iam.ServicePrincipal('lambda.amazonaws.com');
        const role = new iam.Role(this, "myExecRole_id", {
            roleName: "myExecRole",
            assumedBy: p
        });
        // iot:DescribeEndpoint has no resource-level permissions, so the resource is '*'
        role.attachInlinePolicy(new iam.Policy(this, 'describe-endpoint-policy', {
            statements: [new iam.PolicyStatement({
                actions: ['iot:DescribeEndpoint'],
                resources: ['*']
            })],
        }));

though I feel like the resource should be something specific to my account, like

        resources: [`arn:aws:iot:*:${this.env.account}:*`]

That, however, is not correct. The ARN service must not be 'iot'. Maybe it does not matter because the action starts with iot: but it seems like I should want to specify a more specific resource than * here?

wz2b
answered a year ago
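As an added illustration (not the asker's code and not part of aws-cdk-lib), the following models what IAM matches for the policies discussed in this answer: the inline statement with Resource "*", the account-scoped ARN variant, and the separate trust policy for the Lambda service principal. The account id is a constructed placeholder and the matcher is a deliberate simplification (Allow statements and action/resource wildcards only; real IAM also evaluates Deny, conditions, SCPs and resource policies).

```typescript
// Simplified model of IAM identity-policy matching (example only).
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

// What the accepted answer's attachInlinePolicy(...) synthesizes, as JSON.
const describeEndpointPolicy: Statement[] = [
  { Effect: "Allow", Action: ["iot:DescribeEndpoint"], Resource: ["*"] },
];

// The account-scoped variant asked about above (constructed placeholder account id).
const accountScopedPolicy: Statement[] = [
  { Effect: "Allow", Action: ["iot:DescribeEndpoint"],
    Resource: ["arn:aws:iot:*:123456789012:*"] },
];

// The trust policy is separate from the permission policy: it only decides who
// may assume the role (the Lambda service), not which API calls the role may make.
const lambdaTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole",
                Principal: { Service: "lambda.amazonaws.com" } }],
};

// IAM-style wildcard match: "*" matches any run of characters, "?" exactly one.
// Action names match case-insensitively; ARNs are compared as written.
function wildcardMatch(pattern: string, value: string, ignoreCase = false): boolean {
  const body = pattern.split("").map(c =>
    c === "*" ? ".*" : c === "?" ? "." : c.replace(/[.+^${}()|[\]\\]/, "\\$&")).join("");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

// True if some Allow statement matches both the action and the request resource.
// iot:DescribeEndpoint supports no resource-level permissions, so the request
// carries the literal resource "*", which only a policy Resource of "*" matches;
// an account-scoped ARN pattern never matches it and yields the AccessDenied
// error quoted in the question.
function isAllowed(policy: Statement[], action: string, requestResource: string): boolean {
  return policy.some(s => s.Effect === "Allow"
    && s.Action.some(a => wildcardMatch(a, action, true))
    && s.Resource.some(r => wildcardMatch(r, requestResource)));
}
```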
