In AWS IoT, IoT policies are attached to the device certificate and can optionally be inherited from IoT policies attached to the Thing Group. To validate the effective IoT policy that is applied, it is best to work backwards from the device certificate:
Specify the device certificate file name to test, and confirm the AWS region and AWS account:

```bash
export DEVICE_CRT=dd001.crt
export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
export AWS_REGION=eu-west-1
```

Compute the sha256 fingerprint using the device certificate file name:

```bash
export CERTIFICATE_ID=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in $DEVICE_CRT | cut -c 20- | tr -d : | tr A-F a-f)
export PRINCIPAL_ID=arn:aws:iot:${AWS_REGION}:${ACCOUNT_ID}:cert/${CERTIFICATE_ID}
```

Check if the certificate is registered in AWS IoT:

```bash
aws iot describe-certificate --certificate-id $CERTIFICATE_ID
```

Find the Thing attached to this certificate in AWS IoT. The command below takes the first Thing attached to the certificate; if you have more than one Thing attached to your certificate, you need to adapt the command.

```bash
export THING_NAME=$(aws iot list-principal-things --principal $PRINCIPAL_ID --query 'things[0]' --output text)
```

Retrieve the effective IoT policy for this Thing, i.e. the IoT policies attached to the certificate plus the policies inherited from Thing Groups:

```bash
aws iot get-effective-policies --thing-name $THING_NAME --principal $PRINCIPAL_ID
```

```json
{
    "effectivePolicies": [
        {
            "policyName": "E81FC...",
            "policyArn": "arn:aws:iot:eu-west-1:299807768844:policy/E81FCE....",
            "policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\":[\"iot:*\"], \"Resource\": [\"*\"] }] }"
        }
    ]
}
```

Verify that you don't have any policies inherited from Thing Groups that deny publishing.
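The two parts of the procedure that are easy to get wrong by eye are the certificate ID derivation and the final "is anything denying publish?" check over the `get-effective-policies` output. The script below is an added example, not code from the answer above or from AWS: it derives the certificate ID from a PEM file the same way the `openssl ... -fingerprint -sha256` pipeline does (SHA-256 over the DER bytes, lowercase hex), and then evaluates a saved `effectivePolicies` JSON document for a given action and resource ARN using explicit-deny-wins semantics. The certificate body, the account ID `123456789012` and the two policies (one device policy with `iot:*`, one constructed "GroupDenyPolicy" standing in for a Thing Group policy) are all constructed sample data; the evaluator is a simplification that ignores `Condition`, `NotAction` and `NotResource`, so treat its result as a triage aid, not as the authoritative AWS decision.

```python
"""Offline check of `aws iot get-effective-policies` output (added example)."""
import base64
import hashlib
import json
import re

# Constructed "certificate": the base64 body is the string "abc", not a real
# X.509 DER blob. It is enough to show that the AWS IoT certificate ID is the
# lowercase hex SHA-256 of the DER bytes, which is what the openssl pipeline
# (`-fingerprint -sha256 | cut -c 20- | tr -d : | tr A-F a-f`) computes.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed effectivePolicies document in the same shape the CLI returns.
# Account ID 123456789012 and both policy names are placeholders.
SAMPLE_EFFECTIVE_POLICIES = {
    "effectivePolicies": [
        {
            "policyName": "DevicePolicy",
            "policyArn": "arn:aws:iot:eu-west-1:123456789012:policy/DevicePolicy",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["iot:*"], "Resource": ["*"]}],
            }),
        },
        {
            # Stands in for a policy inherited from a Thing Group.
            "policyName": "GroupDenyPolicy",
            "policyArn": "arn:aws:iot:eu-west-1:123456789012:policy/GroupDenyPolicy",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": {  # a single statement may be an object, not a list
                    "Effect": "Deny",
                    "Action": "iot:Publish",
                    "Resource": "arn:aws:iot:eu-west-1:123456789012:topic/admin/*",
                },
            }),
        },
    ]
}


def certificate_id_from_pem(pem: str) -> str:
    """Return the AWS IoT certificate ID: SHA-256 of the DER bytes as lowercase hex."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    der = base64.b64decode(body)
    return hashlib.sha256(der).hexdigest()


def _as_list(value):
    """Policy fields such as Statement/Action/Resource may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags=flags) is not None


def matching_statements(effective_policies: dict, action: str, resource: str):
    """Yield (policyName, Effect) for every statement whose Action and Resource cover the request."""
    for policy in effective_policies.get("effectivePolicies", []):
        doc = json.loads(policy["policyDocument"])  # policyDocument is a JSON string
        for stmt in _as_list(doc.get("Statement", [])):
            # Action names are case-insensitive in IAM; resource ARNs are not.
            action_hit = any(_wildcard_match(a, action, ignore_case=True)
                             for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_wildcard_match(r, resource)
                               for r in _as_list(stmt.get("Resource", [])))
            if action_hit and resource_hit:
                yield policy["policyName"], stmt.get("Effect")


def decide(effective_policies: dict, action: str, resource: str) -> str:
    """'DENY' if any explicit Deny matches, 'ALLOW' if an Allow matches, else 'IMPLICIT_DENY'."""
    effects = [effect for _, effect in matching_statements(effective_policies, action, resource)]
    if "Deny" in effects:
        return "DENY"
    if "Allow" in effects:
        return "ALLOW"
    return "IMPLICIT_DENY"


def denying_policies(effective_policies: dict, action: str, resource: str) -> list:
    """Names of the policies (e.g. ones inherited from a Thing Group) that explicitly deny the request."""
    return sorted({name for name, effect in matching_statements(effective_policies, action, resource)
                   if effect == "Deny"})


if __name__ == "__main__":
    account = "123456789012"
    print("certificate id:", certificate_id_from_pem(SAMPLE_PEM))
    for topic in ("sensors/dd001", "admin/reboot"):
        arn = f"arn:aws:iot:eu-west-1:{account}:topic/{topic}"
        verdict = decide(SAMPLE_EFFECTIVE_POLICIES, "iot:Publish", arn)
        blockers = denying_policies(SAMPLE_EFFECTIVE_POLICIES, "iot:Publish", arn)
        print(f"iot:Publish {topic}: {verdict}", f"(denied by {blockers})" if blockers else "")
```

To use it on real output, save `aws iot get-effective-policies ... > effective.json`, load that file with `json.load` in place of `SAMPLE_EFFECTIVE_POLICIES`, and pass the exact topic ARN the device publishes to; any name returned by `denying_policies` is the policy to inspect on the Thing Group side.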
Hello Jan,
Thank you so much for your answer. Indeed, it appears that the policy I gave you did not correspond to the effectivePolicies policy document I retrieved using your method. I can indeed publish to the topics indicated by the policies attached to my certificate.
If you don't mind, could you please share a document or guide on connecting to AWS IoT Core MQTT with Mosquitto? I have a problem that may be similar to yours, but my problem occurs when Mosquitto tries to connect to AWS IoT Core. I'm looking for a way to connect to it, and that document may help me in this situation.
Thank You