Open lautip opened 1 year ago
Thanks for the report.
> IoT Core allows attaching an IoT Policy to a Thing Group

Do you have any document link about this?
And can you share your CDK code that returns the error? It sounds like a limit from CloudFormation, so we need to make sure it does support this.
Doc: look for "Attach or detach a policy to or from a group." in https://docs.aws.amazon.com/iot/latest/developerguide/thing-groups.html
My code:
```ts
import { aws_iot } from 'aws-cdk-lib'; // import needed for the snippet below

// Create thing groups
const publishersThingGroup = new aws_iot.CfnThingGroup(this, "publishersThingGroup", {
  thingGroupName: 'cognienPublishers',
  thingGroupProperties: {
    thingGroupDescription: 'Members of this group will be allowed to publish on specific topics',
  },
});

// Create IoT Policy
const publishersPolicyDoc = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["iot:Publish"],
    Resource: ["*"],
  }],
};

const publishersPolicy = new aws_iot.CfnPolicy(this, 'publishersPolicy', {
  policyName: "cognienPublishersPolicy",
  policyDocument: publishersPolicyDoc,
});

// Attach policy to Group (this is the resource that fails: the principal is a thing group ARN, not a certificate)
const pubPolicyAttachment = new aws_iot.CfnPolicyPrincipalAttachment(this, "pubPolicyAttachment", {
  policyName: publishersPolicy.policyName || "",
  principal: publishersThingGroup.attrArn,
});
```
pubPolicyAttachment is throwing the error at deploy time.
As far as I know, unfortunately CloudFormation AWS::IoT::ThingPrincipalAttachment cannot attach to a ThingGroup. So we need to use the CLI or web console.
Hi @raziza, I have marked this appropriately to be taken up by the CloudFormation team. Please feel free to reach out to the CloudFormation team for inclusion of this issue by following the guidelines mentioned in their coverage roadmap.
Linking related issue: https://github.com/aws/aws-cdk/issues/18872
```java
AttachPolicyRequest attachPolicyRequest = new AttachPolicyRequest()
        .withPolicyName(policyName)
        .withTarget(createThingResult.getThingName());
awsIot.attachPolicy(attachPolicyRequest);
```

After using the above code I am facing the error below. All permissions are enabled and checked; without the SDK the policy will attach perfectly.

```
com.amazonaws.services.iot.model.InvalidRequestException: Invalid Target (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: cd9b955e-0b17-4cf1-b493-4f696e1367dd; Proxy: null)
```
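The two failures in this thread have the same root: `AWS::IoT::PolicyPrincipalAttachment` only accepts a certificate principal ("The given ARN does not represent a cert"), while the IoT `AttachPolicy` API accepts a certificate ARN or a thing group ARN as its target and rejects anything else, such as the bare thing name passed in the Java snippet ("Invalid Target"). The following is an added example, not code from the issue author or from the aws-cdk project: it classifies a target, picks the mechanism CloudFormation can actually deploy (the native resource for certificates, an `iot:AttachPolicy`/`iot:DetachPolicy` SDK call pair for thing groups), and builds the parameters for that call. The SDK-call object shape and the `"Iot"` service name mirror what `aws-cdk-lib/custom-resources`' `AwsCustomResource` expects, and the physical resource ID scheme is my own choice; both are assumptions. Cognito identity targets are deliberately left out.

```typescript
// Added example for this thread; not code from the issue author or the aws-cdk project.
// Assumptions: the SDK-call shape mirrors AwsCustomResource's SdkCall (service name "Iot",
// SDK v2 camelCase action names); the physicalResourceId scheme is my own choice.

export type PolicyTargetKind = "certificate" | "thingGroup" | "invalid";

// IoT resource ARNs: arn:<partition>:iot:<region>:<account>:cert/<id>
//                    arn:<partition>:iot:<region>:<account>:thinggroup/<name>
const IOT_TARGET_ARN = /^arn:[a-z-]+:iot:[a-z0-9-]+:\d{12}:(cert|thinggroup)\/(.+)$/;

// Classify a concrete (already resolved) target string. Thing names and thing ARNs
// are "invalid": AttachPolicy answers "Invalid Target" for them.
export function classifyPolicyTarget(target: string): PolicyTargetKind {
  const m = IOT_TARGET_ARN.exec(target);
  if (m === null) return "invalid";
  return m[1] === "cert" ? "certificate" : "thingGroup";
}

export interface AttachPolicyParams { policyName: string; target: string; }

export interface SdkCallSpec {
  service: string;            // SDK client name used by AwsCustomResource (assumed "Iot")
  action: string;             // "attachPolicy" on create, "detachPolicy" on delete
  parameters: AttachPolicyParams;
  physicalResourceId: string; // stable id so stack updates do not re-create the attachment
}

export interface ThingGroupAttachmentCalls {
  onCreate: SdkCallSpec;
  onDelete: SdkCallSpec;
  iamActions: string[];
}

// Build the create/delete calls for a thing group target. This does NOT validate the
// ARN, because in a CDK app `CfnThingGroup.attrArn` is an unresolved token at synth time.
export function thingGroupAttachmentCalls(policyName: string, thingGroupArn: string): ThingGroupAttachmentCalls {
  const parameters: AttachPolicyParams = { policyName, target: thingGroupArn };
  const physicalResourceId = `${policyName}|${thingGroupArn}`;
  return {
    onCreate: { service: "Iot", action: "attachPolicy", parameters, physicalResourceId },
    onDelete: { service: "Iot", action: "detachPolicy", parameters, physicalResourceId },
    iamActions: ["iot:AttachPolicy", "iot:DetachPolicy"],
  };
}

export type AttachmentPlan =
  | { kind: "cfnPolicyPrincipalAttachment"; props: { policyName: string; principal: string } }
  | ({ kind: "customResource" } & ThingGroupAttachmentCalls);

// Pick the mechanism CloudFormation can deploy for a concrete target, or fail early
// with the reason instead of waiting for a CREATE_FAILED at deploy time.
export function planPolicyAttachment(policyName: string, target: string): AttachmentPlan {
  switch (classifyPolicyTarget(target)) {
    case "certificate":
      // Native resource works: its principal must be a certificate ARN.
      return { kind: "cfnPolicyPrincipalAttachment", props: { policyName, principal: target } };
    case "thingGroup":
      // No native resource for groups; use the AttachPolicy API through a custom resource.
      return { kind: "customResource", ...thingGroupAttachmentCalls(policyName, target) };
    default:
      throw new Error(
        `policy target must be a certificate or thing group ARN, got "${target}" ` +
          `(a thing name is rejected by AttachPolicy with "Invalid Target")`,
      );
  }
}

// Illustrative wiring into aws-cdk-lib (not run here; `cr` API names as I know them):
//
//   import { custom_resources as cr } from "aws-cdk-lib";
//   const calls = thingGroupAttachmentCalls(publishersPolicy.policyName!, publishersThingGroup.attrArn);
//   new cr.AwsCustomResource(this, "pubPolicyAttachment", {
//     onCreate: { ...calls.onCreate, physicalResourceId: cr.PhysicalResourceId.of(calls.onCreate.physicalResourceId) },
//     onDelete: { ...calls.onDelete },
//     policy: cr.AwsCustomResourcePolicy.fromSdkCalls({ resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE }),
//   });
//
// Narrow `resources` to the policy and group ARNs once the deployment is verified.
```

Outside CDK the thing-group call is the same API the console uses: `aws iot attach-policy --policy-name cognienPublishersPolicy --target arn:aws:iot:<region>:<account>:thinggroup/cognienPublishers`; the target must be the group ARN, not the group or thing name.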
When can I expect it to be implemented in CF and CDK?
### Describe the feature

IoT Core allows attaching an IoT Policy to a Thing Group, but `CfnPolicyPrincipalAttachment` fails at deploy time if we pass the principal as `CfnThingGroup.attrArn`. The error message is:

```
12:12:40 PM | CREATE_FAILED | AWS::IoT::PolicyPrincipalAttachment | quarPolicyAttachment The given ARN does not represent a cert (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: 8018ecbf-38ff-4493-93c8-6e3a183abb0b; Proxy: null)
```

### Use Case

User wants to attach an IoT Policy to a Thing Group. One common case is to create a Quarantine group used to isolate Things with unexpected behaviour.

### Proposed Solution

`CfnPolicyPrincipalAttachment` to accept a Thing Group ARN for a Static Group.

### Other Information

No response

### Acknowledgements

### CDK version used

aws-cdk@2.85.0

### Environment details (OS name and version, etc.)

Cloud9 on Linux