aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-iot: How to attach an IoT Policy to a Thing Group #26166

Open lautip opened 1 year ago

lautip commented 1 year ago

Describe the feature

IoT Core allows attaching an IoT Policy to a Thing Group, but 'CfnPolicyPrincipalAttachment' fails at deploy time if we pass the principal as CfnThingGroup.attrArn. The error message is:

    12:12:40 PM | CREATE_FAILED | AWS::IoT::PolicyPrincipalAttachment | quarPolicyAttachment The given ARN does not represent a cert (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: 8018ecbf-38ff-4493-93c8-6e3a183abb0b; Proxy: null)

Use Case

User wants to attach an IoT Policy to a Thing Group. One common case is to create a Quarantine group used to isolate Things with unexpected behaviour.

Proposed Solution

CfnPolicyPrincipalAttachment to accept a Thing Group ARN for a Static Group.

Other Information

No response

Acknowledgements

CDK version used

aws-cdk@2.85.0

Environment details (OS name and version, etc.)

Cloud9 on Linux

pahud commented 1 year ago

Thanks for the report.

IoT Core allows to attach an IoT Policy to a Thing Group

Do you have any document link about this?

And, can you share your CDK code that returns the error? It sounds like a limit from CloudFormation, so we need to make sure it does support it.

lautip commented 1 year ago

Doc: look for "Attach or detach a policy to or from a group." in https://docs.aws.amazon.com/iot/latest/developerguide/thing-groups.html

lautip commented 1 year ago

My code:

    import { aws_iot } from 'aws-cdk-lib';

    // Create thing group
    const publishersThingGroup = new aws_iot.CfnThingGroup(this, "publishersThingGroup", {
      thingGroupName: 'cognienPublishers',
      thingGroupProperties: {
        thingGroupDescription: 'Members of this group will be allowed to publish on specific topics',
      },
    });

    // Create IoT Policy
    const publishersPolicyDoc = {
      Version: "2012-10-17",
      Statement: [{ Effect: "Allow", Action: ["iot:Publish"], Resource: ["*"] }],
    };

    const publishersPolicy = new aws_iot.CfnPolicy(this, 'publishersPolicy', {
      policyName: "cognienPublishersPolicy",
      policyDocument: publishersPolicyDoc,
    });

    // Attach policy to Group (this is the resource that fails at deploy time)
    const pubPolicyAttachment = new aws_iot.CfnPolicyPrincipalAttachment(this, "pubPolicyAttachment", {
      policyName: publishersPolicy.policyName || "",
      principal: publishersThingGroup.attrArn,
    });

pubPolicyAttachment is throwing the error at deploy time.

yamatatsu commented 1 year ago

As far as I know, unfortunately CloudFormation AWS::IoT::ThingPrincipalAttachment cannot attach to a ThingGroup. So we need to use CLI or web console.

raziza commented 1 year ago

Added a new feature request for it: here

khushail commented 1 year ago

Hi @raziza, I have marked this appropriately to be taken up by the CloudFormation team. Please feel free to reach out to the CloudFormation team for inclusion of this issue by following the guidelines mentioned in their coverage roadmap.

tim-finnigan commented 1 year ago

Linking related issue: https://github.com/aws/aws-cdk/issues/18872

PITPL-Chetan-Porwal commented 11 months ago

    import com.amazonaws.services.iot.AWSIot;
    import com.amazonaws.services.iot.model.AttachPolicyRequest;

    // AWS SDK for Java v1: attach the policy, passing the thing name as the target
    AttachPolicyRequest attachPolicyRequest = new AttachPolicyRequest()
            .withPolicyName(policyName)
            .withTarget(createThingResult.getThingName());
    awsIot.attachPolicy(attachPolicyRequest);

After using the above code I am facing the error below. All permissions are enabled, and I checked that without the SDK the policy will attach perfectly.

    com.amazonaws.services.iot.model.InvalidRequestException: Invalid Target (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: cd9b955e-0b17-4cf1-b493-4f696e1367dd; Proxy: null)
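
Since CloudFormation has no resource for this, as yamatatsu notes above, one way to keep the attachment inside a CDK or CloudFormation deployment is a Lambda-backed custom resource that calls the same iot AttachPolicy / DetachPolicy API the CLI and console use. This is an added example, not code from the aws-cdk project or from any commenter; the resource property names PolicyName and TargetArn and the injectable client are assumptions. It validates that the target is a thing-group ARN up front, since AttachPolicy's Target must be an ARN, which is also why the Java call above, passing a bare thing name, gets "Invalid Target".

```python
"""Custom-resource handler that attaches an IoT policy to a thing group.

Added example (not aws-cdk code). AWS::IoT::PolicyPrincipalAttachment only
accepts certificate principals, so the attachment is made through the iot
AttachPolicy / DetachPolicy API from a Lambda-backed custom resource. The
resource properties PolicyName and TargetArn are assumed names.
"""
import re

# AttachPolicy's Target must be an ARN; a bare thing name is rejected with
# "Invalid Target". A thing-group ARN has the form
# arn:aws:iot:<region>:<account-id>:thinggroup/<group-name>.
THING_GROUP_ARN = re.compile(
    r"^arn:aws[\w-]*:iot:[\w-]+:\d{12}:thinggroup/[\w:.-]+$")


def validate_target(target_arn: str) -> str:
    """Reject anything that is not a thing-group ARN before calling the API."""
    if not THING_GROUP_ARN.match(target_arn):
        raise ValueError(f"not a thing-group ARN: {target_arn!r}")
    return target_arn


def handle(event: dict, iot_client=None) -> dict:
    """Handle a CloudFormation custom-resource event (Create/Update/Delete).

    Returns the PhysicalResourceId the custom-resource protocol expects;
    sending the response to CloudFormation is left to the framework.
    """
    if iot_client is None:  # real deployment: boto3 is assumed available in Lambda
        import boto3
        iot_client = boto3.client("iot")
    props = event["ResourceProperties"]
    policy_name, target = props["PolicyName"], props["TargetArn"]
    physical_id = f"{policy_name}@{target}"
    req_type = event["RequestType"]
    if req_type == "Delete":
        # A Delete also follows a failed Create; if the target never validated,
        # nothing was attached, so return success and let the rollback finish.
        if THING_GROUP_ARN.match(target):
            iot_client.detach_policy(policyName=policy_name, target=target)
    elif req_type in ("Create", "Update"):
        # A changed policy/target yields a new physical id; CloudFormation then
        # sends a Delete for the old id, which detaches the previous pairing.
        iot_client.attach_policy(policyName=policy_name, target=validate_target(target))
    else:
        raise ValueError(f"unexpected RequestType {req_type!r}")
    return {"PhysicalResourceId": physical_id}
```

The Lambda also needs iot:AttachPolicy and iot:DetachPolicy in its execution role, scoped to the policy and thing group it manages.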

mateuszboryn commented 1 day ago

When can I expect it to be implemented in CF and CDK?