Updating Shadow without "Action": "iot:UpdateThingShadow" in policy

[anubhav1]

My device had following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive",
        "greengrass:Discover"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

I used the aws_iot_shadow_update() of the sdk and I am able to update the shadow successfully. How it is possible to update the shadow without without "Action": "iot:UpdateThingShadow" in policy?

[aggarw13]

Hi @anubhav1, to understand the behavior you are noticing, can you clarify the following?

• Can you confirm that the above policy is used for the device certificate that is attached to the IoT Thing resource on your AWS IoT account that you are using for the Shadow application?
• How are you noticing that the Shadow Update operation is being completed successfully? Do you notice that the update is reflected for the Thing on the AWS IoT console?

[anubhav1]

• Yes I double checked it. Above policy is used for my IoT thing. Infact it is the only Thing policy in my IoT core.
• I can see shadow metadata version changing in AWS console. And in function:

  void ShadowUpdateStatusCallback(const char *pThingName, ShadowActions_t action, Shadow_Ack_Status_t status,
                              const char *pReceivedJsonDocument, void *pContextData)

  I am getting SHADOW_ACK_ACCEPTED status. Also my callback function carDoor_callback is getting called on published delta.

    jsonStruct_t carDoor;
    carDoor.cb = carDoor_callback;
    carDoor.pData = &carDoorOpen;
    carDoor.pKey = "carDoorOpen";
    carDoor.type = SHADOW_JSON_BOOL;
    carDoor.dataLength = sizeof(carDoorOpen);

All these things are not supposed to happen.

[aggarw13]

@anubhav1. thanks for your responses and confirmation about seeing Shadow updates on the console. I am able to see the same behavior with the policy you provided.

I checked internally with the IoT Shadow service team, and received information that the iot:UpdateThingShadow policy action is only applicable for HTTP requests. For MQTT communication, as long as the policy contains the iot:Publish action, the Shadow Update/Delete/Get operations can be successfully executed by PUBLISHing to their MQTT topics.

We will look into updating the AWS documentation for IoT Core Policy Actions to clarify that the Shadow Policy actions are only applicable to HTTP requests.

[anubhav1]

I think it will be confusing for developers to have same policies behaving differently on different protocols. Also policy action names are self-explanatory. For example, iot:UpdateThingShadow is supposed to update the shadow only.

[aggarw13]

I agree that the policy action name can be confusing. Unfortunately, as the policy action has been already available, we will update the documentation to clearly mention that the Shadow Action Policies are only relevant for HTTP requests.

For example, there is already a note for the Job Execution Policy Actions (for AWS IoT Jobs service APIs) in the AWS documentation that the policies are relevant only for HTTP requests.

[anubhav1]

Alright!