aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License
987 stars 634 forks

Subscribe action failing from client with fleet provisioning specific topic resource in claim policy #1833

Closed SruthiAlajangi-AlifSemi closed 1 year ago

SruthiAlajangi-AlifSemi commented 2 years ago

I am working on a FreeRTOS-based fleet provisioning by claim application. I am using the fleet provisioning library provided in this SDK, and with this MQTT interface I could connect to AWS IoT with claim credentials. When I try to subscribe to the fleet provisioning topics, it fails if I give a specific resource in the subscribe action of the claim policy, but if I give '*' as the resource for the subscribe, publish and receive actions I can connect, subscribe, receive the certificate and private key from AWS, and also receive the name of the new thing created. Is there any other way to achieve this? Below is my claim policy, where I am giving the fleet provisioning by claim specific resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:4xxxxxxxxxx3:topic/$aws/certificates/create/*",
        "arn:aws:iot:us-west-2:4xxxxxxxxxx3:topic/$aws/provisioning-templates/fleet_provisioning_template/provision/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:us-west-2:4xxxxxxxxxx3:topicfilter/$aws/certificates/create/*",
        "arn:aws:iot:us-west-2:4xxxxxxxxxx3:topicfilter/$aws/provisioning-templates/fleet_provisioning_template/provision/*"
      ]
    }
  ]
}
paulbartell commented 2 years ago

@sruthi1209 : I updated your post to remove private details (your AWS account ID).

Could you clarify which tutorial or demo you are following?

If you are using the create-from-csr API call rather than the create API call, I believe you need to modify your policy document as follows: replace

$aws/certificates/create/*

with

$aws/certificates/create-from-csr/*

The fleet provisioning demo directory in this repository contains an Example Policy for use with the create-from-csr API call.

Another useful reference for fleet provisioning using this library is the FreeRTOS Plus AWS Fleet Provisioning Demo, particularly its DemoSetup directory, which includes a script to deploy and tear down the necessary stack (including policy docs) via CloudFormation.
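
Added example (not from the issue thread or the SDK): a small Python check that applies IAM resource-wildcard matching to the claim policy posted above against the topics the fleet provisioning library actually uses, so you can see which publish/subscribe/receive operations the policy would deny before flashing a device. The region, the account ID 123456789012 and the template name are placeholders, not the reporter's values; the topic names assume the create-from-csr flow with CBOR payloads (the format the demo in this repository uses), and `with_csr_resources` applies the policy change described in the comment above by adding a create-from-csr resource next to each create resource.

```python
import json
import re

# Placeholders (constructed for this example; not the reporter's account).
REGION = "us-west-2"
ACCOUNT = "123456789012"
TEMPLATE = "fleet_provisioning_template"

# The claim policy from the issue, with the account ID replaced by the placeholder.
CLAIM_POLICY_CREATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"], "Resource": [
            f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/certificates/create/*",
            f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/$aws/provisioning-templates/{TEMPLATE}/provision/*",
        ]},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": [
            f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/$aws/certificates/create/*",
            f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/$aws/provisioning-templates/{TEMPLATE}/provision/*",
        ]},
    ],
}


def _arn(kind, topic):
    # Subscribe is authorised on topicfilter/ ARNs; Publish and Receive on topic/ ARNs.
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{topic}"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def iam_matches(pattern, value):
    """IAM policy wildcard: '*' matches any run of characters (including '/'), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def allowed_resources(policy, action):
    """Resource patterns from every Allow statement whose Action covers `action`."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(iam_matches(a, action) for a in _as_list(stmt["Action"])):
            out.extend(_as_list(stmt["Resource"]))
    return out


def uncovered(policy, action, arns):
    """ARNs the policy does not allow for `action` (Deny statements are not modelled here)."""
    patterns = allowed_resources(policy, action)
    return [a for a in arns if not any(iam_matches(p, a) for p in patterns)]


def fleet_provisioning_arns(api="create-from-csr", fmt="cbor"):
    """ARNs for the topics the fleet provisioning flow publishes to and subscribes to."""
    cert = f"$aws/certificates/{api}/{fmt}"
    prov = f"$aws/provisioning-templates/{TEMPLATE}/provision/{fmt}"
    responses = [f"{t}/{r}" for t in (cert, prov) for r in ("accepted", "rejected")]
    return {
        "iot:Publish": [_arn("topic", t) for t in (cert, prov)],
        "iot:Subscribe": [_arn("topicfilter", t) for t in responses],
        "iot:Receive": [_arn("topic", t) for t in responses],
    }


def check_policy(policy, api="create-from-csr", fmt="cbor"):
    """Map each action to the ARNs the policy would deny for the chosen flow."""
    return {action: uncovered(policy, action, arns)
            for action, arns in fleet_provisioning_arns(api, fmt).items()}


def with_csr_resources(policy):
    """Copy of the policy with a create-from-csr resource added beside each create resource."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        res = _as_list(stmt["Resource"])
        extra = [r.replace("$aws/certificates/create/", "$aws/certificates/create-from-csr/")
                 for r in res if "$aws/certificates/create/" in r]
        if extra:
            stmt["Resource"] = res + extra
    return fixed


if __name__ == "__main__":
    print("denied with the posted policy:", json.dumps(check_policy(CLAIM_POLICY_CREATE), indent=2))
    print("denied after adding create-from-csr:", check_policy(with_csr_resources(CLAIM_POLICY_CREATE)))
```

The pattern `topic/$aws/certificates/create/*` requires the literal segment `create/`, so it never matches `create-from-csr/...`; the check reports the certificate publish topic and both of its response topics as denied, while the provisioning-template topics pass. Running the same check with `api="create"` shows the posted policy is fine for the create flow, which is why `*` appeared to "fix" it: it silently widened the claim policy to every topic instead of the handful the flow needs.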

jasonpcarroll commented 1 year ago

Closing for now. Feel free to reopen.