aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

Publish/subscribe failed with specific resource arn for AWS freeRTOS demo applications #1838

Closed SruthiAlajangi-AlifSemi closed 1 year ago

SruthiAlajangi-AlifSemi commented 1 year ago

Hi, I am using the MQTT mutual authentication demo application from the amazon-freertos SDK, which is attached here. The demo application is working successfully with the resource set to * in my AWS thing's attached policy, but if I give a specific resource for the publish & subscribe actions, both actions fail. Can anyone suggest possible ways to fix this? Topic name in my application: Alif_thing/example/topic. Below is the policy attached to my thing created on the AWS console.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect", "Resource": "*" },
    { "Effect": "Allow", "Action": "iot:Receive", "Resource": "*" },
    { "Effect": "Allow", "Action": "iot:Publish", "Resource": "arn:aws:iot:us-east-2:account-id:topic/Alif_thing/example/topic" },
    { "Effect": "Allow", "Action": "iot:Subscribe", "Resource": "arn:aws:iot:us-east-2:account-id:topicfilter/Alif_thing/example/topic" }
  ]
}
```

jasonpcarroll commented 1 year ago

Hi @sruthi1209,

For your privacy and security I have removed your account ID from your post.

The above policy is very strict (it only allows the device to subscribe and publish to one topic), though it looks like it should work for the demo in question as long as `democonfigCLIENT_IDENTIFIER "/example/topic"` evaluates to "Alif_thing/example/topic", the thing is in the us-east-2 region of your AWS account, and you are having the device connect to the us-east-2 endpoint for your account. So those would be some things to check.

Could you try setting the publish resource to "arn:aws:iot:us-east-2:account-id:topic/*" and the subscribe resource to "arn:aws:iot:us-east-2:account-id:topicfilter/*", replacing account-id with your account ID? This effectively allows the device to publish and subscribe to any topic on that account in the us-east-2 region. If that doesn't work, then one of the above issues is probably why it isn't working.

I should also mention that Amazon-FreeRTOS is deprecated, but I will try to recreate your issue on my end using the coreMQTT mutual auth demo from this repository.

Best,

Jason Carroll
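A script that checks the two conditions listed above (each resource ARN's region against the region of the endpoint the device connects to, and the resource path against the topic the demo uses), added here as an example; it is not part of the issue or of the SDK. It assumes the demo subscribes with the exact topic name as its filter, and the endpoint hostname, account id (123456789012) and policy are constructed sample values mirroring the issue.

```python
import json
import re
# Constructed sample: the issue's policy with the account id replaced by a placeholder.
SAMPLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": "iot:Connect", "Resource": "*" },
  { "Effect": "Allow", "Action": "iot:Receive", "Resource": "*" },
  { "Effect": "Allow", "Action": "iot:Publish",
    "Resource": "arn:aws:iot:us-east-2:123456789012:topic/Alif_thing/example/topic" },
  { "Effect": "Allow", "Action": "iot:Subscribe",
    "Resource": "arn:aws:iot:us-east-2:123456789012:topicfilter/Alif_thing/example/topic" }
] }
""")

def endpoint_region(endpoint):
    """Region encoded in an IoT data endpoint such as xxxx-ats.iot.us-east-2.amazonaws.com."""
    m = re.fullmatch(r"[\w-]+\.iot\.([a-z]{2}-[a-z]+-\d)\.amazonaws\.com", endpoint)
    if not m:
        raise ValueError(f"not an AWS IoT data endpoint: {endpoint}")
    return m.group(1)

def iam_match(pattern, value):
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def check_policy(policy, endpoint, topic):
    """Reasons iot:Publish/iot:Subscribe on `topic` via `endpoint` would be denied (empty = OK)."""
    region = endpoint_region(endpoint)
    wanted = {"iot:Publish": "topic", "iot:Subscribe": "topicfilter"}  # ARN resource type per action
    allowed = {action: False for action in wanted}
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in (a for a in actions if a in wanted):
            for res in resources:
                if res == "*":
                    allowed[action] = True
                    continue
                _, _, _, arn_region, _, resource = res.split(":", 5)
                rtype, _, path = resource.partition("/")
                if arn_region != region:
                    problems.append(f"{action}: {res} is in {arn_region}, endpoint is in {region}")
                elif rtype == wanted[action] and iam_match(path, topic):
                    allowed[action] = True
    problems += [f"{a}: no Allow for {wanted[a]}/{topic} in {region}" for a, ok in allowed.items() if not ok]
    return problems
```

Run it with the policy from the console, the endpoint from the demo configuration and the demo's topic; an empty list means the publish and subscribe resources line up with where the device actually connects.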

SruthiAlajangi-AlifSemi commented 1 year ago

Hi @jasonpcarroll,

Thanks for the response. It's working now with the specific topic policy. My endpoint is in a different region and in the policy I had given a different one; I modified this and it's working.