I am publishing messages from temperature sensor to AWS IoT Core using AWSIoTPythonSDK. When I am explicitly specifying topics as Resource in certificate policy I am getting AUTHORIZATION_ERROR in Cloudwatch
Note: PrincipleID (Certificate Name) changed for security
2020-02-22T20:03:48.371-07:00
2020-02-23 03:03:48.371 TRACEID:2a0de6c8-dd28-586e-671f-119de983b5d5 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /ERROR/ EVENT:PublishEvent TOPICNAME:topic/tSensor01/tempmon MESSAGE:PublishIn Status: AUTHORIZATION_ERROR Failure reason:AUTHORIZATION_FAILURE
@ingestionTime
1582427034767
@log
549210374177:AWSIotLogs
@logStream
a2d5c94d-f908-4e76-bd9e-3627976e8b72_549210374177_0
@message
2020-02-23 03:03:48.371 TRACEID:2a0de6c8-dd28-586e-671f-119de983b5d5 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /ERROR/ EVENT:PublishEvent TOPICNAME:topic/tSensor01/tempmon MESSAGE:PublishIn Status: AUTHORIZATION_ERROR Failure reason:AUTHORIZATION_FAILURE
Here is my certificate policy (showing only the iot:Publish) which is causing AUTHORIZATION_ERROR
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<region>:<account id>:topic/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:<region>:<account id>:topic/${iot:ClientId}/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/tempmon"
]
},
However to isolate the problem I used brute force method (not acceptable) by adding following line arn:aws:iot:::* into the policy and messages from device are getting published.
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<region>:<account id>:topic/${iot:Connection.Thing.ThingName}/*",
"arn:aws:iot:<region>:<account id>:topic/${iot:ClientId}/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/*",
"arn:aws:iot:<region>:<account id>:topic/tSensor01/tempmon",
"arn:aws:iot:<region>:<account id>:*"
]
},
Such brute force method is unaccptable and I would like to know the root cause.
Device connection works fine. So it is safe to assume that my credential information is not an issue
Following shows connection trace in Cloudwatch log
2020-02-22T20:03:48.314-07:00
2020-02-23 03:03:48.314 TRACEID:f801f2bb-147f-5c94-2e2e-7d63d7cacd26 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /INFO/ EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
@ingestionTime
1582427034767
@log
549210374177:AWSIotLogs
@logStream
a2d5c94d-f908-4e76-bd9e-3627976e8b72_549210374177_0
@message
2020-02-23 03:03:48.314 TRACEID:f801f2bb-147f-5c94-2e2e-7d63d7cacd26 PRINCIPALID:9ec115f5665XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0d7d6b7 /INFO/ EVENT:MQTT Client Connect MESSAGE:Connect Status: SUCCESS
Thanks
I was able to resolve the issue. There was no problem in the certificate policy. The issue was the argument I was passing to AWS Device SDK. I was passing topic/tSensor01/tempmon Instead when I passed tSensor01/tempmon to the SDK it resolved the issue. topic can be thought as a service and should NOT be passed to SDK