How do you set your policy to allow a device to subscribe to jobs?

0

I got my policy working for my primary app logic. It can now connect, subscribe and receive ONLY via its unique, verified ThingName. It is not allowed to publish anything.

But I'd also like to run the jobs-agent.js script from the sdk examples so I can reboot and perform other tasks. These used to work for me, but don't anymore and I have verified that it's because the jobs-agent can't subscribe to the appropriate topics. (It works again when I change the policy to "*".)

Reading the jobs-agent.js file, I see jobs are in the form "$aws/things/{thingName}/jobs/#" but nothing in the policy documentation shows how to handle this form.

How do you write a policy to allow for a device to subscribe to topics of the form $aws/things/{thingName}/jobs/#?

Cyrus
asked 5 years ago, 188 views
1 Answer
0

Nailed it. This policy grants access to my application logic (ThingName/) and the jobs in the form that aws-iot-device-sdk-js/examples/jobs-agent.js wants them ($aws/things/ThingName/jobs/).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:client/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:topicfilter/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-east-1:MYACCOUNTID:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:topic/${iot:Connection.Thing.ThingName}/*",
        "arn:aws:iot:us-east-1:MYACCOUNTID:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish"
      ],
      "Resource": [
        "arn:aws:iot:us-east-1:MYACCOUNTID:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"
      ]
    }
  ]
}
Cyrus
answered 5 years ago
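The policy above works because a `*` in an IoT policy resource ARN is a policy wildcard that matches any run of characters, so `topicfilter/$aws/things/NAME/jobs/*` matches the MQTT filter `$aws/things/NAME/jobs/#` as well as concrete filters such as `.../jobs/notify-next`. The following Python script is an added example, not code from the question, the answer or the AWS SDK: it loads the posted policy verbatim and evaluates a handful of Connect/Subscribe/Receive/Publish requests against it with a simplified model of the IAM wildcard rules (explicit Deny wins, otherwise any matching Allow grants). The thing name `myThing`, the placeholder account id, and the sample jobs topics are constructed for the demonstration; the script assumes `${iot:Connection.Thing.ThingName}` has already resolved to the thing name and does not model the MQTT connection or AWS's real authorizer.

```python
import json
import re

# The policy from the answer above, embedded verbatim.
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:us-east-1:MYACCOUNTID:client/${iot:Connection.Thing.ThingName}"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:us-east-1:MYACCOUNTID:topicfilter/${iot:Connection.Thing.ThingName}/*",
                  "arn:aws:iot:us-east-1:MYACCOUNTID:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"]},
    {"Effect": "Allow", "Action": ["iot:Receive"],
     "Resource": ["arn:aws:iot:us-east-1:MYACCOUNTID:topic/${iot:Connection.Thing.ThingName}/*",
                  "arn:aws:iot:us-east-1:MYACCOUNTID:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"]},
    {"Effect": "Allow", "Action": ["iot:Publish"],
     "Resource": ["arn:aws:iot:us-east-1:MYACCOUNTID:topic/$aws/things/${iot:Connection.Thing.ThingName}/jobs/*"]}
  ]
}
''')

REGION = "us-east-1"
ACCOUNT = "MYACCOUNTID"  # placeholder, exactly as in the posted policy
THING_VAR = "${iot:Connection.Thing.ThingName}"

# ARN resource type that each IoT action is authorized against.
RESOURCE_TYPE = {
    "iot:Connect": "client",
    "iot:Subscribe": "topicfilter",
    "iot:Receive": "topic",
    "iot:Publish": "topic",
}


def _matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters (slashes
    included), '?' matches one character, everything else is literal.
    The '$' in '$aws' and the '#' / '+' of MQTT filters are plain text here."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, target, thing_name, region=REGION, account=ACCOUNT):
    """Simplified evaluation: substitute the thing-name variable, match
    action and resource, let an explicit Deny override any Allow."""
    request_arn = f"arn:aws:iot:{region}:{account}:{RESOURCE_TYPE[action]}/{target}"
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = [r.replace(THING_VAR, thing_name) for r in _as_list(stmt["Resource"])]
        if not any(_matches(r, request_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_device(thing_name):
    """Requests a device running both the app logic and a jobs agent would
    make (sample topics constructed for this example)."""
    return {
        "connect_as_self": is_allowed(POLICY, "iot:Connect", thing_name, thing_name),
        "connect_as_other": is_allowed(POLICY, "iot:Connect", "otherThing", thing_name),
        "subscribe_app": is_allowed(POLICY, "iot:Subscribe", f"{thing_name}/commands", thing_name),
        "subscribe_jobs_wildcard": is_allowed(POLICY, "iot:Subscribe", f"$aws/things/{thing_name}/jobs/#", thing_name),
        "subscribe_other_jobs": is_allowed(POLICY, "iot:Subscribe", "$aws/things/otherThing/jobs/#", thing_name),
        "receive_app": is_allowed(POLICY, "iot:Receive", f"{thing_name}/commands/reboot", thing_name),
        "publish_app": is_allowed(POLICY, "iot:Publish", f"{thing_name}/status", thing_name),
        "publish_jobs": is_allowed(POLICY, "iot:Publish", f"$aws/things/{thing_name}/jobs/start-next", thing_name),
        # No trailing segment: 'NAME/*' does not cover the bare topic 'NAME'.
        "subscribe_bare_thing_topic": is_allowed(POLICY, "iot:Subscribe", thing_name, thing_name),
    }


if __name__ == "__main__":
    for name, ok in check_device("myThing").items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
```

The two DENY results worth noticing are `publish_app` (the device still cannot publish to its own application topics, which is the least-privilege property the question wanted to keep) and `subscribe_bare_thing_topic` (a `NAME/*` resource does not cover the topic `NAME` itself, so a filter without a trailing segment needs its own ARN). For the authoritative answer on a real account, run the same requests through the AWS IoT TestAuthorization API (`aws iot test-authorization`) with the device's certificate as the principal.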
