aws_iot_connect with policy and client_id

Hi all,

I have a custom board with a 9151. I want to use MQTT with AWS; it works and I'm able to connect to AWS, but I have a question about

aws_iot_connect()

If I want to be able to connect to AWS, I have to use a very simple policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

But if I try to use something like this

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect",
        "iot:Publish",
        "iot:Receive",
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:*******:client/TryIt",
        "arn:aws:iot:*******:topic/ABC/359404230602222/*",
        "arn:aws:iot:*******:topicfilter/ABC/359404230602222/*"
      ]
    }
  ]
}

AWS rejects me as soon as I try to connect. If I understand correctly, TryIt is my client_id, so here is what I've done in my main:

	#include <zephyr/logging/log.h>
	#include <net/aws_iot.h>

	LOG_MODULE_REGISTER(app, LOG_LEVEL_INF);

	int err;

	LOG_INF("Connecting to AWS IoT");

	/* The client ID must match the client/<id> resource allowed by the policy. */
	struct aws_iot_config config = {
		.client_id = "TryIt"
	};

	err = aws_iot_connect(&config);
	if (err) {
		LOG_ERR("aws_iot_connect, error: %d", err);
	}

What have I missed?

  • Hi,

    Is your application based on any of our samples?

    Can you provide complete log which shows the rejection from AWS?

    Best regards,
    Dejan

  • Hi,

    Yes, my source code is based on https://devzone.nordicsemi.com/guides/cellular-iot-guides/b/software-and-protocols/posts/connecting-to-aws-cloud-services-using-the-nrf9160

    So here is the log output after calling aws_iot_connect():

    AWS_IOT_EVT_DISCONNECTED
    [00:04:59.030,700] <err> mqtt_helper: Cloud MQTT input error: -128
    [00:05:26.609,771] <err> aws_iot: Timed out waiting for subscription acknowledgments
    [00:05:26.609,863] <err> mqtt_helper: Library is in the wrong state (MQTT_STATE_DISCONNECTED), MQTT_STATE_CONNECTED required
    [00:05:26.609,863] <err> aws_iot: mqtt_helper_disconnect, error: -95
    [00:05:26.609,893] <err> aws_iot_connect, error: -11

    And my policy for the test (can publish and subscribe on all topics in datas/top/*): I use ${iot:Connection.Thing.ThingName} for the connect rule, so in my config I set

    	#include <zephyr/logging/log.h>
    	#include <net/aws_iot.h>

    	LOG_MODULE_REGISTER(app, LOG_LEVEL_INF);

    	int err;

    	LOG_INF("Connecting to AWS IoT");

    	/* XXXX is the thing name, so it matches client/${iot:Connection.Thing.ThingName} in the policy. */
    	struct aws_iot_config config = {
    		.client_id = "XXXX"
    	};

    	err = aws_iot_connect(&config);
    	if (err) {
    		LOG_ERR("aws_iot_connect, error: %d", err);
    	}

    Where XXXX is equal to my object name in AWS IoT Core.

    My JSON policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iot:Connect"
          ],
          "Resource": [
            "arn:aws:iot:eu-west-3:876997124557:client/${iot:Connection.Thing.ThingName}"
          ],
          "Condition": {
            "Bool": {
              "iot:Connection.Thing.IsAttached": "true"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Publish"
          ],
          "Resource": [
            "arn:aws:iot:eu-west-3:XXXX:topic/datas/top/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Subscribe"
          ],
          "Resource": [
            "arn:aws:iot:eu-west-3:XXXX:topicfilter/datas/top/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iot:Receive"
          ],
          "Resource": [
            "arn:aws:iot:eu-west-3:XXXX:topic/datas/top/*"
          ]
        }
      ]
    }

    I don't know if the problem is coming from the JSON policy or the certs. The only way for me to log in is to use a permissive policy with

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iot:*",
          "Resource": "*"
        }
      ]
    }

  • Hi,

    You could first double-check that your policy matches your subscribe/publish requests. Afterwards you should subscribe to AWS IoT lifecycle events to find out the disconnection cause.

    Best regards,
    Dejan
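
One way to do the first check from the reply above, as an added example that is not code from the thread or from the nRF Connect SDK: a small Python evaluator that applies a scoped policy of the same shape as the one posted (with the ${iot:Connection.Thing.ThingName} variable and the IsAttached condition) to every request a session will make, so a request AWS IoT would refuse shows up before the broker drops the connection. The account id, thing name and topics are constructed; the device-shadow topic stands in for any subscription the firmware makes outside datas/top/*.

```python
import re

# Constructed policy with the shape of the thread's scoped policy (placeholder account id).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:eu-west-3:123456789012:client/${iot:Connection.Thing.ThingName}"],
     "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}}},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": ["arn:aws:iot:eu-west-3:123456789012:topic/datas/top/*"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:eu-west-3:123456789012:topicfilter/datas/top/*"]}]}

def _matches(pattern, value, ctx):
    # Expand ${...} policy variables from the connection context, then full-match with IAM-style
    # wildcards ('*' = any run of characters, '/' included; '?' = one character).
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", str(val))
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*").replace(r"\?", "."), value) is not None

def evaluate(policy, action, arn, ctx):
    # Explicit Deny wins, any matching Allow allows, otherwise the request is implicitly denied.
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        bools = stmt.get("Condition", {}).get("Bool", {})  # only the Bool operator is modelled
        if (any(_matches(a, action, ctx) for a in actions)
                and any(_matches(r, arn, ctx) for r in resources)
                and all(str(ctx.get(k, "")).lower() == str(v).lower() for k, v in bools.items())):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def check_session(policy, region, account, ctx, client_id, subscribes, publishes):
    # Evaluate every request a session makes, so an out-of-scope subscribe is caught here
    # rather than surfacing as a broker-side disconnect with no SUBACK.
    base = f"arn:aws:iot:{region}:{account}:"
    out = {("Connect", client_id): evaluate(policy, "iot:Connect", base + "client/" + client_id, ctx)}
    for f in subscribes:
        out[("Subscribe", f)] = evaluate(policy, "iot:Subscribe", base + "topicfilter/" + f, ctx)
    for t in publishes:
        out[("Publish", t)] = evaluate(policy, "iot:Publish", base + "topic/" + t, ctx)
    return out

def demo():
    # Constructed session: thing name equals client id, certificate attached, plus one subscription
    # outside datas/top/* (a device-shadow topic) so a single out-of-scope request is visible.
    ctx = {"iot:Connection.Thing.ThingName": "my-thing", "iot:Connection.Thing.IsAttached": True}
    return check_session(POLICY, "eu-west-3", "123456789012", ctx, "my-thing",
                         ["datas/top/cmd", "$aws/things/my-thing/shadow/get/accepted"], ["datas/top/telemetry"])
```

Calling demo() yields Allow for Connect, the datas/top subscribe and the publish, and Deny only for the shadow subscription; feed check_session the real thing name and the exact topics the firmware subscribes to and publishes on to find which request the scoped policy does not cover.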
