Documentation for IAM states that the Resource property for AttachUserPolicy and DetachUserPolicy should be set to the user principal the managed policy will be attached to. While the documentation for iot:AttachPrincipalPolicy and iot:DetachPrincipalPolicy is not as detailed, the error message
AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/ROLE/CognitoIdentityCredentials is not authorized to perform: iot:AttachPrincipalPolicy on resource: COGNITO_ID
leads me to believe it expects an ARN for a Cognito identity or identity pool. However, specifying the ARNs shown in the Cognito documentation results in the same error. Cognito identity ARNs also fail validation in the policy generator.
What resource should I specify so that iot:AttachPrincipalPolicy and iot:DetachPrincipalPolicy are permitted to attach/detach IoT policies on a Cognito identity?
Using Cognito identities with AWS IoT has two slightly different paths. Cognito identity pools support identities which are either unauthenticated (any agent can get credentials) or authenticated (users tied to a provider like Cognito User Pools, Facebook, OpenID, etc.). AWS IoT supports both cases when using Cognito to get credentials.
When using the unauthenticated case, you must attach a policy to the cognito_unauth_role that gets created with your Cognito identity pool. The Identity Access & Management (IAM) console is where you attach a policy to this role. To get started, try attaching the managed policy "AWSIoTDataAccess". Then, your unauthenticated Cognito IDs can get credentials (access key, secret key, session token) which are passed to AWS IoT to establish a connection.
When using the authenticated case, you must attach a policy to the cognito_auth_role that gets created with your Cognito identity pool AND the Cognito ID which is created for each authenticated entity. The AWS IoT API AttachPrincipalPolicy is what you use to attach an AWS IoT policy to the Cognito ID. The format of that API call in the CLI would be like:
aws iot attach-principal-policy --policy-name myPolicy --principal us-east-1:abcd1234-5678-1234-abcd1234efgh
The principal in this case is the Cognito ID of the authenticated entity. Only with both policies in place will the credentials returned by Cognito work to make connections to AWS IoT.
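The attach step from the answer above, wrapped so it can be re-run safely and confirmed afterwards; this is an added example, not part of the original answer. The function names `iot_policies_for` and `ensure_iot_policy` are hypothetical, and the script assumes the AWS CLI is configured with credentials allowed to call `iot:ListPrincipalPolicies` and `iot:AttachPrincipalPolicy`.

```bash
#!/usr/bin/env bash
# Added example: idempotently attach an AWS IoT policy to an authenticated
# Cognito identity, then confirm the attachment is visible to AWS IoT.

# Print the names of the IoT policies attached to principal $1, one per line.
iot_policies_for() {
    aws iot list-principal-policies --principal "$1" \
        --query 'policies[].policyName' --output text | tr '\t' '\n'
}

# Attach IoT policy $1 to Cognito identity ID $2 unless it is already attached.
# Returns 0 when the policy is attached, 1 when the attach call or the
# follow-up check fails, 2 when $2 is not in "<region>:<id>" form.
ensure_iot_policy() {
    local policy="$1" principal="$2"

    # For a Cognito identity the principal is the bare identity ID
    # ("<region>:<id>"), as in the answer above, not an ARN.
    case "$principal" in
        arn:*) echo "principal must be a Cognito identity ID, not an ARN" >&2
               return 2 ;;
        *:*)   ;;
        *)     echo "principal must look like <region>:<id>" >&2
               return 2 ;;
    esac

    # Nothing to do when the policy is already attached to this identity.
    if iot_policies_for "$principal" | grep -Fxq -- "$policy"; then
        echo "policy $policy already attached to $principal"
        return 0
    fi

    aws iot attach-principal-policy \
        --policy-name "$policy" --principal "$principal" || return 1

    # Read the attachment back rather than trusting the exit status alone.
    iot_policies_for "$principal" | grep -Fxq -- "$policy" || return 1
    echo "policy $policy attached to $principal"
}
```

Call it as `ensure_iot_policy myPolicy "$COGNITO_ID"`, where `COGNITO_ID` holds the identity ID of the authenticated entity; the policy on cognito_auth_role is still required separately.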