aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code

Home Page:https://aws.amazon.com/cdk


aws-iot: How to attach an IoT Policy to a Thing Group

lautip opened this issue · comments

Describe the feature

IoT Core allows attaching an IoT Policy to a Thing Group, but 'CfnPolicyPrincipalAttachment' fails at deploy time if we pass the principal as CfnThingGroup.attrArn.
The error message is:
    12:12:40 PM | CREATE_FAILED | AWS::IoT::PolicyPrincipalAttachment | quarPolicyAttachment
    The given ARN does not represent a cert (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: 8018ecbf-38ff-4493-93c8-6e3a183abb0b; Proxy: null)

Use Case

User wants to attach an IoT Policy to a Thing Group.
One common case is to create a Quarantine group used to isolate Things with unexpected behaviour.

Proposed Solution

CfnPolicyPrincipalAttachment to accept a Thing Group ARN for a Static Group.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

aws-cdk@2.85.0

Environment details (OS name and version, etc.)

Cloud9 on Linux

Thanks for the report.

IoT Core allows attaching an IoT Policy to a Thing Group

Do you have any document link about this?

And, can you share your CDK code that returns the error? It sounds like a limitation on the CloudFormation side, so we need to make sure it is supported.

Doc:
look for "Attach or detach a policy to or from a group." in https://docs.aws.amazon.com/iot/latest/developerguide/thing-groups.html

My code:

```ts
import { aws_iot } from 'aws-cdk-lib';

// (inside the Stack constructor, so `this` is the stack scope)

// Create thing groups
const publishersThingGroup = new aws_iot.CfnThingGroup(this, "publishersThingGroup", {
  thingGroupName: 'cognienPublishers',
  thingGroupProperties: { thingGroupDescription: 'Members of this group will be allowed to publish on specific topics' },
});

// Create IoT Policy
const publishersPolicyDoc = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: [
      "iot:Publish"
    ],
    Resource: [ "*" ]
  }]
};

const publishersPolicy = new aws_iot.CfnPolicy(this, 'publishersPolicy', {
  policyName: "cognienPublishersPolicy",
  policyDocument: publishersPolicyDoc,
});

// Attach policy to Group
// The principal is the thing group ARN; this is the resource that fails at deploy time.
const pubPolicyAttachment = new aws_iot.CfnPolicyPrincipalAttachment(this, "pubPolicyAttachment", {
  policyName: publishersPolicy.policyName || "",
  principal: publishersThingGroup.attrArn,
});
```

pubPolicyAttachment is throwing the error at deploy time.

As far as I know, unfortunately CloudFormation AWS::IoT::ThingPrincipalAttachment cannot attach to a ThingGroup. So we need to use CLI or web console.
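The error text ("The given ARN does not represent a cert") is the key: AWS::IoT::PolicyPrincipalAttachment maps to the legacy AttachPrincipalPolicy API, whose principal is a certificate ARN or a Cognito identity, while attaching a policy to a thing group goes through iot:AttachPolicy with a `target`. The usual way to do that from a CDK stack is to call the API directly with an `AwsCustomResource`. The block below is an added example, not code from the issue or from the aws-cdk project: it validates the target ARN, builds the `onCreate`/`onDelete` SDK-call descriptors (as plain objects mirroring the `AwsSdkCall` shape, so it runs without the CDK library installed), and produces the explicit-Deny quarantine policy for the use case in the issue. The `${Token[...]}` passthrough stands in for CDK's `Token.isUnresolved`, since `CfnThingGroup.attrArn` is an unresolved token at synth time; the policy and group names are made up for the example.

```typescript
// Added example (not from the issue or the aws-cdk project): descriptors for
// attaching an IoT policy to a thing group through iot:AttachPolicy, the API
// that accepts thing group ARNs as a target. These are meant to be passed as
// `onCreate` / `onDelete` of an AwsCustomResource (aws-cdk-lib/custom-resources);
// that wiring is described in prose and not executed here.

export type IotTargetKind = "thinggroup" | "cert";

export interface IotTarget {
  kind: IotTargetKind;
  region: string;
  account: string;
  name: string; // thing group name or certificate id
}

// Parse an IoT ARN and make sure it is something a policy can be attached to.
// Things (`thing/...`) are rejected on purpose: policies attach to principals
// (certificates, Cognito identities) and to thing groups, never to a Thing.
export function parseIotPolicyTarget(arn: string): IotTarget {
  const m = /^arn:aws(?:-[a-z]+)?:iot:([a-z0-9-]+):(\d{12}):(thinggroup|cert|thing)\/(.+)$/.exec(arn);
  if (!m) {
    throw new Error(`not an IoT thing group or certificate ARN: ${arn}`);
  }
  const [, region = "", account = "", kind = "", name = ""] = m;
  if (kind === "thing") {
    throw new Error(`policies cannot be attached to a Thing; use its certificate or a thing group: ${arn}`);
  }
  return { kind: kind as IotTargetKind, region, account, name };
}

// CDK string tokens render as "${Token[...]}" before deployment; the real
// check is Token.isUnresolved(), this string test is a stand-in for the example.
export function isUnresolvedToken(value: string): boolean {
  return value.includes("${Token[");
}

// Plain-object mirror of the AwsSdkCall shape AwsCustomResource expects
// (service, action, parameters, physicalResourceId). In the stack, wrap
// physicalResourceId with PhysicalResourceId.of(...).
export interface SdkCall {
  service: "IoT";
  action: "attachPolicy" | "detachPolicy";
  parameters: { policyName: string; target: string };
  physicalResourceId: string;
}

export function iotPolicyAttachmentCalls(
  policyName: string,
  targetArn: string,
): { onCreate: SdkCall; onDelete: SdkCall } {
  // Only validate literal ARNs; a token from CfnThingGroup.attrArn resolves at deploy time.
  if (!isUnresolvedToken(targetArn)) {
    parseIotPolicyTarget(targetArn);
  }
  // Stable id tied to both sides, so CloudFormation replaces the attachment
  // (detach old, attach new) if the policy or the target changes.
  const physicalResourceId = `${policyName}@${targetArn}`;
  const parameters = { policyName, target: targetArn };
  return {
    onCreate: { service: "IoT", action: "attachPolicy", parameters, physicalResourceId },
    onDelete: { service: "IoT", action: "detachPolicy", parameters, physicalResourceId },
  };
}

// Quarantine policy for the use case in the issue: an explicit Deny on every
// IoT action. In IoT Core an explicit Deny overrides any Allow from the
// device's other policies, so moving a device into the quarantine group cuts
// it off without touching the policies on its certificate.
export function quarantinePolicyDocument() {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Deny", Action: ["iot:*"], Resource: ["*"] }],
  };
}
```

In the stack, hand the two descriptors to `new AwsCustomResource(...)` as `onCreate` and `onDelete`, give it a `policy` from `AwsCustomResourcePolicy.fromSdkCalls(...)`, and add `node.addDependency` on both the `CfnPolicy` and the `CfnThingGroup` so the attachment is created after them and detached before they are deleted. Prefer naming the policy and group ARNs in `resources` over `ANY_RESOURCE` so the custom resource's Lambda role holds the least privilege it needs. Note that the `onDelete` call is what keeps a stack deletion from failing: an IoT policy cannot be deleted while it is still attached to a target.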


Added a new feature request for it: here

Hi @raziza , I have marked this appropriately to be taken up by the CloudFormation team. Please feel free to reach out to the CloudFormation team for inclusion of this issue by following the guidelines mentioned in their coverage roadmap.