aws-iot: How to attach an IoT Policy to a Thing Group
lautip opened this issue
Describe the feature
IoT Core allows attaching an IoT Policy to a Thing Group, but 'CfnPolicyPrincipalAttachment' fails at deploy time if we pass the principal as CfnThingGroup.attrArn.
The error message is:
12:12:40 PM | CREATE_FAILED | AWS::IoT::PolicyPrincipalAttachment | quarPolicyAttachment
The given ARN does not represent a cert (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: 8018ecbf-38ff-4493-93c8-6e3a183abb0b; Proxy: null)
Use Case
User wants to attach an IoT Policy to a Thing Group.
One common case is to create a Quarantine group used to isolate Things with unexpected behaviour.
Proposed Solution
CfnPolicyPrincipalAttachment to accept a Thing Group ARN for a Static Group.
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
aws-cdk@2.85.0
Environment details (OS name and version, etc.)
Cloud9 on Linux
Thanks for the report.
IoT Core allows attaching an IoT Policy to a Thing Group
Do you have any document link about this?
And, can you share your CDK code that returns the error? It sounds like a limitation of CloudFormation, so we need to make sure it does support it.
Doc:
look for "Attach or detach a policy to or from a group." in https://docs.aws.amazon.com/iot/latest/developerguide/thing-groups.html
My code:
```typescript
import { Stack, StackProps, aws_iot } from 'aws-cdk-lib';
import { Construct } from 'constructs';

// Stack wrapper added so the snippet compiles on its own; the class name is a placeholder.
export class PublishersStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Create thing groups
    const publishersThingGroup = new aws_iot.CfnThingGroup(this, "publishersThingGroup", {
      thingGroupName: 'cognienPublishers',
      thingGroupProperties: { thingGroupDescription: 'Members of this group will be allowed to publish on specific topics' },
    });

    // Create IoT Policy
    const publishersPolicyDoc = {
      Version: "2012-10-17",
      Statement: [{
        Effect: "Allow",
        Action: [
          "iot:Publish"
        ],
        Resource: [ "*" ]
      }]
    };
    const publishersPolicy = new aws_iot.CfnPolicy(this, 'publishersPolicy', {
      policyName: "cognienPublishersPolicy",
      policyDocument: publishersPolicyDoc,
    });

    // Attach policy to Group: the principal passed here is the thing group ARN,
    // and this is the resource that fails at deploy time
    const pubPolicyAttachment = new aws_iot.CfnPolicyPrincipalAttachment(this, "pubPolicyAttachment", {
      policyName: publishersPolicy.policyName || "",
      principal: publishersThingGroup.attrArn,
    });
  }
}
```
pubPolicyAttachment is throwing the error at deploy time.
As far as I know, unfortunately CloudFormation AWS::IoT::ThingPrincipalAttachment
cannot attach to a ThingGroup. So we need to use CLI or web console.
Hi @raziza , I have marked this appropriately to be taken up by the CloudFormation team. Please feel free to reach out to the CloudFormation
team for inclusion of this issue by following the guidelines mentioned in their coverage roadmap.
Linking related issue: #18872
```java
import com.amazonaws.services.iot.AWSIot;
import com.amazonaws.services.iot.model.AttachPolicyRequest;

// Build the AttachPolicy request; the target here is given as the thing name
AttachPolicyRequest attachPolicyRequest = new AttachPolicyRequest()
        .withPolicyName(policyName)
        .withTarget(createThingResult.getThingName());
awsIot.attachPolicy(attachPolicyRequest);
```
After using the above code I am facing the error below. All permissions are enabled, and I checked that without the SDK the policy attaches perfectly.
com.amazonaws.services.iot.model.InvalidRequestException: Invalid Target (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: cd9b955e-0b17-4cf1-b493-4f696e1367dd; Proxy: null)
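The thread points at the CLI (or console) as the way to attach a policy to a thing group, and the SDK snippet above calls the same AttachPolicy API. What follows is an added example, not code from the issue or from the CDK project: a small POSIX shell wrapper around `aws iot attach-policy` that only ever passes a thing group ARN as `--target` (the API's target is an ARN, either a certificate or a thing group, which is why `AWS::IoT::PolicyPrincipalAttachment` rejects the group ARN as "not a cert" and why a bare name is rejected as "Invalid Target"). The helper names (`thing_group_arn`, `is_thing_group_arn`, `attach_policy_to_group`, `detach_policy_from_group`, `verify_attachment`) are my own, and the policy/group names and account id are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the issue thread or the CDK project): attach an IoT
# policy to a thing group with the AWS CLI. Helper names are my own; policy and
# group names and the account id are constructed placeholders.

# Build a thing group ARN from region, account and name (partition defaults
# to "aws"). Useful when the group was created by CloudFormation and only its
# name is known.
thing_group_arn() {
    printf 'arn:%s:iot:%s:%s:thinggroup/%s\n' "${4:-aws}" "$1" "$2" "$3"
}

# Return 0 only for a well-formed IoT thing group ARN. A certificate ARN
# (what AWS::IoT::PolicyPrincipalAttachment expects) or a plain name returns 1.
is_thing_group_arn() {
    case "$1" in
        arn:*:iot:*:*:thinggroup/?*) ;;
        *) return 1 ;;
    esac
    # An ARN has exactly six colon-separated fields; reject extra colons.
    rest=$1
    n=1
    while [ "${rest#*:}" != "$rest" ]; do
        rest=${rest#*:}
        n=$((n + 1))
    done
    [ "$n" -eq 6 ]
}

# Attach the named policy to the thing group. Validation runs first so a wrong
# target never reaches the API; on a valid target the exit code is the CLI's.
attach_policy_to_group() {
    policy_name=$1
    target_arn=$2
    if ! is_thing_group_arn "$target_arn"; then
        echo "refusing to attach '$policy_name': '$target_arn' is not a thing group ARN" >&2
        return 2
    fi
    aws iot attach-policy --policy-name "$policy_name" --target "$target_arn"
}

# Reverse operation, e.g. when retiring a quarantine group's policy.
detach_policy_from_group() {
    is_thing_group_arn "$2" || return 2
    aws iot detach-policy --policy-name "$1" --target "$2"
}

# Confirm the attachment: the group ARN must be listed among the policy's targets.
verify_attachment() {
    aws iot list-targets-for-policy --policy-name "$1" --query 'targets' --output text \
        | grep -F -q -- "$2"
}

# Usage when saved as a script (constructed placeholder values):
#   sh attach_group_policy.sh quarantinePolicy \
#       "$(thing_group_arn us-east-1 123456789012 quarantine)"
if [ "$#" -eq 2 ]; then
    attach_policy_to_group "$1" "$2" && verify_attachment "$1" "$2"
fi
```

The validation step is deliberately strict: a certificate ARN is a valid AttachPolicy target in general, but passing one here would silently attach the policy to a single device instead of the group, so the wrapper refuses anything that is not a thing group ARN.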