Robby

Reputation: 391

AWS IOT - Credential should be scoped to correct service

I am trying to access a simple AWS IOT REST service but I have not been able to do so successfully yet. Here is what I did.

  1. I created an IAM user in my AWS and downloaded the access key and secret key
  2. Logged into AWS IOT with that user and created a "thing"
  3. From the thing's property I found the REST URL for the shadow
  4. Used Postman with the new "aws signature" feature and provided it with the access key, secret key, region (us-east-1) and service name (iot)
  5. Tried to "GET" the endpoint and this is what I got -

    { "message": "Credential should be scoped to correct service. ", "traceId": "be056198-d202-455f-ab85-805defd1260d" }

  6. I thought there is something wrong with Postman so I tried using aws-sdk-sample example of connecting to S3 and changed it to connect to the IOT URL. Here is my program snippet (Java)

    String awsAccessKey = "fasfasfasdfsdafs";
    String awsSecretKey = "asdfasdfasfasdfasdfasdf/asdfsdafsd/fsdafasdf";
    
    URL  endpointUrl = null;
    String regionName = "us-east-1";
    try {
        endpointUrl = new URL("https://dasfsdfasdf.iot.us-east-1.amazonaws.com/things/SOMETHING/shadow");
    }catch (Exception e){
        e.printStackTrace();
    }
    Map<String, String> headers = new HashMap<String, String>();
    headers.put("x-amz-content-sha256", AWSSignerBase.EMPTY_BODY_SHA256);
    
    AWSSignerForAuthorizationHeader signer = new AWSSignerForAuthorizationHeader(
            endpointUrl, "GET", "iot", regionName);
    String authorization = signer.computeSignature(headers,
            null, // no query parameters
            AWSSignerBase.EMPTY_BODY_SHA256,
            awsAccessKey,
            awsSecretKey);
    
    // place the computed signature into a formatted 'Authorization' header
    // and call S3
    headers.put("Authorization", authorization);
    String response = HttpUtils.invokeHttpRequest(endpointUrl, "GET", headers, null);
    System.out.println("--------- Response content ---------");
    System.out.println(response);
    System.out.println("------------------------------------");
    

This gives me the same error -

    --------- Request headers ---------
    x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    Authorization: AWS4-HMAC-SHA256 Credential=fasfasfasdfsdafs/20160212/us-east-1/iot/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=3b2194051a8dde8fe617219c78c2a79b77ec92338028e9e917a74e8307f4e914
    x-amz-date: 20160212T182525Z
    Host: dasfsdfasdf.iot.us-east-1.amazonaws.com
    --------- Response content ---------
    {"message":"Credential should be scoped to correct service. ","traceId":"cd3e0d96-82fa-4da5-a4e1-b736af6c5e34"}
    ------------------------------------

Can someone tell me what I am doing wrong please? AWS documentation does not have much information on this error. Please help.

Upvotes: 23

Views: 25990

Answers (4)

Alok Singh

Reputation: 508

In your 4th step, don't fill anything for Service Name. Postman will default the value with execute-api.

Hope this works!

Upvotes: 3

kartick shaw

Reputation: 1013

It's basically because the service name is not given correctly; you can use Service Name = 'iotdata' instead of iot.

If you use Key Management, then the Service Name would be kms. For EC2, the Service Name would be ec2, etc.

Upvotes: 0

Firas Al Mannaa

Reputation: 926

Sign your request with iotdata instead of iot.
Example:

    AWSSignerForAuthorizationHeader signer = new AWSSignerForAuthorizationHeader(
        endpointUrl, "GET", "iotdata", regionName);

Upvotes: 21
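
An added example (not part of any answer here, and not AWS SDK code) of how Signature Version 4 binds the service name into both the credential scope and the signing key, so the same request signed as iot and as iotdata carries a different scope and a different signature. The access key and secret key are constructed placeholders; the host, path and timestamp are the ones shown in the question.

```python
import hashlib
import hmac

# Constructed placeholders; host, path and timestamp are taken from the question.
ACCESS_KEY = "EXAMPLE_ACCESS_KEY"
SECRET_KEY = "EXAMPLE_SECRET_KEY"
HOST = "dasfsdfasdf.iot.us-east-1.amazonaws.com"
PATH = "/things/SOMETHING/shadow"
AMZ_DATE = "20160212T182525Z"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def credential_scope(amz_date: str, region: str, service: str) -> str:
    # date/region/service/aws4_request: the service is part of the scope
    return f"{amz_date[:8]}/{region}/{service}/aws4_request"

def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # Each scope component is chained into the key, so a key derived for
    # "iot" cannot produce a signature that verifies under "iotdata".
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")

def authorization_header(service: str, region: str = "us-east-1") -> str:
    """SigV4 header for GET PATH with an empty body and no query string."""
    headers = {"host": HOST, "x-amz-content-sha256": EMPTY_BODY_SHA256,
               "x-amz-date": AMZ_DATE}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["GET", PATH, "", canonical_headers, signed, EMPTY_BODY_SHA256])
    scope = credential_scope(AMZ_DATE, region, service)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", AMZ_DATE, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = signing_key(SECRET_KEY, AMZ_DATE[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")

if __name__ == "__main__":
    for service in ("iot", "iotdata"):  # service names from the question and answers
        print(f"{service:8s}{authorization_header(service)}")
```

When debugging this error, compare the Credential field of the Authorization header you actually sent against the service name the endpoint expects; the hostname alone (here containing "iot") does not tell you the signing name.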

gboda

Reputation: 1494

Use the AWS IoT SDK for Node.js instead. Download the IoT Console generated private key and client cert as well as the CA Root cert from here. Start with the scripts in the examples directory.

Upvotes: -4
