Dalton Cézane

Reputation: 3782

AWS-IoT: Access denied exception when calling get-registration-code

I am following the steps to register a device in AWS-IoT. I am doing the steps described by AWS to use a self-signed certificate. Step three of the tutorial gives the following command:

aws iot get-registration-code

But I am getting the following exception:

$ aws iot get-registration-code

An error occurred (AccessDeniedException) when calling the GetRegistrationCode operation: User: arn:aws:iam::xxxxxxxx:user/dalton is not authorized to perform: iot:GetRegistrationCode on resource: *

It is not clear how I can assign the right permissions. In the IAM Management Console, I assigned the following permissions to my user:

  • AWSIoTThingsRegistration
  • AWSIoTLogging
  • AWSIoTConfigAccess
  • AWSIoTRuleActions
  • AWSIoTConfigReadOnlyAccess
  • AWSQuickSightIoTAnalyticsAccess
  • AWSIoTOTAUpdate
  • AWSIoTDataAccess
  • AWSIoTFullAccess

Still without success.

Upvotes: 1

Views: 3554

Answers (1)

ddewaele

Reputation: 22603

AWSIoTFullAccess defines this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:*"
            ],
            "Resource": "*"
        }
    ]
}

So with that you will be able to execute the call according to the IAM IoT policies. When attaching a new policy it only takes a few seconds before it goes into effect on the CLI.

You need to:

  • Double check your IAM policies and ensure that the user running the CLI is indeed using the AWS credentials (key and secret) that match the IAM user that has AWSIoTFullAccess.
  • Double check the AWS account number if you're using multiple accounts.
  • Run the AWS IAM Policy Simulator and verify the output.


Upvotes: 4
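
The three checks from the answer above (which identity the CLI is using, which account it belongs to, and what the policy simulator decides) as one script. This is an added example, not part of the original answer. It assumes a configured AWS CLI, that the caller is an IAM user, and that the caller may invoke iam:SimulatePrincipalPolicy; the function names and return codes are the example's own.

```shell
#!/bin/sh
# Added example: find out why iot:GetRegistrationCode is denied.
# Usage (after sourcing this file): diagnose <iam-user-name> <12-digit-account-id>

# Identity and account behind the credentials the CLI actually picked up.
caller_arn()     { aws sts get-caller-identity --query Arn --output text; }
caller_account() { aws sts get-caller-identity --query Account --output text; }

# Ask the IAM policy simulator about one action for one principal.
# Prints allowed, implicitDeny or explicitDeny.
simulate_action() {
    aws iam simulate-principal-policy \
        --policy-source-arn "$1" \
        --action-names "$2" \
        --query 'EvaluationResults[0].EvalDecision' --output text
}

# Return codes: 0 allowed, 1 CLI call failed, 2 wrong account,
# 3 wrong IAM user, 4 the simulator says the action is denied.
diagnose() {
    expected_user=$1
    expected_account=$2

    arn=$(caller_arn) || { echo "no usable credentials"; return 1; }
    account=$(caller_account) || return 1

    if [ "$account" != "$expected_account" ]; then
        echo "wrong account: CLI uses $account, expected $expected_account"
        return 2
    fi

    # User ARNs end in user/<name>, optionally with a path in between.
    case $arn in
        *:user/"$expected_user" | *:user/*/"$expected_user") ;;
        *) echo "wrong identity: CLI uses $arn"; return 3 ;;
    esac

    decision=$(simulate_action "$arn" iot:GetRegistrationCode) || return 1
    echo "decision for $arn: $decision"
    # implicitDeny: no attached policy allows the action.
    # explicitDeny: some policy contains a matching Deny statement.
    [ "$decision" = allowed ] || return 4
}
```

A return code of 2 or 3 means the keys in the active profile or environment belong to a different principal than the one the policies were attached to, which no policy change on the intended user will fix.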
