humana.fragilitas

Reputation: 21

Dynamic AWS::accountId and AWS::region in a device provisioning template policy document

I am trying to implement IoT device provisioning in AWS by a trusted user via a provisioning template.

My provisioning template is as follows:

{
    "Parameters": {
        "ThingName" : {
            "Type" : "String"
        },
        "Company": {
            "Type" : "String"
        }
    },
    "Resources" : {
        "thing" : {
            "Type" : "AWS::IoT::Thing",
            "Properties" : {
                "ThingName" : {"Ref" : "ThingName"},
                "AttributePayload" : {
                    "Company" : {"Ref" : "Company"}
                },
                "ThingTypeName" : "My-Thing-Type"
            },
            "OverrideSettings" : {
                "AttributePayload" : "REPLACE",
                "ThingTypeName" : "REPLACE"
            }
        },
        "certificate" : {
            "Type" : "AWS::IoT::Certificate",
            "Properties": {
                "CertificateId": {"Ref": "AWS::IoT::Certificate::Id"},
                "Status" : "ACTIVE"
            }
        },
        "policy" : {
            "Type" : "AWS::IoT::Policy",
            "Properties" : {
                "PolicyDocument" : {
                    "Fn::Sub": [
                        "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": \"iot:Connect\", \"Resource\": \"arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/${ThingName}\"}, {\"Effect\": \"Allow\", \"Action\": \"iot:Subscribe\", \"Resource\": \"arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topicfilter/companies/${Company}/devices/${ThingName}/events\" }, { \"Effect\": \"Allow\", \"Action\": \"iot:Receive\", \"Resource\": \"arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/companies/${Company}/devices/${ThingName}/events\"} , { \"Effect\": \"Allow\", \"Action\": \"iot:Publish\", \"Resource\": \"arn:aws:iot:${AWS::Region}:${AWS::AccountId}:topic/companies/${Company}/devices/${ThingName}/events\" }]}",
                        {
                            "ThingName": {
                                "Ref": "ThingName"
                            },
                            "Company": {
                                "Ref": "Company"
                            }
                        }
                    ]
                }
            }
        }
    }
}

I would expect the AWS::Region and AWS::AccountId reserved variables to be automatically replaced upon provisioning, but they remain unchanged in the created policy document.

I then tried to expressly pass the following further arguments to the Fn::Sub:

"AWS::Region":{
   "Ref":"AWS::Region"
},
"AWS::AccountId":{
   "Ref":"AWS::AccountId"
}

But an error sent to the $aws/provisioning-templates/{MY-PROVISIONING-TEMPLATE-NAME}/provision/json topic indicates that the variables cannot be resolved: {"statusCode":400,"errorCode":"InvalidParameters","errorMessage":"Cannot resolve reference value: AWS::Region"}.

Upvotes: 0

Views: 49
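The substitution behaviour described in the question, as an added example that is not part of the original post or of any AWS tooling: a local dry-run of the Fn::Sub step that renders the policy document, reports every ${...} name that had no value to substitute, and checks the resulting IoT policy for leftover placeholders (a literal, never-matching ARN granted to the device) or wildcard resources (an over-broad grant). It also renders a second form in which the region and account ID are passed by the trusted user as ordinary template parameters. That the AWS::Region and AWS::AccountId pseudo-parameters are simply not substituted in IoT provisioning templates, and that explicit parameters work around it, is an assumption of this example, not something the post confirms. The thing name, company, region and account ID are constructed sample values.

```python
import json
import re

# Added example (not from the original post): a local dry-run of the Fn::Sub
# step of an AWS IoT provisioning template. It renders the policy document the
# way Fn::Sub would, reports which ${...} names had no value to substitute, and
# checks the resulting IoT policy for leftover placeholders or wildcard ARNs.

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def build_policy_template(region_var="AWS::Region", account_var="AWS::AccountId"):
    """Return the Fn::Sub string from the question's template. The names used
    for region and account are parameters so the same builder can produce the
    original form and a form that uses ordinary template parameters instead of
    the AWS::* pseudo-parameters (an assumed workaround, not confirmed by the post)."""
    def arn(kind, suffix):
        return f"arn:aws:iot:${{{region_var}}}:${{{account_var}}}:{kind}/{suffix}"

    events = "companies/${Company}/devices/${ThingName}/events"
    statements = [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": arn("client", "${ThingName}")},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": arn("topicfilter", events)},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": arn("topic", events)},
        {"Effect": "Allow", "Action": "iot:Publish", "Resource": arn("topic", events)},
    ]
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


def resolve_sub(template_string, variables):
    """Substitute ${Name} with variables[Name], like Fn::Sub. Names without a
    value are left in place and reported, which is what the question observed
    for AWS::Region and AWS::AccountId."""
    unresolved = set()

    def replace(match):
        name = match.group(1)
        if name in variables:
            return variables[name]
        unresolved.add(name)
        return match.group(0)

    return PLACEHOLDER.sub(replace, template_string), sorted(unresolved)


def render_policy(template_string, variables):
    """Render and parse the policy; the document must still be valid JSON after
    substitution, otherwise provisioning would fail later anyway."""
    rendered, unresolved = resolve_sub(template_string, variables)
    return json.loads(rendered), unresolved


def check_policy(policy):
    """Findings a reviewer wants before this policy is attached to a device
    certificate: unresolved placeholders and wildcard resources."""
    findings = []
    for statement in policy["Statement"]:
        resources = statement["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for resource in resources:
            if PLACEHOLDER.search(resource):
                findings.append(f"{statement['Action']}: unresolved placeholder in {resource}")
            if "*" in resource:
                findings.append(f"{statement['Action']}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    # Constructed sample parameters, as a trusted user would pass them.
    params = {"ThingName": "sensor-001", "Company": "acme"}

    # 1. Original form: the pseudo-parameters are not in the parameter map,
    #    so they survive substitution unchanged, as the question observed.
    policy, missing = render_policy(build_policy_template(), params)
    print("unresolved:", missing)
    for finding in check_policy(policy):
        print(" -", finding)

    # 2. Assumed workaround: region and account ID supplied as explicit
    #    template parameters (constructed values).
    explicit = dict(params, Region="eu-west-1", AccountId="123456789012")
    policy, missing = render_policy(build_policy_template("Region", "AccountId"), explicit)
    print("unresolved:", missing)
    print(policy["Statement"][0]["Resource"])
```

Running the script shows the original form leaving both pseudo-parameters in every ARN, while the explicit-parameter form renders fully qualified ARNs scoped to the single client ID and topic the device should use. The same check can be run against any rendered provisioning template before it is registered.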

Answers (0)
