


Gets a list of the policies that have an effect on the authorization behavior of the specified device when it connects to the AWS IoT device gateway.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


[--principal <value>]
[--cognito-identity-pool-id <value>]
[--thing-name <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--principal (string)

The principal.

--cognito-identity-pool-id (string)

The Cognito identity pool ID.

--thing-name (string)

The thing name.

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.



To list the policies that affect a thing

The following get-effective-policies example lists the policies that affect the specified thing, including policies attached to any groups to which it belongs.

aws iot get-effective-policies \
    --thing-name MyLightBulb \
    --principal "arn:aws:iot:us-west-2:123456789012:cert/4f0ba725787aa94d67d2fca420eca022242532e8b3c58e7465c7778b443fd65e"


Output:

{
    "effectivePolicies": [
        {
            "policyName": "MyTestGroup_Core-policy",
            "policyArn": "arn:aws:iot:us-west-2:123456789012:policy/MyTestGroup_Core-policy",
            "policyDocument": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"iot:Publish\",\n        \"iot:Subscribe\",\n        \"iot:Connect\",\n        \"iot:Receive\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"iot:GetThingShadow\",\n        \"iot:UpdateThingShadow\",\n        \"iot:DeleteThingShadow\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"greengrass:*\"\n      ],\n      \"Resource\": [\n        \"*\"\n      ]\n    }\n  ]\n}"
        },
        {
            "policyName": "UpdateDeviceCertPolicy",
            "policyArn": "arn:aws:iot:us-west-2:123456789012:policy/UpdateDeviceCertPolicy",
            "policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\":  \"iot:UpdateCertificate\", \"Resource\": \"*\" } ] }"
        }
    ]
}

For more information, see Get Effective Policies for a Thing in the AWS IoT Developers Guide.


effectivePolicies -> (list)

The effective policies.


The policy that has the effect on the authorization results.

policyName -> (string)

The policy name.

policyArn -> (string)

The policy ARN.

policyDocument -> (string)

The IAM policy document.
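
An added example, not part of the AWS CLI documentation: a Python check that takes the JSON this command prints, decodes each policyDocument string, and reports Allow statements that use a wildcard action or a Resource of "*", as the policies in the example output do. The sample input is constructed; ScopedSensorPolicy and the function names are hypothetical.

```python
import json

def as_list(value):
    """Action and Resource appear as a string or a list; Statement is normalised the same way."""
    return value if isinstance(value, list) else [value]

def audit_effective_policies(cli_output):
    """Return (policyName, statement index, reasons) for each broad Allow statement."""
    findings = []
    for policy in json.loads(cli_output).get("effectivePolicies", []):
        # policyDocument is itself a JSON string, so it needs a second decode.
        document = json.loads(policy["policyDocument"])
        for index, stmt in enumerate(as_list(document.get("Statement", []))):
            if stmt.get("Effect") != "Allow":
                continue
            reasons = []
            if any("*" in action for action in as_list(stmt.get("Action", []))):
                reasons.append("wildcard action")
            if "*" in as_list(stmt.get("Resource", [])):
                reasons.append("unscoped resource")
            if reasons:
                findings.append((policy["policyName"], index, reasons))
    return findings

# Constructed sample in the shape of the command's output. The first two policies
# reuse names from the page's example; "ScopedSensorPolicy" is hypothetical.
SAMPLE_OUTPUT = json.dumps({"effectivePolicies": [
    {"policyName": "UpdateDeviceCertPolicy",
     "policyArn": "arn:aws:iot:us-west-2:123456789012:policy/UpdateDeviceCertPolicy",
     "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "iot:UpdateCertificate", "Resource": "*"}]})},
    {"policyName": "MyTestGroup_Core-policy",
     "policyArn": "arn:aws:iot:us-west-2:123456789012:policy/MyTestGroup_Core-policy",
     "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["iot:Publish", "iot:Connect"], "Resource": ["*"]},
         {"Effect": "Allow", "Action": ["greengrass:*"], "Resource": ["*"]}]})},
    {"policyName": "ScopedSensorPolicy",
     "policyArn": "arn:aws:iot:us-west-2:123456789012:policy/ScopedSensorPolicy",
     "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": {
         "Effect": "Allow", "Action": "iot:Publish",
         "Resource": "arn:aws:iot:us-west-2:123456789012:topic/sensors/MyLightBulb"}})},
]})

if __name__ == "__main__":
    for name, index, reasons in audit_effective_policies(SAMPLE_OUTPUT):
        print(f"{name} statement {index}: {', '.join(reasons)}")
```

To audit a real device, pass the command's standard output to audit_effective_policies in place of SAMPLE_OUTPUT.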