Amazon FreeRTOS
User Guide

Creating an OTA User Policy

You must grant your IAM user permission to perform over-the-air updates. Your IAM user must have permissions to:

  • Access the S3 bucket where your firmware updates are stored.

  • Access certificates stored in AWS Certificate Manager.

  • Access the AWS IoT Streaming service.

  • Access Amazon FreeRTOS OTA updates.

  • Access AWS IoT jobs.

  • Access IAM.

  • Access Code Signing for Amazon FreeRTOS.

  • List Amazon FreeRTOS hardware platforms.

To grant your IAM user the required permissions, create an OTA user policy and then attach it to your IAM user. For more information, see IAM Policies.

To create an OTA user policy

  1. Open the https://console.aws.amazon.com/iam/ console.

  2. In the navigation pane, choose Users.

  3. Choose your IAM user from the list.

  4. Choose Add permissions.

  5. Choose Attach existing policies directly.

  6. Choose Create policy.

  7. Choose the JSON tab, and copy and paste the following policy document into the policy editor:

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:ListAllMyBuckets", "s3:CreateBucket", "s3:PutBucketVersioning", "s3:GetBucketLocation", "s3:GetObjectVersion", "acm:ImportCertificate", "acm:ListCertificates", "iot:*", "iam:ListRoles", "freertos:ListHardwarePlatforms", "freertos:DescribeHardwarePlatform" ], "Resource":"*" }, { "Effect":"Allow", "Action":[ "s3:GetObject", "s3:PutObject" ], "Resource":"arn:aws:s3:::<example-bucket>/*" }, { "Effect":"Allow", "Action":"iam:PassRole", "Resource":"arn:aws:iam::<your-account-id>:role/<role-name>" } ] }​

    Replace <example-bucket> with the name of the Amazon S3 bucket where your OTA update firmware image is stored. Replace <your-account-id> with your AWS account ID. You can find your AWS account ID in the upper right of the console. When you enter your account ID, remove any dashes (-). Replace <role-name> with the name of the IAM service role you just created.

  8. Choose Review policy.

  9. Enter a name for your new OTA user policy, and then choose Create policy.

To attach the OTA user policy to your IAM user

  1. In the IAM console, in the navigation pane, choose Users, and then choose your user.

  2. Choose Add permissions.

  3. Choose Attach existing policies directly.

  4. Search for the OTA user policy you just created and select the check box next to it.

  5. Choose Next: Review.

  6. Choose Add permissions.