Granting an AWS IoT rule the access it requires - AWS IoT Core

Granting an AWS IoT rule the access it requires

Use IAM roles to control the AWS resources to which each rule has access. Before you create a rule, you must create an IAM role with a policy that allows access to the required AWS resources. AWS IoT assumes this role when implementing a rule.

Complete the following steps to create the IAM role and AWS IoT policy that grant an AWS IoT rule the access it requires (AWS CLI).
  1. Save the following trust policy document, which grants AWS IoT permission to assume the role, to a file named iot-role-trust.json.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" }, "ArnLike": { "aws:SourceArn": "arn:aws:iot:us-east-1:123456789012:rule/rulename" } } } ] }

    Use the create-role command to create an IAM role specifying the iot-role-trust.json file:

    aws iam create-role --role-name my-iot-role --assume-role-policy-document file://iot-role-trust.json

    The output of this command looks like the following:

    { "Role": { "AssumeRolePolicyDocument": "url-encoded-json", "RoleId": "AKIAIOSFODNN7EXAMPLE", "CreateDate": "2015-09-30T18:43:32.821Z", "RoleName": "my-iot-role", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/my-iot-role" } }
  2. Save the following JSON into a file named my-iot-policy.json.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" } ] }

    This JSON is an example policy document that grants AWS IoT administrator access to DynamoDB.

    Use the create-policy command to grant AWS IoT access to your AWS resources upon assuming the role, passing in the my-iot-policy.json file:

    aws iam create-policy --policy-name my-iot-policy --policy-document file://my-iot-policy.json

    For more information about how to grant access to AWS services in policies for AWS IoT, see Create a rule.

    The output of the create-policy command contains the ARN of the policy. Attach the policy to a role.

    { "Policy": { "PolicyName": "my-iot-policy", "CreateDate": "2015-09-30T19:31:18.620Z", "AttachmentCount": 0, "IsAttachable": true, "PolicyId": "ZXR6A36LTYANPAI7NJ5UV", "DefaultVersionId": "v1", "Path": "/", "Arn": "arn:aws:iam::123456789012:policy/my-iot-policy", "UpdateDate": "2015-09-30T19:31:18.620Z" } }
  3. Use the attach-role-policy command to attach your policy to your role:

    aws iam attach-role-policy --role-name my-iot-role --policy-arn "arn:aws:iam::123456789012:policy/my-iot-policy"