Create an OTA Update service role - FreeRTOS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create an OTA Update service role

The OTA Update service assumes this role to create and manage OTA update jobs on your behalf.

To create an OTA service role
  1. Sign in to the IAM console at https://console.amazonaws.cn/iam/.

  2. From the navigation pane, choose Roles.

  3. Choose Create role.

  4. Under Select type of trusted entity, choose Amazon Service.

  5. Choose IoT from the list of Amazon services.

  6. Under Select your use case, choose IoT.

  7. Choose Next: Permissions.

  8. Choose Next: Tags.

  9. Choose Next: Review.

  10. Enter a role name and description, and then choose Create role.

For more information about IAM roles, see IAM Roles.

Important

To address the cross-service confused deputy security issue, you must follow the instructions in the Amazon IoT Core guide: restrict the role's trust policy with the aws:SourceAccount and aws:SourceArn condition keys so that Amazon IoT can assume the role only when it is acting on behalf of resources in your own account.

To add OTA update permissions to your OTA service role
  1. In the search box on the IAM console page, enter the name of your role, and then choose it from the list.

  2. Choose Attach policies.

  3. In the Search box, enter "AmazonFreeRTOSOTAUpdate", select AmazonFreeRTOSOTAUpdate from the list of filtered policies, and then choose Attach policy to attach the policy to your service role.

To add the required IAM permissions to your OTA service role
  1. In the search box on the IAM console page, enter the name of your role, and then choose it from the list.

  2. Choose Add inline policy.

  3. Choose the JSON tab.

  4. Copy and paste the following policy document into the text box:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:PassRole"
                ],
                "Resource": "arn:aws-cn:iam::your_account_id:role/your_role_name"
            }
        ]
    }

    Make sure that you replace your_account_id with your Amazon account ID, and your_role_name with the name of the OTA service role (the role you are editing). Keeping the Resource scoped to this single role ARN, rather than "*", means the role can pass only itself to the OTA service.

  5. Choose Review policy.

  6. Enter a name for the policy, and then choose Create policy.

Note

The following procedure isn't required if your Amazon S3 bucket name begins with "afr-ota". If it does, the Amazon managed policy AmazonFreeRTOSOTAUpdate already includes the required permissions.

To add the required Amazon S3 permissions to your OTA service role
  1. In the search box on the IAM console page, enter the name of your role, and then choose it from the list.

  2. Choose Add inline policy.

  3. Choose the JSON tab.

  4. Copy and paste the following policy document into the box.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObjectVersion",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws-cn:s3:::example-bucket/*"
                ]
            }
        ]
    }

    This policy grants your OTA service role permission to read and write objects in the bucket (it lists s3:PutObject as well as the read actions), scoped to object paths under that one bucket. Make sure that you replace example-bucket with the name of your bucket.

  5. Choose Review policy.

  6. Enter a name for the policy, and then choose Create policy.
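The procedures above are console click-paths. The following is an added example, not part of the FreeRTOS or Amazon IoT documentation, that builds the same three policy documents as Python dictionaries (the trust policy with the confused deputy conditions, the iam:PassRole inline policy and the S3 inline policy) and audits them for the common ways such a role ends up over-permissioned. The account ID, region, role name, bucket name and the "iot.amazonaws.com" service principal are assumptions for illustration; the sample documents fed to the audit are constructed, not taken from a real account.

```python
"""Build and sanity-check the IAM policy documents for a FreeRTOS OTA
update service role. Added example with placeholder account/role/bucket
values; the service principal below is an assumption to verify against
the Amazon IoT Core guide for your partition."""
import json

IOT_SERVICE_PRINCIPAL = "iot.amazonaws.com"  # assumed service principal


def trust_policy(account_id: str, region: str, partition: str = "aws-cn") -> dict:
    """Trust policy letting Amazon IoT assume the role, with the
    aws:SourceAccount / aws:SourceArn conditions that close the
    cross-service confused deputy hole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": IOT_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:{partition}:iot:{region}:{account_id}:*"},
            },
        }],
    }


def pass_role_policy(role_arn: str) -> dict:
    """Inline policy from the page: the role may GetRole/PassRole only itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": role_arn,
        }],
    }


def s3_policy(bucket: str, partition: str = "aws-cn") -> dict:
    """Inline policy from the page: object read/write in the firmware bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObjectVersion", "s3:GetObject", "s3:PutObject"],
            "Resource": [f"arn:{partition}:s3:::{bucket}/*"],
        }],
    }


def _statements(doc: dict) -> list:
    st = doc.get("Statement", [])
    return st if isinstance(st, list) else [st]


def _as_list(v) -> list:
    return v if isinstance(v, list) else [v]


def audit(trust: dict, inline: list, account_id: str, role_arn: str) -> list:
    """Return human-readable findings; an empty list means the documents
    match the page's intent (scoped PassRole, scoped S3, guarded trust)."""
    findings = []
    for s in _statements(trust):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        cond = s.get("Condition", {})
        src_acct = cond.get("StringEquals", {}).get("aws:SourceAccount")
        src_arn = (cond.get("ArnLike", {}).get("aws:SourceArn")
                   or cond.get("ArnEquals", {}).get("aws:SourceArn"))
        if src_acct != account_id:
            findings.append("trust policy: missing aws:SourceAccount condition (confused deputy)")
        if not src_arn:
            findings.append("trust policy: missing aws:SourceArn condition (confused deputy)")
    for doc in inline:
        for s in _statements(doc):
            if s.get("Effect") != "Allow":
                continue
            actions = _as_list(s.get("Action"))
            resources = _as_list(s.get("Resource"))
            if "iam:PassRole" in actions and any(r != role_arn for r in resources):
                findings.append("iam:PassRole must be scoped to the OTA role ARN only")
            if any(a.startswith("s3:") for a in actions) and any(
                    r == "*" or r.endswith(":::*") for r in resources):
                findings.append("S3 permissions must be scoped to the firmware bucket")
            if "*" in actions:
                findings.append("wildcard Action is broader than the page's policies")
    return findings


if __name__ == "__main__":
    acct, role, bucket = "123456789012", "FreeRTOSOTAServiceRole", "afr-ota-firmware"
    role_arn = f"arn:aws-cn:iam::{acct}:role/{role}"
    trust = trust_policy(acct, "cn-north-1")
    print(json.dumps(trust, indent=2))
    print("findings:", audit(trust, [pass_role_policy(role_arn), s3_policy(bucket)], acct, role_arn))
```

The generated documents can be written to files and applied with the standard CLI calls (`aws iam create-role --assume-role-policy-document file://trust.json`, then `aws iam put-role-policy --policy-document file://...` for each inline policy, and `aws iam attach-role-policy` for the AmazonFreeRTOSOTAUpdate managed policy); running `audit` first on whatever is already attached to an existing role is a quick way to catch a "*" in iam:PassRole or a bucket-wide S3 grant before the role goes live.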