TestAuthorization
Tests if a specified principal is authorized to perform an Amazon IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the Amazon IoT device gateway.
Requires permission to access the TestAuthorization action.
Request Syntax
POST /test-authorization?clientId=clientId
HTTP/1.1
Content-type: application/json
{
"authInfos": [
{
"actionType": "string
",
"resources": [ "string
" ]
}
],
"cognitoIdentityPoolId": "string
",
"policyNamesToAdd": [ "string
" ],
"policyNamesToSkip": [ "string
" ],
"principal": "string
"
}
URI Request Parameters
The request uses the following URI parameters.
- clientId
-
The MQTT client ID.
Request Body
The request accepts the following data in JSON format.
- authInfos
-
A list of authorization info objects. Simulating authorization will create a response for each
authInfo
object in the list.Type: Array of AuthInfo objects
Array Members: Minimum number of 1 item. Maximum number of 10 items.
Required: Yes
- cognitoIdentityPoolId
-
The Cognito identity pool ID.
Type: String
Required: No
- policyNamesToAdd
-
When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.
Type: Array of strings
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern:
[\w+=,.@-]+
Required: No
- policyNamesToSkip
-
When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.
Type: Array of strings
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern:
[\w+=,.@-]+
Required: No
- principal
-
The principal. Valid principals are CertificateArn (arn:aws:iot:region:accountId:cert/certificateId), thingGroupArn (arn:aws:iot:region:accountId:thinggroup/groupName) and CognitoId (region:id).
Type: String
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"authResults": [
{
"allowed": {
"policies": [
{
"policyArn": "string",
"policyName": "string"
}
]
},
"authDecision": "string",
"authInfo": {
"actionType": "string",
"resources": [ "string" ]
},
"denied": {
"explicitDeny": {
"policies": [
{
"policyArn": "string",
"policyName": "string"
}
]
},
"implicitDeny": {
"policies": [
{
"policyArn": "string",
"policyName": "string"
}
]
}
},
"missingContextValues": [ "string" ]
}
]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- authResults
-
The authentication results.
Type: Array of AuthResult objects
Errors
- InternalFailureException
-
An unexpected error has occurred.
HTTP Status Code: 500
- InvalidRequestException
-
The request is not valid.
HTTP Status Code: 400
- LimitExceededException
-
A limit has been exceeded.
HTTP Status Code: 410
- ResourceNotFoundException
-
The specified resource does not exist.
HTTP Status Code: 404
- ServiceUnavailableException
-
The service is temporarily unavailable.
HTTP Status Code: 503
- ThrottlingException
-
The rate exceeds the limit.
HTTP Status Code: 400
- UnauthorizedException
-
You are not authorized to perform this operation.
HTTP Status Code: 401
See Also
For more information about using this API in one of the language-specific Amazon SDKs, see the following: