Managing jobs - Amazon IoT Core

Managing jobs

Use jobs to notify devices of a software or firmware update. You can use the Amazon IoT console, the Job management and control API operations, the Amazon Command Line Interface, or the Amazon SDKs to create and manage jobs.

Code signing for jobs

When you send code to devices, we recommend that you sign the code file by using the Amazon CLI so that devices can detect whether the code has been modified in transit. For instructions, see Create and manage jobs by using the Amazon CLI.

For more information, see What Is Code Signing for Amazon IoT?.

Job document

Before you create a job, you must create a job document. If you're using code signing for Amazon IoT, you must upload your job document to a versioned Amazon S3 bucket. For more information about creating an Amazon S3 bucket and uploading files to it, see Getting Started with Amazon Simple Storage Service in the Amazon S3 Getting Started Guide.


For job document examples, see the jobs-agent.js example in the Amazon IoT SDK for JavaScript.

Presigned URLs

Your job document can contain a presigned Amazon S3 URL that points to your code file (or other file). Presigned Amazon S3 URLs are valid only for a limited amount of time and are generated when a device requests a job document. Because the presigned URL isn't created when you're creating the job document, use a placeholder URL in your job document instead. A placeholder URL looks like the following:

${aws:iot:s3-presigned-url:<bucket>/<code file>}


  • bucket is the Amazon S3 bucket that contains the code file.

  • code file is the Amazon S3 key of the code file.

When a device requests the job document, Amazon IoT generates the presigned URL and replaces the placeholder URL with the presigned URL. Your job document is then sent to the device.

IAM role to grant permission to download files from S3

When you create a job that uses presigned Amazon S3 URLs, you must provide an IAM role. The role must grant permission to download files from the Amazon S3 bucket where the data or updates are stored. The role must also grant permission for Amazon IoT to assume the role.

You can specify an optional timeout for the presigned URL. For more information, see CreateJob.

Grant Amazon IoT Jobs permission to assume your role
  1. Go to the Roles hub of the IAM console and choose your role.

  2. On the Trust Relationships tab, choose Edit Trust Relationship and replace the policy document with the following JSON. Choose Update Trust Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              ""
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  3. To protect against the confused deputy problem, add the global condition context keys aws:SourceArn and aws:SourceAccount to the policy.


    Your aws:SourceArn must comply with the format: arn:aws:iot:region:account-id:*. Make sure that region matches your Amazon IoT Region and account-id matches your customer account ID. For more information, see Cross-service confused deputy prevention.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": ""
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "123456789012"
            },
            "ArnLike": {
              "aws:SourceArn": "arn:aws:iot:*:123456789012:job/*"
            }
          }
        }
      ]
    }

  4. If your job uses a job document that's an Amazon S3 object, choose Permissions and use the following JSON. This adds a policy that grants permission to download files from your Amazon S3 bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your_S3_bucket/*"
        }
      ]
    }
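
A check for the confused deputy step above, added here as an example and not code from the Amazon documentation: it lints a role trust policy for statements that let a service principal assume the role without the aws:SourceAccount and aws:SourceArn conditions, or with conditions scoped to another account or Region. The function names, the service.example principal and the us-east-1 Region are assumptions, and the sample policies are constructed.

```python
import re

# Page format: arn:aws:iot:region:account-id:* (other partitions accepted by assumption).
ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iot:([^:]*):([^:]*):.+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _values(condition, key):
    """All values bound to a condition key (case-insensitive), under any operator."""
    return [v for entries in condition.values() for name, value in entries.items()
            if name.lower() == key.lower() for v in _as_list(value)]

def lint_trust_policy(policy, account_id, region):
    """Return findings for statements that let a service principal assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") != "Allow"
                or "Service" not in stmt.get("Principal", {})
                or "sts:AssumeRole" not in _as_list(stmt.get("Action", []))):
            continue
        condition = stmt.get("Condition", {})
        accounts = _values(condition, "aws:SourceAccount")
        arns = _values(condition, "aws:SourceArn")
        for key, values in (("aws:SourceAccount", accounts), ("aws:SourceArn", arns)):
            if not values:
                findings.append(f"statement {i}: no {key} condition")
        if any(a != account_id for a in accounts):
            findings.append(f"statement {i}: aws:SourceAccount is not {account_id}")
        for arn in arns:
            m = ARN_RE.match(arn)
            if not m:
                findings.append(f"statement {i}: {arn} is not an IoT ARN")
            elif m.group(2) != account_id:
                findings.append(f"statement {i}: {arn} names another account")
            elif m.group(1) != region:
                findings.append(f"statement {i}: {arn} region is not {region}")
    return findings

# Constructed samples; "service.example" is a stand-in for the service principal.
BASE = {"Effect": "Allow", "Principal": {"Service": "service.example"},
        "Action": "sts:AssumeRole"}
UNSCOPED = {"Version": "2012-10-17", "Statement": [BASE]}
SCOPED = {"Version": "2012-10-17", "Statement": [dict(BASE, Condition={
    "StringEquals": {"aws:SourceAccount": "123456789012"},
    "ArnLike": {"aws:SourceArn": "arn:aws:iot:us-east-1:123456789012:*"}})]}
```

Run it over the trust policy document before you choose Update Trust Policy; an empty list means every service-principal statement is scoped to the account and Region you passed in.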