
IAM users, groups, and roles - Amazon IoT Core

IAM users, groups, and roles

IAM users, groups, and roles are the standard mechanisms for managing identity and authentication in Amazon. You can use them to connect to Amazon IoT HTTP interfaces using the Amazon SDK and Amazon CLI.

IAM roles also allow Amazon IoT to access other Amazon resources in your account on your behalf. For example, if you want to have a device publish its state to a DynamoDB table, IAM roles allow Amazon IoT to interact with Amazon DynamoDB. For more information, see IAM Roles.

For message broker connections over HTTP, Amazon IoT authenticates users, groups, and roles using the Signature Version 4 signing process. For information, see Signing Amazon API Requests.

When authenticating requests using query parameters with temporary security credentials provided by Amazon Security Token Service (Amazon STS), do not include X-Amz-Security-Token in the canonical query string when calculating the signature. Instead, append X-Amz-Security-Token as a query parameter after the signature has been computed. This differs from some other Amazon services that require the security token to be part of the canonical request. For more information, see Signing requests with temporary security credentials.
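As an added illustration (not code from the Amazon IoT documentation or from the Device SDKs), the following Python builds a Signature Version 4 query-signed URL the way the paragraph above describes: the canonical query string is signed without X-Amz-Security-Token, and the token is appended only after X-Amz-Signature has been computed. The endpoint host, the `/mqtt` path, the `iotdevicegateway` service name, the fixed timestamp and all credentials are constructed placeholders for the example.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
# Constructed fixed timestamp so the output is reproducible; use the current UTC time in practice.
DEMO_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _quote(value: str) -> str:
    # SigV4 URI-encodes every character except the unreserved set.
    return urllib.parse.quote(value, safe="-_.~")

def presign_iot_url(host, region, access_key, secret_key, session_token=None,
                    path="/mqtt", service="iotdevicegateway", now=None):
    """Return a SigV4 query-signed URL for an Amazon IoT endpoint (GET, empty body).

    The session token is NOT part of the canonical query string; it is appended
    to the URL only after the signature has been computed.
    """
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    params = {  # everything that IS signed
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", path, canonical_qs,
        f"host:{host}\n",                      # canonical headers block ends with a newline
        "host",                                # signed headers
        hashlib.sha256(b"").hexdigest(),       # hash of the empty payload
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"wss://{host}{path}?{canonical_qs}&X-Amz-Signature={signature}"
    if session_token:
        # Temporary credentials: the token rides along unsigned, after the signature.
        url += "&X-Amz-Security-Token=" + _quote(session_token)
    return url
```

Because the token is outside the signed material, the URL produced with a session token is the token-free URL with one extra parameter appended; a client that mistakenly signs the token will get a signature the broker rejects.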

Note

The Amazon IoT Device SDKs handle this signing behavior automatically. If you are implementing custom signing code, refer to the SDK source:

When using Amazon Signature Version 4 with Amazon IoT, clients must support the following in their TLS implementation:

  • TLS 1.2

  • SHA-256 RSA certificate signature validation

  • One of the cipher suites from the TLS cipher suite support section

For information, see Identity and access management for Amazon IoT.