Granting an Amazon IoT rule the access it requires - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting an Amazon IoT rule the access it requires

Use IAM roles to control the Amazon resources to which each rule has access. Before you create a rule, you must create an IAM role with a policy that allows access to the required Amazon resources. Amazon IoT assumes this role when implementing a rule.

Complete the following steps to create the IAM role and Amazon IoT policy that grant an Amazon IoT rule the access it requires (Amazon CLI).

  1. Save the following trust policy document, which grants Amazon IoT permission to assume the role, to a file named iot-role-trust.json.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "iot.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:iot:us-east-1:123456789012:rule/rulename"
                }
            }
        }
    ]
}

    Use the create-role command to create an IAM role specifying the iot-role-trust.json file:

    aws iam create-role --role-name my-iot-role --assume-role-policy-document file://iot-role-trust.json

    The output of this command looks like the following:

    {
	"Role": {
		"AssumeRolePolicyDocument": "url-encoded-json",
		"RoleId": "AKIAIOSFODNN7EXAMPLE",
		"CreateDate": "2015-09-30T18:43:32.821Z",
		"RoleName": "my-iot-role",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/my-iot-role"
	}
}

  2. Save the following JSON into a file named my-iot-policy.json.

    {
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "dynamodb:*",
			"Resource": "*"
		}
	]
}

    This JSON is an example policy document that grants Amazon IoT administrator access to DynamoDB.

    Use the create-policy command to grant Amazon IoT access to your Amazon resources upon assuming the role, passing in the my-iot-policy.json file:

    aws iam create-policy --policy-name my-iot-policy --policy-document file://my-iot-policy.json

    For more information about how to grant access to Amazon Web Services in policies for Amazon IoT, see Creating an Amazon IoT rule.

    The output of the create-policy command contains the ARN of the policy. Attach the policy to a role.

    {
	"Policy": {
		"PolicyName": "my-iot-policy",
		"CreateDate": "2015-09-30T19:31:18.620Z",
		"AttachmentCount": 0,
		"IsAttachable": true,
		"PolicyId": "ZXR6A36LTYANPAI7NJ5UV",
		"DefaultVersionId": "v1",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:policy/my-iot-policy",
		"UpdateDate": "2015-09-30T19:31:18.620Z"
	}
}

  3. Use the attach-role-policy command to attach your policy to your role:

    aws iam attach-role-policy --role-name my-iot-role --policy-arn "arn:aws:iam::123456789012:policy/my-iot-policy"