Managing a stream in the Amazon Cloud
Amazon IoT provides Amazon SDK and Amazon CLI commands that you can use to manage a stream in the Amazon Cloud. You can use these commands to do the following:
Note
At this time, streams are not visible in the Amazon Web Services Management Console. You must use the Amazon CLI or Amazon SDK to manage a stream in Amazon IoT. Also, Embedded C SDK
Before you use Amazon IoT MQTT-based file delivery from your devices, you must ensure the following conditions are met for your devices, as shown in the next sections:
- A policy reflecting the correct permissions required for transmitting data via MQTT.
- Your device can connect to the Amazon IoT Device Gateway.
- A policy statement stating you can tag resources. If CreateStream is called with tags, then iot:TagResource is required.
Before you use Amazon IoT MQTT-based file delivery from your devices, you must follow the steps in the next sections to make sure that your devices are properly authorized and can connect to the Amazon IoT Device Gateway.
Grant permissions to your devices
You can follow the steps in Create an Amazon IoT policy to create a device policy or use an existing device policy. Attach the policy to the certificates associated with your devices and add the following permissions to the device policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:partition:iot:region:accountID:client/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Receive",
        "iot:Publish"
      ],
      "Resource": [
        "arn:partition:iot:region:accountID:topic/$aws/things/${iot:Connection.Thing.ThingName}/streams/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:partition:iot:region:accountID:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/streams/*"
      ]
    }
  ]
}
Connect your devices to Amazon IoT
Devices that use Amazon IoT MQTT-based file delivery are required to connect with Amazon IoT. Amazon IoT MQTT-based file delivery integrates with Amazon IoT in the Amazon Cloud, so your devices should directly connect to the endpoint of the Amazon IoT Data Plane.
Note
The endpoint of the Amazon IoT data plane is specific to the Amazon Web Services account and Region. You must use the endpoint for the Amazon Web Services account and the Region in which your devices are registered in Amazon IoT.
See Connecting to Amazon IoT Core for more information.
TagResource Usage
The CreateStream API action creates a stream for delivering one or more large files in chunks over MQTT.
A successful CreateStream API call requires the following permissions:
- iot:CreateStream
- iot:TagResource (if CreateStream is called with tags)
The policy supporting those two permissions is shown below:
{
  "Version": "2012-10-17",
  "Statement": {
    "Action": [
      "iot:CreateStream",
      "iot:TagResource"
    ],
    "Effect": "Allow",
    "Resource": "arn:partition:iot:region:accountID:stream/streamId"
  }
}
The iot:TagResource policy statement action is required to ensure a user can't create or update a tag on a resource without the proper permissions. Without the specific policy statement action of iot:TagResource, the CreateStream API call will return an AccessDeniedException if the request comes with tags.
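As an added example (not code from the Amazon IoT documentation), a small Python checker that applies both policy requirements on this page to policy documents loaded as dicts: it reports a device policy that lacks any of the four stream actions, grants them on resources not bound to ${iot:Connection.Thing.ThingName}, or grants them on the wrong ARN resource type, and reports a CreateStream caller's policy that lacks iot:CreateStream or, when the request carries tags, iot:TagResource. It assumes action names are listed exactly; wildcard actions such as iot:* are not expanded, and the sample policies at the bottom are constructed for the check.

```python
THING_VAR = "${iot:Connection.Thing.ThingName}"
STREAM_TOPICS = f"$aws/things/{THING_VAR}/streams/*"
# ARN resource type each required device action is scoped to in the page's policy.
DEVICE_REQUIREMENTS = {"iot:Connect": "client/", "iot:Receive": "topic/",
                       "iot:Publish": "topic/", "iot:Subscribe": "topicfilter/"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allowed_resources(policy, action):
    """Resources of every Allow statement naming `action` exactly (no wildcard expansion)."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action", [])):
            found.extend(_as_list(stmt.get("Resource", [])))
    return found

def check_device_policy(policy):
    """Findings for a device policy used with MQTT-based file delivery: 'missing' (required
    action not allowed), 'not thing-scoped' (resource not bound to the connecting thing, so one
    device's credentials reach other things' stream topics), 'wrong type' (other ARN type)."""
    findings = []
    for action, resource_type in DEVICE_REQUIREMENTS.items():
        resources = _allowed_resources(policy, action)
        if not resources:
            findings.append(f"missing: {action}")
        for res in resources:
            # The resource field follows the fifth colon; the colon inside the thing-name
            # variable comes later, so maxsplit=5 leaves the variable intact.
            field = res.split(":", 5)[-1]
            if THING_VAR not in field:
                findings.append(f"not thing-scoped: {action} on {res}")
            elif not field.startswith(resource_type):
                findings.append(f"wrong type: {action} on {res}")
    return findings

def check_create_stream_policy(policy, with_tags):
    """Actions the CreateStream caller's policy lacks; iot:TagResource matters only with tags."""
    needed = ["iot:CreateStream"] + (["iot:TagResource"] if with_tags else [])
    return [a for a in needed if not _allowed_resources(policy, a)]

def _arn(field):  # constructed sample ARN using the page's placeholder components
    return f"arn:partition:iot:region:accountID:{field}"

# The page's device policy, rebuilt here as a constructed sample, and an over-broad variant.
PAGE_DEVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [_arn(f"client/{THING_VAR}")]},
    {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"], "Resource": [_arn(f"topic/{STREAM_TOPICS}")]},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": [_arn(f"topicfilter/{STREAM_TOPICS}")]}]}
BROAD_DEVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(DEVICE_REQUIREMENTS), "Resource": "*"}]}
```

Running check_device_policy on the page's policy returns no findings, while the "*" variant is flagged on every action because nothing ties it to the connecting thing.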
For more information, refer to the following links: