TestAuthorization - Amazon IoT
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

TestAuthorization

Tests if a specified principal is authorized to perform an Amazon IoT action on a specified resource. Use this to test and debug the authorization behavior of devices that connect to the Amazon IoT device gateway.

Requires permission to access the TestAuthorization action.

Request Syntax

POST /test-authorization?clientId=clientId HTTP/1.1 Content-type: application/json { "authInfos": [ { "actionType": "string", "resources": [ "string" ] } ], "cognitoIdentityPoolId": "string", "policyNamesToAdd": [ "string" ], "policyNamesToSkip": [ "string" ], "principal": "string" }

URI Request Parameters

The request uses the following URI parameters.

clientId

The MQTT client ID.

Request Body

The request accepts the following data in JSON format.

authInfos

A list of authorization info objects. Simulating authorization will create a response for each authInfo object in the list.

Type: Array of AuthInfo objects

Array Members: Minimum number of 1 item. Maximum number of 10 items.

Required: Yes

cognitoIdentityPoolId

The Cognito identity pool ID.

Type: String

Required: No

policyNamesToAdd

When testing custom authorization, the policies specified here are treated as if they are attached to the principal being authorized.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w+=,.@-]+

Required: No

policyNamesToSkip

When testing custom authorization, the policies specified here are treated as if they are not attached to the principal being authorized.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w+=,.@-]+

Required: No

principal

The principal. Valid principals are CertificateArn (arn:aws:iot:region:accountId:cert/certificateId), thingGroupArn (arn:aws:iot:region:accountId:thinggroup/groupName) and CognitoId (region:id).

Type: String

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "authResults": [ { "allowed": { "policies": [ { "policyArn": "string", "policyName": "string" } ] }, "authDecision": "string", "authInfo": { "actionType": "string", "resources": [ "string" ] }, "denied": { "explicitDeny": { "policies": [ { "policyArn": "string", "policyName": "string" } ] }, "implicitDeny": { "policies": [ { "policyArn": "string", "policyName": "string" } ] } }, "missingContextValues": [ "string" ] } ] }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

authResults

The authentication results.

Type: Array of AuthResult objects

Errors

InternalFailureException

An unexpected error has occurred.

HTTP Status Code: 500

InvalidRequestException

The request is not valid.

HTTP Status Code: 400

LimitExceededException

A limit has been exceeded.

HTTP Status Code: 410

ResourceNotFoundException

The specified resource does not exist.

HTTP Status Code: 404

ServiceUnavailableException

The service is temporarily unavailable.

HTTP Status Code: 503

ThrottlingException

The rate exceeds the limit.

HTTP Status Code: 400

UnauthorizedException

You are not authorized to perform this operation.

HTTP Status Code: 401

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: