aws-iot: How to attach an IoT Policy to a Thing Group

[lautip]

Describe the feature

IoT Core allows to attach an IoT Policy to a Thing Group, but 'CfnPolicyPrincipalAttachment' fails at deploy time if we the pass principal as CfnThingGroup..attrArn.
The error message is:
12:12:40 PM | CREATE_FAILED | AWS::IoT::PolicyPrincipalAttachment | quarPolicyAttachment
The given ARN does not represent a cert (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: 8018ecbf-38ff-4493-93c8-6e3a183abb0b; Proxy: null)****

Use Case

User wants to attach an IoT Policy to a Thing Group.
One common case is to create a Quarantine group used to isolate Things with unexpected behaviour.

Proposed Solution

CfnPolicyPrincipalAttachment to accept a Thing Group ARN for a Static Group.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

aws-cdk@2.85.0

Environment details (OS name and version, etc.)

Clou9 on Linux

[pahud]

Thanks for the report.

IoT Core allows to attach an IoT Policy to a Thing Group

Do you have any document link about this?

And, can you share your CDK code that returns the error? It sounds like a limit from cloudformation so we need to make sure it does support.

[lautip]

Doc:
look for "Attach or detach a policy to or from a group." in https://docs.aws.amazon.com/iot/latest/developerguide/thing-groups.html

[lautip]

My code:

// Create thing groups
const publishersThingGroup = new aws_iot.CfnThingGroup(this, "publishersThingGroup", {
thingGroupName: 'cognienPublishers',
thingGroupProperties: { thingGroupDescription: 'Members of this group will be allowed to publish on specific topics' },
});

// Create IoT Policy
const publishersPolicyDoc = {
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"iot:Publish"
],
Resource: [ "*" ]
}
]
};

const publishersPolicy = new aws_iot.CfnPolicy(this, 'publishersPolicy', {
policyName: "cognienPublishersPolicy",
policyDocument: publishersPolicyDoc,
});

//Attach policy to Group
const pubPolicyAttachment = new aws_iot.CfnPolicyPrincipalAttachment(this, "pubPolicyAttachment", {
policyName: publishersPolicy.policyName || "",
principal: publishersThingGroup.attrArn,
});

pubPolicyAttachment is throwing the error at deploy time.

[yamatatsu]

As far as I know, unfortunately CloudFormation AWS::IoT::ThingPrincipalAttachment cannot attach to a ThingGroup. So we need to use CLI or web console.

[raziza]

Added a new feature request for it: here

[khushail]

Hi @raziza , I have marked this appropriately to be taken up by the cloudfomation team. Please feel free to reach out to Cloudformation team for inclusion of this issue by following the guidelines mentioned in their coverage roadmap.

[tim-finnigan]

Linking related issue: #18872

[PITPL-Chetan-Porwal]

        AttachPolicyRequest attachPolicyRequest = new AttachPolicyRequest()
                .withPolicyName(policyName)
                .withTarget(createThingResult.getThingName());
        awsIot.attachPolicy(attachPolicyRequest);

After using the above code facing the below all permission are enabled and checked its perfectly without SDK policy will attach.
com.amazonaws.services.iot.model.InvalidRequestException: Invalid Target (Service: AWSIot; Status Code: 400; Error Code: InvalidRequestException; Request ID: cd9b955e-0b17-4cf1-b493-4f696e1367dd; Proxy: null)

[mateuszboryn]

When can I expect it to be implemented in CF and CDK?