0 votes

I am trying to run the example in this tutorial from AWS IoT (AWS IoT Embedded C SDK).

My aws_iot_config.h file has the following configuration:

#define AWS_IOT_MQTT_HOST              "XXXXXXX.iot.us-east-2.amazonaws.com" ///< Customer specific MQTT HOST. The same will be used for Thing Shadow
#define AWS_IOT_MQTT_PORT              8883 ///< default port for MQTT/S
#define AWS_IOT_MQTT_CLIENT_ID         "c-sdk-client-id" ///< MQTT client ID should be unique for every device
#define AWS_IOT_MY_THING_NAME          "SM1" ///< Thing Name of the Shadow this device is associated with
#define AWS_IOT_ROOT_CA_FILENAME       "iotRootCA.pem" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME   "deviceCert.crt" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME   "deviceCert.key" ///< Device private key filename

This is how my policies are:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-2:338639570104:topic/sm1"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-2:338639570104:topic/sm1"
    }
  ]
}

When I run the subscribe_publish_sample example, I am getting the following error:

DEBUG: iot_tls_connect L#236 ok
[ Protocol is TLSv1.2 ]
[ Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ]

DEBUG: iot_tls_connect L#238 [ Record expansion is 29 ]

DEBUG: iot_tls_connect L#243 . Verifying peer X.509 certificate...
DEBUG: iot_tls_connect L#252 ok

DEBUG: iot_tls_connect L#262 . Peer certificate information ...

DEBUG: iot_tls_connect L#264 cert. version : 3
serial number : 3C:75:FE:30:01:DD:A3:B9:EF:72:DC:F6:7A:5C:A2:54
issuer name : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2
subject name : C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.iot.us-east-2.amazonaws.com
issued on : 2017-10-12 00:00:00
expires on : 2018-10-13 23:59:59
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : iot.us-east-2.amazonaws.com, *.iot.us-east-2.amazonaws.com
key usage : Digital Signature
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

Subscribing...
ERROR: main L#206 Error subscribing : -28

Can anyone show me what is happening? Am I missing something?


2 Answers

0 votes

As I did not find a good and complete tutorial on the process of sending data from a device to AWS IoT, including all the steps needed, I tried changing the policy I was using to:

{
  "Effect": "Allow",
  "Action": "iot:*",
  "Resource": "*"
}

Though this wildcard on Resource is apparently not so good, it was the way I used, since the other policies were not working.

0 votes

The AWS IoT core policy actions are at https://docs.aws.amazon.com/iot/latest/developerguide/iot-policy-actions.html

The sample client needs all four MQTT policies and needs iot:Publish, iot:Receive, and iot:Subscribe on the sdkTest topic. The topic name is hardcoded to sdkTest in the sample. So this works:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-2:338639570104:client/c-sdk-client-id"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-2:338639570104:client/c-sdk-client-id"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-2:338639570104:client/c-sdk-client-id"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-2:338639570104:client/c-sdk-client-id"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-2:338639570104:*sdkTest*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-2:338639570104:*sdkTest*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-2:338639570104:*sdkTest*"
    }
  ]
}
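The three policies on this page (the asker's topic/sm1 policy, the first answer's iot:* on * workaround, and the second answer's *sdkTest* policy) can be compared mechanically. The following is an added example, written for this thread and not code from either answerer or from the AWS IoT Embedded C SDK: a small checker that evaluates a policy document against the four permissions the subscribe_publish_sample exercises and flags statements that are broader than they need to be. It assumes IAM-style wildcard matching (`*` matches any run of characters, `?` one character) and the AWS IoT resource types client/<id> for iot:Connect, topicfilter/<filter> for iot:Subscribe and topic/<name> for iot:Publish and iot:Receive; the region and account id are the ones from the question, the topic name is the sdkTest from the second answer, and the least-privilege policy at the end is constructed here as an alternative, not taken from the page.

```python
import re

# Added example (not from the question, the answers or the AWS IoT SDK). Assumed:
# IAM wildcard semantics ('*' any run of characters, '?' one character) and the
# AWS IoT resource types client/<id>, topicfilter/<filter> and topic/<name>.
REGION, ACCOUNT = "us-east-2", "338639570104"   # values from the question
CLIENT_ID, TOPIC = "c-sdk-client-id", "sdkTest"  # config client id; topic from the second answer
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}"


def iam_match(pattern: str, value: str) -> bool:
    """Case-sensitive IAM wildcard match of an Action or Resource pattern."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Explicit Deny wins over any Allow; with no matching statement the default is deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def sample_requirements(region=REGION, account=ACCOUNT, client_id=CLIENT_ID, topic=TOPIC):
    """(action, resource) pairs the sample exercises: connect, subscribe, receive, publish."""
    base = f"arn:aws:iot:{region}:{account}"
    return [
        ("iot:Connect", f"{base}:client/{client_id}"),
        ("iot:Subscribe", f"{base}:topicfilter/{topic}"),
        ("iot:Receive", f"{base}:topic/{topic}"),
        ("iot:Publish", f"{base}:topic/{topic}"),
    ]


def missing_permissions(policy: dict, requirements=None):
    """Return the required (action, resource) pairs the policy does not allow."""
    reqs = requirements or sample_requirements()
    return [(a, r) for a, r in reqs if not is_allowed(policy, a, r)]


def overly_broad_statements(policy: dict):
    """Indices of Allow statements using a bare '*' resource or a '*' / 'iot:*' action."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        broad_action = any(a in ("*", "iot:*") for a in _as_list(stmt.get("Action", [])))
        broad_resource = any(r == "*" for r in _as_list(stmt.get("Resource", [])))
        if broad_action or broad_resource:
            hits.append(i)
    return hits


def _stmt(action, resource):
    return {"Effect": "Allow", "Action": action, "Resource": resource}


# The asker's policy: Connect on '*', Publish/Subscribe on topic/sm1.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("iot:Connect", "*"),
    _stmt("iot:Publish", f"{ARN}:topic/sm1"),
    _stmt("iot:Subscribe", f"{ARN}:topic/sm1"),
]}

# The first answer's workaround, wrapped in a complete policy document.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [_stmt("iot:*", "*")]}

# The second answer's policy, condensed (same actions and resources).
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt(a, f"{ARN}:client/{CLIENT_ID}")
    for a in ("iot:Connect", "iot:Publish", "iot:Receive", "iot:Subscribe")
] + [_stmt(a, f"{ARN}:*sdkTest*") for a in ("iot:Publish", "iot:Receive", "iot:Subscribe")]}

# Constructed least-privilege alternative: one resource type per action, no wildcards.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt("iot:Connect", f"{ARN}:client/{CLIENT_ID}"),
    _stmt("iot:Subscribe", f"{ARN}:topicfilter/{TOPIC}"),
    _stmt(["iot:Publish", "iot:Receive"], f"{ARN}:topic/{TOPIC}"),
]}

if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("answer", ANSWER_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(f"{name}: missing={missing_permissions(pol)} broad={overly_broad_statements(pol)}")
```

Run against the asker's policy, the checker reports iot:Subscribe, iot:Receive and iot:Publish as missing, which is consistent with the subscribe failing even though the TLS handshake and iot:Connect succeed. The first answer's iot:* on * passes the permission check but is flagged as broad, and the second answer's *sdkTest* resource passes too, though it also matches any topic whose name merely contains sdkTest; the constructed least-privilege policy passes both checks.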