
I want to generate a new SAS token for accessing an Azure IoT Hub using Paho MQTT with Java. I want to retrieve MQTT messages from a backend Java service.

Of course I want to limit the access for each service instance to certain devices.

This is the command I use to generate the token.

az iot hub generate-sas-token -d device1 -n iothubname --policy device

This is the error message I get

{u'ExceptionMessage': u'Tracking ID<HIDDEN>:TimeStamp:01/01/2019 14:30:33', u'Message': u'ErrorCode:IotHubUnauthorizedAccess;Unauthorized'}

Before I tried that, I tried to use the policy "service" (because that token should be used by the backend service) which didn't work either:

az iot hub generate-sas-token -d device1 -n iothubname --policy service

{u'ExceptionMessage': u'Tracking ID:<>TimeStamp:01/01/2019 14:37:39', u'Message': u'ErrorCode:IotHubUnauthorizedAccess;Unauthorized'}

The only thing that works is az iot hub generate-sas-token -n iothubname, but according to the documentation this creates a token with the iothubowner policy, which I don't want to give my backend service.

I can't really understand the concept of permissions on the Azure IoT Hub even after reading the docs 3 times: https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#iot-hub-permissions

When would I use the service policy and when would I use the device policy?


Can you please let me know if you have used az login to first log in to Azure? Please check this link for details: docs.microsoft.com/en-us/cli/azure/… - Tiklu Ganguly
Yes, I have used that; otherwise the command az iot hub generate-sas-token -n iothubname wouldn't have worked, I think. - Christian

1 Answer



az iot hub generate-sas-token -n [IoTHub Name] --policy registryRead --key-type secondary

You can see the details of the same in the example in the following link
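
How a policy-signed SAS token is put together and scoped, as an added example (not part of the original question or answer, and not Azure CLI code). It follows the token format from the IoT Hub security documentation linked in the question; `SAMPLE_KEY`, the helper names and the local `verify` check are assumptions made up for illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus, urlencode

HUB_HOST = "iothubname.azure-devices.net"  # hub name taken from the question
# Constructed placeholder; a real key comes from the hub's shared access policy.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key-not-real!").decode()


def resource_uri(device_id=None):
    """Whole hub, or only one device's endpoints when device_id is given."""
    return HUB_HOST if device_id is None else f"{HUB_HOST}/devices/{device_id}"


def build_sas_token(uri, key_b64, policy_name=None, ttl=3600, now=None):
    """HMAC-SHA256 over '<url-encoded uri>\\n<expiry>' with the decoded key."""
    expiry = int((time.time() if now is None else now) + ttl)
    to_sign = f"{quote_plus(uri)}\n{expiry}".encode()
    key = base64.b64decode(key_b64)
    sig = base64.b64encode(hmac.new(key, to_sign, hashlib.sha256).digest())
    fields = {"sr": uri, "sig": sig, "se": str(expiry)}
    if policy_name is not None:
        fields["skn"] = policy_name  # names the policy whose key signed the token
    return "SharedAccessSignature " + urlencode(fields)


def describe(token):
    """Return (resource, policy, expiry) so the scope can be reviewed before use."""
    q = parse_qs(token.split(" ", 1)[1])
    return q["sr"][0], q.get("skn", [None])[0], int(q["se"][0])


def verify(token, key_b64, now=None):
    """Local stand-in for the hub's check: not expired, signature matches key."""
    uri, policy, expiry = describe(token)
    if expiry <= (time.time() if now is None else now):
        return False
    expected = build_sas_token(uri, key_b64, policy, ttl=0, now=expiry)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    scoped = build_sas_token(resource_uri("device1"), SAMPLE_KEY, "device")
    print(describe(scoped), verify(scoped, SAMPLE_KEY))
```

The `sr` field returned by `describe` shows whether a token covers the whole hub or a single device path, which is the thing to check before handing a token to a service instance.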
