I want to generate a new SAS token for accessing an Azure IoT Hub using Paho MQTT with Java. I want to retrieve MQTT messages from a backend Java service.
Of course I want to limit the access for each service instance to certain devices.
This is the command I use to generate the token.
az iot hub generate-sas-token -d device1 -n iothubname --policy device
This is the error message I get:
{u'ExceptionMessage': u'Tracking ID<HIDDEN>:TimeStamp:01/01/2019 14:30:33', u'Message': u'ErrorCode:IotHubUnauthorizedAccess;Unauthorized'}
Before I tried that, I tried to use the policy "service" (because that token should be used by the backend service), which didn't work either:
az iot hub generate-sas-token -d device1 -n iothubname --policy service
{u'ExceptionMessage': u'Tracking ID:<>TimeStamp:01/01/2019 14:37:39', u'Message': u'ErrorCode:IotHubUnauthorizedAccess;Unauthorized'}
The only thing that works is:
az iot hub generate-sas-token -n iothubname
But according to the documentation, this creates a token with the iothubowner policy, which I don't want to give my backend service.
I can't really understand the concept of permissions on the Azure IoT Hub even after reading the docs 3 times: https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-devguide-security#iot-hub-permissions
When would I use the service policy and when would I use the device policy?
Thanks!
az iot hub generate-sas-token -n iothubname wouldn't have worked I think. – Christian