Add necessary IAM role for network analyzer
When you use network analyzer, you must grant a user permission to use the API operations UpdateNetworkAnalyzerConfiguration and GetNetworkAnalyzerConfiguration to access network analyzer resources. The following shows the IAM policies that you use to grant permissions.
IAM policies for network analyzer
Use either of the following:
- Full access wireless policy
  Grant AWS IoT Core for LoRaWAN the full access policy by attaching the policy AWSIoTWirelessFullAccess to your role. For more information, see AWSIoTWirelessFullAccess policy summary.
- Scoped IAM policy for Get and Update API
  Create the following IAM policy by going to the Create policy page of the IAM console, and on the Visual editor tab:
  - Choose IoTWireless for Service.
  - Under Access level, expand Read and choose GetNetworkAnalyzerConfiguration, and then expand Write and choose UpdateNetworkAnalyzerConfiguration.
  - Choose Next:Tags, and enter a Name for the policy, such as IoTWirelessNetworkAnalyzerPolicy. Choose Create policy.
The following shows the policy IoTWirelessNetworkAnalyzerPolicy that you created. For more information about creating a policy, see Create IAM policies.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iotwireless:GetNetworkAnalyzerConfiguration",
                "iotwireless:UpdateNetworkAnalyzerConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
- Scoped policy to access specific resources
  To configure more fine-grained access control, you must add the wireless gateways and devices to the Resource field. The following policy uses the wildcard ARN to grant access to all gateways and devices. You can control access to specific gateways and devices by using the WirelessGatewayId and WirelessDeviceId.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iotwireless:GetNetworkAnalyzerConfiguration",
                "iotwireless:UpdateNetworkAnalyzerConfiguration"
            ],
            "Resource": [
                "arn:aws:iotwireless:*:{accountId}:WirelessDevice/*",
                "arn:aws:iotwireless:*:{accountId}:WirelessGateway/*",
                "arn:aws:iotwireless:*:{accountId}:NetworkAnalyzerConfiguration/*"
            ]
        }
    ]
}
To grant a user permission to use network analyzer but not to use any wireless gateways or devices, use the following policy. Unless specified, permissions to use the resources are implicitly denied.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iotwireless:GetNetworkAnalyzerConfiguration",
                "iotwireless:UpdateNetworkAnalyzerConfiguration"
            ],
            "Resource": [
                "arn:aws:iotwireless:*:{accountId}:NetworkAnalyzerConfiguration/*"
            ]
        }
    ]
}
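The scoped policies above use wildcard ARNs for gateways and devices. As an added example (not AWS's own code), the following Python builds the same policy restricted to specific WirelessGatewayId and WirelessDeviceId values and reports wildcard gateway or device grants in an existing policy. The function names, the ID character check, the Sid, and the sample IDs are assumptions; the ARN layout follows the wildcard ARNs shown above.

```python
import json
import re

# The two actions that the page's policies grant.
ANALYZER_ACTIONS = {
    "iotwireless:GetNetworkAnalyzerConfiguration",
    "iotwireless:UpdateNetworkAnalyzerConfiguration",
}
ARN = "arn:aws:iotwireless:{region}:{account}:{rtype}/{rid}"
# Assumption: reject IAM wildcards and ARN separators in caller-supplied IDs.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")

def build_scoped_policy(account_id, gateway_ids, device_ids, region="*"):
    """Return a policy limited to the listed gateways and devices."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be 12 digits")
    resources = []
    for rtype, ids in (("WirelessGateway", gateway_ids), ("WirelessDevice", device_ids)):
        for rid in ids:
            if not SAFE_ID.fullmatch(rid):
                raise ValueError(f"unsafe {rtype} id: {rid!r}")
            resources.append(ARN.format(region=region, account=account_id, rtype=rtype, rid=rid))
    # Network analyzer configurations stay wildcarded, as in the page's policies.
    resources.append(ARN.format(region=region, account=account_id,
                                rtype="NetworkAnalyzerConfiguration", rid="*"))
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "NetworkAnalyzerScoped", "Effect": "Allow",
        "Action": sorted(ANALYZER_ACTIONS), "Resource": resources}]}

def wildcard_grants(policy):
    """List "*" or wildcard gateway/device ARNs granted for the analyzer actions.
    Only exact action names are matched, not action wildcards."""
    stmts = policy.get("Statement", [])
    found = []
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not ANALYZER_ACTIONS & set(actions):
            continue
        res = stmt.get("Resource", [])
        for r in [res] if isinstance(res, str) else res:
            if r == "*" or re.search(r":Wireless(Gateway|Device)/\*$", r):
                found.append(r)
    return found

if __name__ == "__main__":
    # Constructed account ID and resource IDs, for illustration only.
    policy = build_scoped_policy("111122223333", ["gw-example-01"], ["dev-example-01"])
    print(json.dumps(policy, indent=4), wildcard_grants(policy))
```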
Next steps
Now that you've created the policy, you can add resources to your network analyzer configuration and receive trace messaging information for those resources. For more information, see Create network analyzer configuration and add resources.