# Troubleshooting AWS IoT
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/iot_troubleshooting.html)
The following information might help you troubleshoot common issues in AWS IoT.
**Topics**
+ [AWS IoT Core troubleshooting guide](iot-core-troubleshooting.md)
+ [AWS IoT Device Management troubleshooting guide](device-management-troubleshooting.md)
+ [AWS IoT Device Advisor troubleshooting guide](device-advisor-troubleshooting.md)
+ [AWS IoT errors](iot-errors.md)
# AWS IoT Core troubleshooting guide
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/iot-core-troubleshoot.html)
This is the troubleshooting section for AWS IoT Core.
**Topics**
+ [Diagnosing connectivity issues](diagnosing-connectivity-issues.md)
+ [Diagnosing rules issues](diagnosing-rules.md)
+ [Diagnosing problems with shadows](diagnosing-shadows.md)
+ [Diagnosing Salesforce IoT input stream action issues](diagnosing-salesforce.md)
+ [Diagnosing Stream Limits](diagnosing-stream-limits.md)
+ [Troubleshooting device fleet disconnects](ota-troubleshooting-fleet-disconnects.md)
# Diagnosing connectivity issues
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/diagnosing-connectivity-issues.html)
A successful connection to AWS IoT requires:
+ A valid connection
+ A valid and active certificate
+ A policy that allows the desired connection and operation
## Connection
How do I find the correct endpoint?
+ The `endpointAddress` returned by `aws iot [describe-endpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-endpoint.html) --endpoint-type iot:Data-ATS`
or
+ The `domainName` returned by `aws iot [describe-domain-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-domain-configuration.html) –-domain-configuration-name "domain_configuration_name"`
How do I find the correct Server Name Indication (SNI) value?
The correct SNI value is the `endpointAddress` returned by the **[describe-endpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-endpoint.html)** or the `domainName` returned by the **[describe-domain-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-domain-configuration.html)** commands. It's the same address as the endpoint in the previous step. When connecting devices to AWS IoT Core, clients can send the [Server Name Indication (SNI) extension](https://tools.ietf.org/html/rfc3546#section-3.1), which is not required but highly recommended. To use features such as [multi-account registration](https://docs.aws.amazon.com//iot/latest/developerguide/x509-client-certs.html#multiple-account-cert), [custom domains](https://docs.aws.amazon.com//iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html), and [VPC endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/IoTCore-VPC.html), you must use the SNI extension. For more information, see [Transport Security in AWS IoT](transport-security.html).
How do I solve a connectivity issue that persists?
You can use AWS Device Advisor to help troubleshoot. Device Advisor's pre-built tests help you validate your device software against best practices for usage of [TLS](https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html), [MQTT](https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html), [AWS IoT Device Shadow](https://docs.aws.amazon.com/iot/latest/developerguide/iot-device-shadows.html), and [AWS IoT Jobs](https://docs.aws.amazon.com/iot/latest/developerguide/iot-jobs.html).
Here is a link to the existing [Device Advisor](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor.html) content.
## Authentication
Devices must be [authenticated](client-authentication.md) to connect to AWS IoT endpoints. For devices that use [X.509 client certificates](x509-client-certs.md) for authentication, the certificates must be registered with AWS IoT and be active.
How do my devices authenticate AWS IoT endpoints?
Add the AWS IoT CA certificate to your client's trust store. Refer to the documentation on [Server Authentication in AWS IoT Core](x509-client-certs.html#server-authentication) and then follow the links to download the appropriate CA certificate.
What is checked when a device connects to AWS IoT?
When a device attempts to connect to AWS IoT:
1. AWS IoT checks for a valid certificate and Server Name Indication (SNI) value.
1. AWS IoT checks to see that the certificate used is registered with the AWS IoT Account and that it has been activated.
1. When a device attempts to perform any action in AWS IoT, such as to subscribe to or publish a message, the policy attached to the certificate it used to connect is checked to confirm that the device is authorized to perform that action.
How can I validate a correctly configured certificate?
Use the OpenSSL `s_client` command to test a connection to the AWS IoT endpoint:
```
openssl s_client -connect custom_endpoint.iot.aws-region.amazonaws.com:8443 -CAfile CA.pem -cert cert.pem -key privateKey.pem
```
For more information about using `openssl s_client`, see [OpenSSL s\$1client documentation](https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html).
How do I check the status of a certificate?
+
**List the certificates**
If you don't know the certificate ID, you can see the status of all your certificates by using the `aws iot [list-certificates](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/list-certificates.html)` command.
+
**Show a certificate's details**
If you know the certificate's ID, this command shows you more detailed information about the certificate.
```
aws iot [describe-certificate](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-certificate.html) --certificate-id "certificateId"
```
+
**Review the certificate in the AWS IoT Console**
In the [AWS IoT console](https://console.aws.amazon.com/iot/home), in the left menu, choose **Secure**, and then choose **Certificates**.
Choose the certificate that you are using to connect from the list to open its detail page.
In the certificate's detail page, you can see its current status.
The certificate's status can be changed by using the **Actions** menu in the upper-right corner of the details page.
## Authorization
AWS IoT resources use [AWS IoT Core policies](iot-policies.md) to authorize those resources to perform [actions](iot-policy-actions.md). For an action to be authorized, the specified AWS IoT resources must have a policy document attached to it that grants permission to perform that action.
I received a `PUBNACK` or `SUBNACK` response from the broker. What do I do?
Make sure that there is a policy attached to the certificate you are using to call AWS IoT. All publish/subscribe operations are denied by default.
Make sure the attached policy authorizes the [actions](iot-policy-actions.md) you are trying to perform.
Make sure the attached policy authorizes the [resources](iot-action-resources.md) that are trying to perform the authorized actions.
I have an *AUTHORIZATION\$1FAILURE* entry in my logs.
Make sure that there is a policy attached to the certificate you are using to call AWS IoT. All publish/subscribe operations are denied by default.
Make sure the attached policy authorizes the [actions](iot-policy-actions.md) you are trying to perform.
Make sure the attached policy authorizes the [resources](iot-action-resources.md) that are trying to perform the authorized actions.
How do I check what the policy authorizes?
In the [AWS IoT console](https://console.aws.amazon.com/iot/home), in the left menu, choose **Security**, and then choose **Certificates**.
Choose the certificate that you are using to connect from the list to open its detail page.
In the certificate's detail page, you can see its current status.
In the left menu of the certificate's detail page, choose **Policies** to see the policies attached to the certificate.
Choose the desired policy to see its details page.
In the policy's details page, review the policy's **Policy document** to see what it authorizes.
Choose **Edit policy document** to make changes to the policy document.
## Security and identity
When you provide the server certificates for AWS IoT custom domain configuration, the certificates have a maximum of four domain names.
For more information, see [AWS IoT Core endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/iot-core.html#security-limits).
# Diagnosing rules issues
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/diagnosing-rules.html)
This section describes some of the things to check when you encounter a problem with rule.
## Configuring CloudWatch Logs for troubleshooting
The best way to debug issues you are having with rules is to use CloudWatch Logs. When you enable CloudWatch Logs for AWS IoT, you can see which rules are triggered and their success or failure. You also get information about whether WHERE clause conditions match. For more information, see [Monitor AWS IoT using CloudWatch Logs](cloud-watch-logs.md).
The most common rules issue is authorization. The logs show if your role is not authorized to perform AssumeRole on the resource. Here is an example log generated by [fine-grained logging](configure-logging.md#fine-logging-cli):
```
{
"timestamp": "2017-12-09 22:49:17.954",
"logLevel": "ERROR",
"traceId": "ff563525-6469-506a-e141-78d40375fc4e",
"accountId": "123456789012",
"status": "Failure",
"eventType": "RuleExecution",
"clientId": "iotconsole-123456789012-3",
"topicName": "test-topic",
"ruleName": "rule1",
"ruleAction": "DynamoAction",
"resources": {
"ItemHashKeyField": "id",
"Table": "trashbin",
"Operation": "Insert",
"ItemHashKeyValue": "id",
"IsPayloadJSON": "true"
},
"principalId": "ABCDEFG1234567ABCD890:outis",
"details": "User: arn:aws:sts::123456789012:assumed-role/dynamo-testbin/5aUMInJH is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/testbin (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: AKQJ987654321AKQJ123456789AKQJ987654321AKQJ987654321)"
}
```
Here is a similar example log generated by [global logging](configure-logging.md#global-logging-cli):
```
2017-12-09 22:49:17.954 TRACEID:ff562535-6964-506a-e141-78d40375fc4e
PRINCIPALID:ABCDEFG1234567ABCD890:outis [ERROR] EVENT:DynamoActionFailure
TOPICNAME:test-topic CLIENTID:iotconsole-123456789012-3
MESSAGE:Dynamo Insert record failed. The error received was User: arn:aws:sts::123456789012:assumed-role/dynamo-testbin/5aUMInJI is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/testbin
(Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: AKQJ987654321AKQJ987654321AKQJ987654321AKQJ987654321).
Message arrived on: test-topic, Action: dynamo, Table: trashbin, HashKeyField: id, HashKeyValue: id, RangeKeyField: None, RangeKeyValue: 123456789012
No newer events found at the moment. Retry.
```
For more information, see [Viewing AWS IoT logs in the CloudWatch console](cloud-watch-logs.md#viewing-logs).
## Diagnosing external services
External services are controlled by the end user. Before rule execution, make sure that the external services you have linked to your rule are set up and have enough throughput and capacity units for your application.
## Diagnosing SQL problems
**If your SQL query is not returning the data you expect:**
+ **Review the logs for error messages.**
+
**Confirm that your SQL syntax matches the JSON document in the message.**
Review the object and property names used in the query with those used in the JSON document of the topic's message payload. For more information about the JSON formatting in SQL queries, see [JSON extensions](iot-sql-json.md).
+
**Check to see if the JSON object or property names include reserved or numeric characters.**
For more information about reserved characters in JSON object references in SQL queries, see [JSON extensions](iot-sql-json.md).
# Diagnosing problems with shadows
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/diagnosing-shadows.html)
**Diagnosing shadows**
| Issue | Troubleshooting guidelines |
| --- | --- |
| A device's shadow document is rejected with Invalid JSON document. | If you are unfamiliar with JSON, modify the examples provided in this guide for your own use. For more information, see [Shadow document examples](device-shadow-document.md#device-shadow-document-syntax). |
| I submitted correct JSON, but none or only parts of it are stored in the device's shadow document. | Be sure you are following the JSON formatting guidelines. Only JSON fields in the desired and reported sections are stored. JSON content (even if formally correct) outside of those sections is ignored. |
| I received an error that the device's shadow exceeds the allowed size. | The device's shadow supports 8 KB of data only. Try shortening field names inside of your JSON document or simply create more shadows by creating more things. A device can have an unlimited number of things/shadows associated with it. The only requirement is that each thing name must be unique in your account. |
| When I receive a device's shadow, it is larger than 8 KB. How can this happen? | Upon receipt, the AWS IoT service adds metadata to the device's shadow. The service includes this data in its response, but it does not count toward the limit of 8 KB. Only the data for desired and reported state inside the state document sent to the device's shadow counts toward the limit. |
| My request has been rejected due to incorrect version. What should I do? | Perform a GET operation to sync to the latest state document version. When using MQTT, subscribe to the ./update/accepted topic to be notified about state changes and receive the latest version of the JSON document. |
| The timestamp is off by several seconds. | The timestamp for individual fields and the whole JSON document is updated when the document is received by the AWS IoT service or when the state document is published onto the ./update/accepted and ./update/delta message. Messages can be delayed over the network, which can cause the timestamp to be off by a few seconds. |
| My device can publish and subscribe on the corresponding shadow topics, but when I attempt to update the shadow document over the HTTP REST API, I get HTTP 403. | Be sure you have created policies in IAM to allow access to these topics and for the corresponding action (UPDATE/GET/DELETE) for the credentials you are using. IAM policies and certificate policies are independent. |
| Other issues. | The Device Shadow service logs errors to CloudWatch Logs. To identify device and configuration issues, enable CloudWatch Logs and view the logs for debug information. |
# Diagnosing Salesforce IoT input stream action issues
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/diagnosing-salesforce.html)
## Execution trace
How do I see the execution trace of a Salesforce action?
See the [Monitor AWS IoT using CloudWatch Logs](cloud-watch-logs.md) section. After you have activated the logs, you can see the execution trace of the Salesforce action.
## Action success and failure
How do I check that messages have been sent successfully to a Salesforce IoT input stream?
View the logs generated by execution of the Salesforce action in CloudWatch Logs. If you see `Action executed successfully`, then it means that the AWS IoT rules engine received confirmation from the Salesforce IoT that the message was successfully pushed to the targeted input stream.
If you are experiencing problems with the Salesforce IoT platform, contact Salesforce IoT support.
What do I do if messages have not been sent successfully to a Salesforce IoT input stream?
View the logs generated by execution of the Salesforce action in CloudWatch Logs. Depending on the log entry, you can try the following actions:
`Failed to locate the host`
Check that the `url` parameter of the action is correct and that your Salesforce IoT input stream exists.
`Received Internal Server Error from Salesforce`
Retry. If the problem persists, contact Salesforce IoT Support.
`Received Bad Request Exception from Salesforce`
Check the payload you are sending for errors.
`Received Unsupported Media Type Exception from Salesforce`
Salesforce IoT does not support a binary payload at this time. Check that you are sending a JSON payload.
`Received Unauthorized Exception from Salesforce`
Check that the `token` parameter of the action is correct and that your token is still valid.
`Received Not Found Exception from Salesforce`
Check that the `url` parameter of the action is correct and that your Salesforce IoT input stream exists.
If you receive an error that is not listed here, contact AWS IoT Support.
# Diagnosing Stream Limits
**Troubleshooting "Stream limit exceeded for your AWS account"**
If you see `"Error: You have exceeded the limit for the number of streams in your AWS account."`, you can clean up the unused streams in your account instead of requesting a limit increase.
To clean up an unused stream that you created using the AWS CLI or SDK:
```
aws iot delete-stream –stream-id value
```
For more details, see [delete-stream](https://docs.aws.amazon.com/cli/latest/reference/iot/delete-stream.html).
**Note**
You can use the `list-streams` command to find the stream IDs.
# Troubleshooting device fleet disconnects
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/ota-troubleshooting-fleet-disconnects.html)
AWS IoT device fleet disconnects can happen for multiple reasons. This article explains how to diagnose a disconnect reason and how to handle disconnects caused by regular maintenance of AWS IoT service or a throttling limit.
**To diagnose the disconnect reason**
You can check the [AWSIotLogsV2](https://docs.aws.amazon.com/iot/latest/developerguide/cloud-watch-logs.html) log group in [CloudWatch](https://docs.aws.amazon.com//iot/latest/developerguide/cwl-format.html) to identify the disconnect reason in the `disconnectReason` field of the log entry.
You can also use AWS IoT's [lifecycle events](https://docs.aws.amazon.com//iot/latest/developerguide/life-cycle-events.html) feature to identify the disconnect reason. If you’ve subscribed to [lifecycle's disconnect event](https://docs.aws.amazon.com//iot/latest/developerguide/life-cycle-events.html#connect-disconnect) (`$aws/events/presence/disconnected/clientId`), you’ll get a notification from AWS IoT when the disconnect happens. You can identify the disconnect reason in the `disconnectReason` field of the notification.
For more information, see [CloudWatch AWS IoT log entries](https://docs.aws.amazon.com//iot/latest/developerguide/cwl-format.html) and [Lifecycle events](https://docs.aws.amazon.com//iot/latest/developerguide/life-cycle-events.html).
**To troubleshoot disconnects due to AWS IoT service maintenance**
Disconnects caused by AWS IoT's service maintenance are logged as `SERVER_INITIATED_DISCONNECT` in AWS IoT's lifecycle event and CloudWatch. To handle these disconnects, adjust your client-side setup to make sure your devices can be automatically reconnected to the AWS IoT platform.
**To troubleshoot disconnects due to a throttling limit**
Disconnects caused by a throttling limit are logged as `THROTTLED` in AWS IoT's lifecycle event and CloudWatch. To handle these disconnects, you can request [message broker limit increases](https://docs.aws.amazon.com//general/latest/gr/iot-core.html#message-broker-limits) as the device count grows.
For more information, see [AWS IoT Core Message Broker](https://docs.aws.amazon.com//general/latest/gr/iot-core.html#message-broker-limits).
# AWS IoT Device Management troubleshooting guide
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/device-management-troubleshoot.html)
This is the troubleshooting section for AWS IoT Device Management.
**Topics**
+ [AWS IoT Jobs Troubleshooting](jobs-troubleshooting.md)
+ [Fleet Indexing Troubleshooting](fleet-indexing-troubleshooting.md)
+ [AWS IoT Device Management Software Package Catalog Troubleshooting](software-package-catalog-troubleshooting.md)
# AWS IoT Jobs Troubleshooting
This is the troubleshooting section for AWS IoT Jobs.
## How do I locate an AWS IoT Jobs endpoint?
**How do I locate the AWS IoT Jobs control plane endpoint?**
AWS IoT Jobs supports controls plane API operations using the HTTPS protocol. Verify you have connected to the correct control plane endpoint using the HTTPS protocol.
For a list of AWS region-specific endpoints, see [AWS IoT Core - control plane endpoints](https://docs.aws.amazon.com/general/latest/gr/iot-core.html#iot-core-control-plane-endpoints).
For a list of FIPS compliant **AWS IoT Jobs control plane** endpoints, see [FIPS Endpoints by Service](https://aws.amazon.com//compliance/fips/#FIPS_Endpoints_by_Service)
AWS IoT Jobs and AWS IoT Core share the same AWS Region-specific endpoints.
**How do I locate the AWS IoT Jobs data plane endpoint?**
AWS IoT Jobs supports data plane API operations using the HTTPS and MQTT protocols. Verify you have connected to the correct data plane endpoint using the HTTPS or MQTT protocol.
+ HTTPS protocol
+ Use the following [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-endpoint.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-endpoint.html) CLI command shown below or the [https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeEndpoint.html](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeEndpoint.html) REST API. For the endpoint type, use `iot:Jobs`.
```
aws iot describe-endpoint --endpoint-type iot:Jobs
```
+ MQTT protocol
+ Use the following [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-endpoint.html](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iot/describe-endpoint.html) CLI command shown below or the [https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeEndpoint.html](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeEndpoint.html) REST API. For the endpoint type, use `iot:Data-ATS`.
```
aws iot describe-endpoint --endpoint-type iot:Data-ATS
```
For a list of FIPS compliant **AWS IoT Jobs data plane** endpoints, see [FIPS Endpoints by Service](https://aws.amazon.com//compliance/fips/#FIPS_Endpoints_by_Service)
## How do I monitor AWS IoT Jobs activity and provide metrics?
Monitoring AWS IoT Jobs activity using Amazon CloudWatch provides real-time visibility into ongoing AWS IoT Jobs operations and helps control costs with CloudWatch alarms via AWS IoT Rules. You must configure logging before you can monitor AWS IoT Jobs activity and setup CloudWatch alarms. For more information on setting up logging, see [Configure AWS IoT logging](configure-logging.md).
For more information on Amazon CloudWatch and how to setup permission via an IAM user role to use CloudWatch resources, see [Identity and access management for Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/auth-and-access-control-cw.html).
**How do I set up AWS IoT Jobs metrics and monitoring using Amazon CloudWatch?**
To set up AWS IoT logging, follow the steps outlined in [Configure AWS IoT logging](https://docs.aws.amazon.com/iot/latest/developerguide/configure-logging.html). AWS IoT logging set up can be done in the AWS Management Console, AWS CLI, or API. AWS IoT logging set up for specific thing groups must be done in the AWS CLI or API only.
The [AWS IoT Jobs metrics](https://docs.aws.amazon.com/iot/latest/developerguide/metrics_dimensions.html#jobs-metrics) section contains the AWS IoT Jobs metrics used for monitoring AWS IoT Jobs activity. It explains how to view the metrics in the AWS Management Console and AWS CLI.
Additionally, you can set up CloudWatch alarms to alert you of specific metrics you want to closely monitor. For guidance on alarm setup, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html).
## Device fleets and single device troubleshooting
**A job execution maintains a status of `QUEUED` indefinitely**
When a job execution with a status state of `QUEUED` does not proceed to the next logical status state such as `IN_PROGRESS`, `FAILED`, or `TIMED_OUT`, one of the following scenarios may be the cause:
+ Review your device activity in the CloudWatch logs located in the [CloudWatch console](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatchLogs.html). For more information, refer to [Monitor AWS IoT using CloudWatch Logs](https://docs.aws.amazon.com/iot/latest/developerguide/cloud-watch-logs.html).
+ The IAM role associated with the job and subsequent job execution may not have the correct permissions listed in one of the policy statements of the IAM policy attached to that IAM role. Use the [https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeJob.html](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeJob.html) API to identify the IAM role linked to that job and subsequent job execution and review the IAM policy for correct permissions. Once the policy permission statements have been updated, you should be able to perform the [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API command on the resource.
**A job execution was not created for my thing or thing group**
When a job updates its status state to `IN_PROGRESS`, it will begin the job document rollout to all devices in your target group. This status state update will create a job execution for each target device. If a job execution was not created for one of the target devices, refer to the following guidance:
+ Is the `thing` *directly* targeted by the job, the job has a status state of `IN_PROGRESS`, and the job is concurrent? If all three conditions are met, then the job is still sending out job executions to all devices in your target group and that specific `thing` has not received its job execution yet.
+ Review the devices in your target group for the job and the job status state in the AWS Management Console or use the [https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeJob.html](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeJob.html) API command.
+ Use the [https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeJob.html](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeJob.html) API command to review if the job has the `IsConcurrent` property set to true or false. For more information, see [Job limits](https://docs.aws.amazon.com/iot/latest/developerguide/job-limits.html).
+ The `thing` is *not directly* targeted by the job.
+ If the `Thing` was added to a `ThingGroup` and the job targeted the `ThingGroup`, then verify the `Thing` is part of the `ThingGroup`.
+ If the job is a snapshot job with a status state of `IN_PROGRESS` and is concurrent, then the job is still sending out job executions to all devices in your target group and that specific `Thing` has not received its job execution yet.
+ If the job is a continuous job with a status state of `IN_PROGRESS` and is concurrent, then the job is still sending out job executions to all devices in your target group and that specific `Thing` has not received its job execution yet. For continuous jobs only, you can also remove the `Thing` from the `ThingGroup` and then add the `Thing` back to the `ThingGroup`.
+ If the job is a snapshot job with a status state of `IN_PROGRESS` and is not concurrent, then it's likely the `Thing` or `ThingGroup` membership relationship is not acknowledged by AWS IoT Jobs. It is recommended to add several seconds of waiting time after your `AddThingToThingGroup` call before you create your `Job`. Alternatively, you can switch the target selection to `Continuous`, thus making the service backfill the delayed `Thing` and `ThingGroup` membership attachment event.
**New job fails due to `LimitedExceededException` error**
If your job creation fails with an error response of `LimitedExceededException`, then call the `list-jobs` API and review all jobs with `isConcurrent=true` to determine if you are at your job concurrency limit. See [Job limits](https://docs.aws.amazon.com/iot/latest/developerguide/job-limits.html) for additional information on concurrent jobs. To view your job concurrency limits and to request a limit increase, see [AWS IoT Device Management jobs limits and quotas](https://docs.aws.amazon.com/general/latest/gr/iot_device_management.html#job-limits).
**Job document size limit**
The job document size is limited by the MQTT payload size. If you need a job document larger than 32 kB (kilobytes), 32,000 B (bytes), then create and store the job document in Amazon S3 and add an Amazon S3 object URL in the `documentSource` field for the `CreateJob` API or using the AWS CLI. For the AWS Management Console, add an Amazon S3 object URL in the Amazon S3 URL text box when creating a job.
+ AWS Management Console create job documentation: [Create and manage jobs by using the AWS Management Console](https://docs.aws.amazon.com/iot/latest/developerguide/manage-job-console.html)
+ AWS CLI create job documentation: [Create and manage jobs using the AWS CLI](https://docs.aws.amazon.com/iot/latest/developerguide/manage-job-cli.html)
+ `CreateJob` API documentation: [CreateJob](https://docs.aws.amazon.com/iot/latest/apireference/API_CreateJob.html)
**Device Side MQTT message requests throttle limits**
If you receive an error code 400 `ThrottlingException`, the device side MQTT message failed due to reaching the limit of simultaneous device side requests. See [AWS IoT Device Management jobs limits and quotas](https://docs.aws.amazon.com/general/latest/gr/iot_device_management.html#job-limits) for more information on throttle limits and if it is adjustable.
**Connection timeout error**
An error code 400 `RequestExpired` indicates a connection failure due to high latency or low client side timeout values.
+ See [Testing connectivity with your device data endpoint](https://docs.aws.amazon.com/iot/latest/developerguide/iot-quick-start-test-connection.html) for information on testing connection between the client side and server side.
**Invalid API command**
Confirm the correct API command is entered to avoid an error message stating the API command is invalid. See the [AWS IoT API Reference](https://docs.aws.amazon.com/iot/latest/apireference/Welcome.html) for a comprehensive list of all AWS IoT API commands.
**Service side connection error**
An error code 503 `ServiceUnavailable` indicates the error originated from the server side.
+ See [AWS Health Dashboard (all AWS services)](https://health.aws.amazon.com/health/status) for the current status of all AWS services.
+ See [AWS Health Dashboard (personal AWS account)](https://aws.amazon.com/premiumsupport/technology/aws-health-dashboard/) for the current status of your personal AWS account.
# Fleet Indexing Troubleshooting
## Troubleshooting aggregation queries for the fleet indexing service
If you are having type mismatch errors, you can use CloudWatch Logs to troubleshoot the problem. CloudWatch Logs must be enabled before logs are written by the Fleet Indexing service. For more information, see [Monitor AWS IoT using CloudWatch Logs](cloud-watch-logs.md).
To make aggregation queries on non-managed fields, you must specify a field you defined in the `customFields` argument passed to `UpdateIndexingConfiguration` or **update-indexing-configuration**. If the field value is inconsistent with the configured field data type, this value is ignored when you perform an aggregation query.
If a field cannot be indexed because of a mismatched type, the Fleet Indexing service sends an error log to CloudWatch Logs. The error log contains the field name, the value that could not be converted, and the thing name for the device. The following is an example error log:
```
{
"timestamp": "2017-02-20 20:31:22.932",
"logLevel": "ERROR",
"traceId": "79738924-1025-3a00-a669-7bec69f7f07a",
"accountId": "000000000000",
"status": "SucceededWithIssues",
"eventType": "IndexingCustomFieldFailed",
"thingName": "thing0",
"failedCustomFields": [
{
"Name": "attributeName1",
"Value": "apple",
"ExpectedType": "String"
},
{
"Name": "attributeName2",
"Value": "2",
"ExpectedType": "Boolean"
}
]
}
```
If a device has been disconnected for approximately an hour, the connectivity status `timestamp` value might be missing. For persistent sessions, the value might be missing after a client has been disconnected longer than the configured time-to-live (TTL) for the persistent session. The connectivity status data is indexed only for connections where the client ID has a matching thing name. (The client ID is the value used to connect a device to AWS IoT Core.)
## Troubleshooting fleet indexing configuration
**Can't downgrade fleet indexing configuration**
Downgrading fleet indexing configuration is not supported when you want to remove the data sources that are associated with a fleet metric or a dynamic group.
For example, if your indexing configuration has registry data, shadow data, and connectivity data, and a fleet metric exists with the query `thingName:TempSensor* AND shadow.desired.temperature>80`, updating the indexing configuration to include only the registry data will result in an error.
Modifying custom fields used by existing fleet metrics is not supported.
**Can't update your indexing configuration due to incompatible fleet metrics or dynamic groups**
If you can't update your indexing configuration due to incompatible fleet metrics or dynamic groups, delete the incompatible fleet metrics or dynamic groups before you update the indexing configuration.
## Troubleshooting location indexing and geoqueries
To troubleshoot mismatched type errors in location indexing and geoqueries, you can enable CloudWatch logs. For more information about how to monitor AWS IoT using CloudWatch, follow [the step-by-step guide](https://docs.aws.amazon.com//iot/latest/developerguide/cloud-watch-logs.html).
When you index location data using geoqueries, the location fields you specify in `geoLocations` must match the location fields you pass to `UpdateIndexingConfiguration`. If there's a mismatch, fleet indexing sends a mismatched type error to CloudWatch. The error log contains the field name, the value that could not be converted, and the thing name for the device.
The following is an example error log:
```
{
"timestamp": "2023-11-09 01:39:43.466",
"logLevel": "ERROR",
"traceId": "79738924-1025-3a00-a669-7bec69f7f07a",
"accountId": "123456789012",
"status": "Failure",
"eventType": "IndexingGeoLocationFieldFailed",
"thingName": "thing0",
"failedGeolocationFields": [
{
"Name": "attributeName1",
"Value": "apple",
"ExpectedType": "Geopoint"
}
],
"reason": "failed to index the field because it could not be converted to one of the expected geoLocation formats."
}
```
For more information, see [Indexing location data](location-indexing-geoquery.md).
## Troubleshooting fleet metrics
**Can't see data points in CloudWatch**
If you're able to create a fleet metric but you can't see data points in CloudWatch, it's likely that you don't have a thing that meets the query string criteria.
See this example command of how to create a fleet metric:
```
aws iot create-fleet-metric --metric-name "example_FM" --query-string "thingName:TempSensor* AND attributes.temperature>80" --period 60 --aggregation-field "attributes.temperature" --aggregation-type name=Statistics,values=count
```
If you don't have a thing that meets the query string criteria `--query-string "thingName:TempSensor* AND attributes.temperature>80"`:
+ With `values=count`, you'll be able to create a fleet metric and there'll be data points to show in CloudWatch. The data points of the value `count` is always 0.
+ With `values` other than `count`, you'll be able to create a fleet metric but you won't see the fleet metric in CloudWatch and there'll be no data points to show in CloudWatch.
# AWS IoT Device Management Software Package Catalog Troubleshooting
This is the troubleshooting section for AWS IoT Device Management Software Package Catalog.
## General Troubleshooting Error Messages
This section lists common errors seen throughout the software package version lifecycle.
**`HeadBucket` errors**
The following error messages appear when calling the [`HeadBucket` API operation](https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html) or [`head-bucket` CLI command](https://docs.aws.amazon.com/cli/latest/reference/s3api/head-bucket.html) to validate the Amazon S3 bucket used for file upload during a job deployment.
For more information on using an Amazon S3 bucket for uploading files during a job deployment, see [Presigned URL for file upload](create-manage-jobs.md#create-manage-jobs-presigned-URLs-upload).
```
InvalidRoleException
"Permission denied when attempting to use role %s to access bucket %s."
```
```
InvalidRequestException
"Cross region S3 bucket is not supported for presigned url upload placeholder"
```
```
InvalidRequestException
"S3 bucket in job document presigned url upload placeholder not found"
```
```
InvalidRequestException
"Given S3 bucket name is invalid."
```
```
InvalidRequestException
"Provided S3 bucket is not valid: %s. Error: %s"
```
**Amazon S3 GetObject**
The following error message occurs when an invalid argument is provided, thus causing the Amazon S3 `GetObject` API operation to fail.
```
InvalidRequestException
"Provided argument for presigned url is invalid"
```
**Amazon S3 Version ID Support**
When requesting access to an Amazon S3 bucket using versioning control, make sure to include your `versionId` or the below error may populate.
For more information on Amazon S3 buckets using versioning control, see [Using versioning in Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html)
```
InvalidRequestException
"VersionId not found when attempting to access s3 url"
```
**Placeholders inside of a Presigned URL for file upload**
The following error messages appear when encountering issues with a placeholder inside of a presigned URL used for uploading files to a destination Amazon S3 bucket during a job deployment. For more information on using an Amazon S3 bucket for uploading files during a job deployment and what a local placeholder is, see [Presigned URL for file upload](create-manage-jobs.md#create-manage-jobs-presigned-URLs-upload).
The below error message appears when the local placeholder is not recognized.
```
InvalidJobDocumentException
"Undefined placeholder, ${...}, inside of presign url upload parameter"
```
The below error message appears when attempting to use the local placeholder in a presigned URL not meant for file upload.
```
InvalidJobDocumentException
"Local placeholder, ${...}, is only valid inside of presign url upload"
```
**Amazon S3 URL Nested Incorrectly**
The following error message appears when the Amazon S3 URL is incorrectly nested inside of another placeholder.
```
InvalidJobDocumentException
"${aws:%s[...]} should not be the second layer pattern."
```
**Package Version Artifact Nesting**
The following error message appears when the package version artifact presigned URL is incorrectly nested inside of another placeholder.
```
InvalidJobDocumentException
"${aws:iot:package:[...]:artifact:s3-presigned-url} cannot be nested inside another placeholder."
```
**Missing Package Version Artifact**
The following error message appears when the referenced package version artifact is not found.
```
InvalidJobDocumentException
"Package %s version %s does not have an associated artifact to generate an S3 presigned url."
```
**Software Package and Package Verion Placeholders**
The following error message appears when the job document placeholder for software package and package version can't resolve to the desired valid values for the job deployment due to multiple software packages and package versions referenced in the `destinationPackageVersions` parameter or the *Version ARN* tab on the *Package Version* details page.
```
InvalidJobDocumentException
"Cannot resolve empty package name and version name given multiple elements in destination package versions."
```
**Using Empty Software Package and Package Version**
The following error message appears when you attempt to attempt to use an empty package or package version without the other in a job document.
```
InvalidJobDocumentException
"Empty package name and version name have to be used in pair."
```
**Null Use in Job Document**
The following error message appears when you attempt to specify `$null` as a package version in the job document. `$null` can only be used inside of the `destinationPackageVersions` parameter when using the `CreateJob` API operation.
```
InvalidJobDocumentException
"$null is not allowed to be referenced as a package version in job documents."
```
**All Attributes in a Package Version**
The following error message appears when you attempt to use all attributes in a package version and surround it with additional text or placeholders.
For more information on using all attributes in a software package version, see [Substitution parameters for AWS IoT jobs](preparing-jobs-for-service-package-catalog.md#substitution-parameters)
```
InvalidJobDocumentException
"The package version attribute placeholder for all attributes has to be a json value by itself and not appended with other strings or nested with other placeholders."
```
**Local Placeholder Limit in Presigned URL for File Upload**
The following error message appears when you exceed the limit for number of local placeholders used in a presigned URL for file upload during a job deployment.
For more information on using a presigned URL for file upload during a job deployment, see [Presigned URL for file upload](create-manage-jobs.md#create-manage-jobs-presigned-URLs-upload)
```
InvalidJobDocumentException
"The occurrence of local placeholder %s within S3 presigned url upload placeholder exceeds limit of %d."
```
**Local Placeholders in an Amazon S3 Bucket**
The following error message appears when you attempt to place a local placeholder URL in the Amazon S3 bucket name for a presigned URL placeholder used for file upload during a job deployment.
For more information on using a presigned URL for file upload during a job deployment, see [Presigned URL for file upload](create-manage-jobs.md#create-manage-jobs-presigned-URLs-upload)
```
InvalidJobDocumentException
"S3 bucket name in presigned url upload is not allowed to contain any placeholders"
```
**Opening and Closing Brackets**
The following error message appears when you add a parameter or placeholder to a job document without a closing brace "\$1".
```
InvalidJobDocumentException
"One or more parameters or placeholders are not terminated."
```
**IAM role with Amazon S3 Presigned URL**
The following error message appears when you attempt to use an Amazon S3 presigned URL in a job document without an IAM role.
For more information on Amazon S3 presigned URLs, see [Working with presigned URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html).
```
InvalidRequestException
"presignedUrlConfig role ARN is required to generate an S3 presigned url in job document."
```
**IAM role with Amazon S3 Presigned URL for Package Version Artifact**
The following error message appears when you attempt to use an Amazon S3 presigned URL representing a package version artifact in a job document without an IAM role.
```
InvalidRequestException
"presignedUrlConfig role ARN is required to generate an S3 presigned url in job document for package %s version %s artifact."
```
## Software Bill of Materials Error Messages
This section lists common errors associated with a software bill of materials (SBOM) linked to a package version.
**Input Validation for SBOM Association Request**
The following error message appears when using the `AssociateSbomWithPackageVersion` API operation and the `s3Location` parameter is null.
```
InvalidRequestException "Associate request needs to include SBOM reference"
```
For more information on the `AssociateSbomWithPackageVersion` API operation, see [AssociateSbomWithPackageVersion](https://amazonaws.com/iot/latest/apireference/API_AssociateSbomWithPackageVersion.html).
**SBOM Validation Errors**
This section lists common errors seen during the initial validaiton of the software bill of materials (SBOM) when associated with a software package version.
The following error message appears when using the `AssociateSbomWithPackageVersion` API operation and `bucket` in the `s3Location` parameter is null.
```
InvalidRequestException "S3 bucket name for SBOM cannot be null"
```
The following error message appears when the string in `bucket` in the `s3Location` parameter for the `AssociateSbomWithPackageVersion` API operation is too long.
```
InvalidRequestException "S3 bucket name for SBOM is illegal. String length exceeds limit"
```
The following error message appears when the `key` parameter is null.
```
InvalidRequestException "S3 key name for SBOM cannot be null"
```
The following error message appears when the string in `key` in the `s3Location` parameter for the `AssociateSbomWithPackageVersion` API operation is too long.
```
InvalidRequestException "S3 key name for SBOM is illegal. String length exceeds limit"
```
The following error message appears when the string in `version` in the `s3Location` parameter for the `AssociateSbomWithPackageVersion` API operation is null.
```
InvalidRequestException "S3 object version for SBOM cannot be null"
```
The following error message appears when the string in `version` in the `s3Location` parameter for the `AssociateSbomWithPackageVersion` API operation is too long.
```
InvalidRequestException "S3 object version for SBOM is illegal. String length exceeds limit"
```
The following error message appears when the the size of the SBOM zip archive file stored in the Amazon S3 bucket is too big.
```
InvalidRequestException "S3 object file size exceeds limit"
```
The following error message appears when you use the `AssociateSbomWithPackageVersion` API operation and the current number of SBOM validations in progress is already at the maximum limit.
```
LimitExceededException "Too many ongoing SBOM validation workflows. Please wait and retry"
```
**Access Issues with SBOM File in Amazon S3 bucket**
The following error message appears when another entity fails to access the Amazon S3 bucket due to the Amazon S3 bucket not existing or the proper permissions have not been granted for accessing the Amazon S3 bucket.
For more information on the required permissions policy for accessing the Amazon S3 bucket, see [Software Bill of Materials Storage](preparing-to-use-software-package-catalog.md#spc-sbom-storage).
```
InvalidRequestException "SBOM not accessible by the service. Please make sure the bucket exists and S3 permission is granted."
```
The following error message appears when another entity fails to access the SBOM zip archive file in the `key` parameter due to the Amazon S3 bucket not existing or the proper permissions have not been granted for accessing content stored in the Amazon S3 bucket.
```
InvalidRequestException "SBOM not accessible by the service. Please make sure the key exists and S3 permission is granted."
```
The following error message appears when another entity fails to access the Amazon S3 bucket due to the bucket, key, and version ID not existing or the proper permissions have not been granted for accessing the Amazon S3 bucket. Additionally, this error message can appear if the permissions granted are insufficient for accessing the SBOM zip archive file in the Amazon S3 bucket.
```
InvalidRequestException "SBOM not accessible by the service. Please make sure the bucket/key/version exists and S3 permission is granted."
```
The following error message appears when another entity fails to access the Amazon S3 bucket due to the bucket being located in another region.
```
InvalidRequestException "Cross-region S3 bucket for %s is not supported."
```
The following error message appears when another entity fails to access the Amazon S3 bucket due to the `bucket`, `key`, or `version` parameters being spelled incorrectly when using the `AssociateSbomWithPackageVersion` API operation.
```
InvalidRequestException "Please make sure SBOM S3 bucket name/key length/version is valid"
```
# AWS IoT Device Advisor troubleshooting guide
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/device-advisor-troubleshooting.html) General
Q: Can I run multiple test suites in parallel?
A: Yes. Device Advisor now supports running multiple test suites on different devices using a Device-level endpoint. If you use the Account-level endpoint, you can run one suite at a time because one Device Advisor endpoint is available per account. For more information see [ Configure your device](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-setting-up.html#da-configure-device).
Q: I saw from my device that the TLS connection was denied by Device Advisor. Is this expected?
A: Yes. Device Advisor denies the TLS connection before and after each test run. We recommend that users implement a device retry mechanism to have a fully automated testing experience with Device Advisor. If you execute a test suite with more than one test case, for example TLS connect, MQTT connect, and MQTT publish, then we recommend that you have a mechanism built for your device. The mechanism can try to connect to our test endpoint every 5 seconds for a minute to two. In this way you can run multiple test cases in sequence in an automated manner.
Q: Can I get a history of Device Advisor API calls made on my account for security analysis and operational troubleshooting purposes?
A: Yes. To receive a history of Device Advisor API calls made on your account, you simply turn on CloudTrail in the AWS IoT Management Console and filter the event source to be `iotdeviceadvisor.amazonaws.com`.
Q: How do I view Device Advisor logs in CloudWatch?
A: Logs generated during a test suite run are uploaded to CloudWatch if you add the required policy (for example, **CloudWatchFullAccess**) to your service role (see [Setting up](device-advisor-setting-up.md)). If there is at least one test case in the test suite, a log group "aws/iot/deviceadvisor/\$1testSuiteId" is created with two log streams. One stream is the "\$1testRunId" and includes logs of actions taken before and after executing the test cases in your test suite, such as setup and cleanup steps. The other log stream is "\$1suiteRunId\$1\$1testRunId," which is specific to a test suite run. Events sent from devices and AWS IoT Core will be logged to this log stream.
Q: What is the purpose of the device permission role?
A: Device Advisor stands between your test device and AWS IoT Core to simulate test scenarios. It accepts connections and messages from your test devices and forwards them to AWS IoT Core by assuming your device permission role and initiating a connection on your behalf. It’s important to make sure the device role permissions are the same as those on the certificate you use for running tests. AWS IoT certificate policies are not enforced when Device Advisor initiates a connection to AWS IoT Core on your behalf by using the device permission role. However, the permissions from the device permission role you set are enforced.
Q: In what Regions is Device Advisor supported?
A: Device Advisor is supported in us-east-1, us-west-2, ap-northeast-1, and eu-west-1 Regions.
Q: Why do I see inconsistent results?
A: One of the primary causes of inconsistent results is setting a test's `EXECUTION_TIMEOUT` to a value that is too low. For more information about recommended and default `EXECUTION_TIMEOUT` values, see [Device Advisor test cases](https://docs.aws.amazon.com//iot/latest/developerguide/device-advisor-tests.html).
Q: What MQTT protocol does Device Advisor support?
A: Device Advisor supports MQTT Version 3.1.1 with X509 client certificates.
Q: What if my test case failed with an execution timed out message even though I tried to connect my device to the test endpoint?
A: Validate all the steps under [ Create an IAM role to be used as your device role](https://docs.aws.amazon.com//iot/latest/developerguide/device-advisor-setting-up.html#da-iam-role). If the test still fails, it could be that the device is not sending the correct Server Name Indication (SNI) extension, which is required for Device Advisor to work. The correct SNI value is the endpoint address returned when following the [ Configure your device section](https://docs.aws.amazon.com//iot/latest/developerguide/device-advisor-setting-up.html#da-configure-device). AWS IoT also requires devices to send the Server Name Indication (SNI) extension to the Transport Layer Security (TLS) protocol. For more information, see [Transport security in AWS IoT](https://docs.aws.amazon.com//iot/latest/developerguide/transport-security.html).
Q: My MQTT connection fails with an "libaws-c-mqtt: AWS\$1ERROR\$1MQTT\$1UNEXPECTED\$1HANGUP" error (or) my device’s MQTT connection is being automatically disconnected from the Device Advisor endpoint. How can this error be resolved?
A: This particular error code and unexpected disconnections can be caused by many different things, but is most likely related to the [device role](https://docs.aws.amazon.com/iot/latest/developerguide/device-advisor-setting-up.html#da-iam-role) attached to the device. The below checkpoints (in order of priority) will resolve this issue.
+ The device role attached to the device must have the minimum IAM permissions required to run the tests. Device Advisor will use the attached device role to perform AWS IoT MQTT actions on behalf of the test device. If required permissions are absent, then the `AWS_ERROR_MQTT_UNEXPECTED_HANGUP` error will be seen or unexpected disconnections will happen while the device tries to connect to Device Advisor endpoint. For example, if you selected to run the **MQTT Publish** test case, both Connect and Publish actions must be included in the role with the corresponding ClientId and Topic (you can provide multiple values by using commas to separate the values, and you can provide prefix values using a wildcard (\$1) character. For example: To provide permissions to publish on any topic beginning with `TestTopic`, you can provide "`TestTopic*`” as the resource value. Here are some [ examples of policies](https://docs.aws.amazon.com/iot/latest/developerguide/example-iot-policies.html).
+ Mismatch between the values defined in the device role for your resource types and the actual values used in code. For example: A mismatch in ClientId defined in the role and the actual ClientId used in your device code. Values like ClientId, Topic, and TopicFilter must be identical in the device role and code.
+ The device certificate attached to your device must be active and have a [policy](https://docs.aws.amazon.com//iot/latest/developerguide/certificate-policy-examples.html) attached to it with the required [ action permissions](https://docs.aws.amazon.com//iot/latest/developerguide/iot-policy-actions.html) for [resources](https://docs.aws.amazon.com//iot/latest/developerguide/iot-action-resources.html). Note that, the device certificate policy grants or denies access to AWS IoT resources and AWS IoT Core data plane operations. Device Advisor requires you to have an active device certificate attached to your device which grants the action permissions used during a test case.
# AWS IoT errors
**Help us improve this topic**
[Let us know what would help make it better](https://docs.aws.amazon.com//forms/aws-doc-feedback?hidden_service_name=IoT%20Docs&topic_url=http://docs.aws.amazon.com/en_us/iot/latest/developerguide/iot-errors.html)
This section lists the error codes sent by AWS IoT.
**Message broker error codes**
| Error code | Error description |
| --- | --- |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 426 | Upgrade required. |
| 503 | Service unavailable. |
**Identity and security error codes**
| Error code | Error description |
| --- | --- |
| 401 | Unauthorized. |
**Device shadow error codes**
| Error code | Error description |
| --- | --- |
| 400 | Bad request. |
| 401 | Unauthorized. |
| 403 | Forbidden. |
| 404 | Not found. |
| 409 | Conflict. |
| 413 | Request too large. |
| 422 | Failed to process request. |
| 429 | Too many requests. |
| 500 | Internal error. |
| 503 | Service unavailable. |