Preparations

Please ensure that the following steps are completed to prepare for troubleshooting.

Step 1: Configure logging

To monitor AWS IoT activity, you should enable logging.

Create a logging role

Ensure that you have a logging role with the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iot.amazonaws.com",
          "iotwireless.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Example policy for the logging role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/iotwireless*",
                "arn:aws:logs:*:*:log-group:/aws/iot*"
            ]
        }
    ]
}

Enable debug logging

aws iot set-v2-logging-options \
    --role-arn logging-role-arn \
    --no-disable-all-logs \
    --default-log-level log-level

View logs

Please view the AWS CloudWatch logs in the log groups /aws/iotwireless and AWSIotLogsV2.

Step 2: Ensure that the IAM role for AWS IoT Core for LoRaWAN destinations exists and has the right policies assigned

Please use AWS IAM to add an IAM role with the following configuration:

Trust relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iotwireless.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permissions
Role permissions will depend on your use cases. However, they should at least contain the permission to publish to an IoT topic:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": [
                "arn:aws:iot:<region>:<your account id>:topic/*"
            ]
        }
    ]
}

Please adjust the policy according to your use case following a least privilege principle.
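One way to check a destination role against the least privilege principle before attaching it, as an added example that is not part of the original page or of any AWS tooling. The function names, region, account id and the lorawan/uplink topic prefix are assumptions made for illustration.

```python
EXPECTED_SERVICE = "iotwireless.amazonaws.com"  # service named in the trust policy above

def _as_list(value):
    """IAM accepts a string or a list for Statement, Action, Resource and Service."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def audit_trust(policy):
    """Flag every allowed principal other than the IoT Wireless service."""
    findings = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust: any principal may assume the role")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) != ("Service", EXPECTED_SERVICE):
                    findings.append(f"trust: unexpected principal {kind}={value}")
    return findings

def audit_permissions(policy):
    """Flag wildcard actions and resources that are not scoped to a topic prefix."""
    findings = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"permissions: wildcard action {action}")
        for res in _as_list(stmt.get("Resource")):
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6:
                findings.append(f"permissions: unscoped resource {res}")
            elif "*" in (parts[3], parts[4]):
                findings.append(f"permissions: wildcard region or account in {res}")
            elif parts[5] in ("*", "topic/*"):
                findings.append(f"permissions: every topic allowed by {res}")
    return findings

# Constructed samples: region, account id and topic prefix are placeholders.
BROAD = {"Statement": [{"Effect": "Allow", "Action": ["iot:Publish"],
         "Resource": ["arn:aws:iot:eu-west-1:111122223333:topic/*"]}]}
SCOPED = {"Statement": [{"Effect": "Allow", "Action": "iot:Publish",
          "Resource": "arn:aws:iot:eu-west-1:111122223333:topic/lorawan/uplink/*"}]}
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": [EXPECTED_SERVICE]}}]}
for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
    print(name, audit_permissions(doc) + audit_trust(TRUST))
```

The broad sample mirrors the minimum policy shown above and is reported because it allows publishing to every topic; the scoped sample passes because it is limited to one topic prefix.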

Step 3: Ensure that the IoTWirelessGatewayCertManagerRole IAM role exists and has the correct policies assigned

See instructions here for a description of the steps to verify role existence and create the role.