Policy Thing Problem


Dear all, I am facing an issue with the thing policies. I need to have a restriction in the publish and subscribe resources such that the thing name must be included, and to have the resource of the action iot:Connect be a *. The problem is that if I use policy version 2 as mentioned, nothing would be published unless the client_ID that I am using matches the Thing name, which is not my intention. I need to have a flexible client_ID not restricted to the thing name, while restricting the topics to publish and subscribe to the thing name, since I am interested in having two codes or two clients that publish on the same topic and can read data from each other. If I leave everything without restriction, as in policy 3, it works, but I need to have certain restrictions. How can I solve this issue?

Policy Version 1:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:client/${iot:Connection.Thing.ThingName}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": [
                "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

Policy Version 2:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

Policy Version 3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "*"
        }
    ]
}

asked a month ago, 96 views

2 Answers

Please check the policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientId": "${iot:Connection.Thing.ThingName}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

answered a month ago

Hi. Please see here regarding the thing name policy variable: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

The thing name is obtained from the client ID in the MQTT Connect message sent when a thing connects to AWS IoT Core.

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name.

So it's currently not possible to use that policy variable and "have a flexible client_ID not restricted to thing name".

AWS EXPERT
Greg_B
answered 25 days ago
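As an added example (not code from either answer), here is a small Python simulation of the rule Greg_B describes: the thing policy variable resolves only when the MQTT clientId equals the thing name, so a resource ARN containing it can match nothing otherwise. The policies are reconstructed from the question's Policy Version 2 and 3 (with the `*` wildcards the page rendering dropped), the region and account are the ones in the question, and the evaluator is deliberately simplified (Allow statements only, no Deny, single policy).

```python
import fnmatch

THING_VAR = "${iot:Connection.Thing.ThingName}"
ARN_PREFIX = "arn:aws:iot:eu-central-1:624671744366"  # region and account from the question

# Policy Version 2 from the question, with the '*' wildcards the page rendering dropped.
POLICY_2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": f"{ARN_PREFIX}:topic/{THING_VAR}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN_PREFIX}:topicfilter/{THING_VAR}/*"},
    ],
}
# Policy Version 3 from the question: every action on every resource.
POLICY_3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": a, "Resource": "*"}
                  for a in ("iot:Connect", ["iot:Publish", "iot:Receive"], "iot:Subscribe")],
}

def resolve_resource(resource, client_id, thing_name):
    """Substitute the thing policy variable. It resolves only when the MQTT clientId
    equals the thing name; otherwise the ARN stays unresolved and can never match,
    which is why publishes fail under Policy 2 with a different clientId."""
    if THING_VAR not in resource:
        return resource
    if client_id != thing_name:
        return None
    return resource.replace(THING_VAR, thing_name)

def is_allowed(policy, action, resource_arn, client_id, thing_name):
    """Simplified evaluator: True if any Allow statement grants `action` on `resource_arn`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        for res in resources:
            resolved = resolve_resource(res, client_id, thing_name)
            if resolved is not None and fnmatch.fnmatchcase(resource_arn, resolved):
                return True
    return False

def publish_allowed(policy, client_id, thing_name, topic):
    """Could a device registered as `thing_name`, connecting as `client_id`, publish to `topic`?"""
    return is_allowed(policy, "iot:Publish", f"{ARN_PREFIX}:topic/{topic}", client_id, thing_name)
```

With Policy 2, `publish_allowed(POLICY_2, "sensor-01-b", "sensor-01", "sensor-01/data")` is False while the same call with clientId "sensor-01" is True, reproducing the symptom in the question; Policy 3 allows both.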
