Policy Thing Problem

0

Dear all, I am facing an issue with the thing policies. I need to have a restriction in the publish and subscribe resources such that the thing name must be included, and to have the resource of the action iot:Connect be a `*`. The problem is that if I use policy version 2, as mentioned, nothing would be published unless the client_ID that I am using matches the Thing name, which is not my intention. I need to have a flexible client_ID not restricted to the thing name, while restricting the topics to publish and subscribe to the thing name, since I am interested in having two codes or two clients that publish onto the same topic and can read data from each other. If I leave everything without restriction, as in policy 3, it works, but I need to have certain restrictions. How can I solve this issue?

Policy Version 1:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": "arn:aws:iot:eu-central-1:624671744366:client/${iot:Connection.Thing.ThingName}"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iot:Publish",
                    "iot:Receive"
                ],
                "Resource": [
                    "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": [
                    "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
                ]
            }
        ]
    }

Policy Version 2:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iot:Publish",
                    "iot:Receive"
                ],
                "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
            }
        ]
    }

Policy Version 3:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:Connect",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iot:Publish",
                    "iot:Receive"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "iot:Subscribe",
                "Resource": "*"
            }
        ]
    }

asked 12 days ago, 86 views
2 Answers
0

Please check the policy below once:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iot:ClientId": "${iot:Connection.Thing.ThingName}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish",
                "iot:Receive"
            ],
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"
        },
        {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"
        }
    ]
}

answered 12 days ago
0

Hi. Please see here in regards to the thing name policy variable: https://docs.aws.amazon.com/iot/latest/developerguide/thing-policy-variables.html

The thing name is obtained from the client ID in the MQTT Connect message sent when a thing connects to AWS IoT Core.

When you're replacing thing names with thing policy variables, the value of clientId in the MQTT connect message or the TLS connection must exactly match the thing name.

So it's currently not possible to use that policy variable and "have a flexible client_ID not restricted to thing name".

Greg_B (AWS, EXPERT)
answered 11 days ago
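The behaviour Greg_B describes, shown as an added example that is not part of the original thread and not AWS code: a small Python evaluator that models how AWS IoT resolves `${iot:Connection.Thing.ThingName}` from the MQTT client ID and matches `*` wildcards in resource ARNs. The policy is the question's Policy Version 2 (region and account ID as given in the question). The registered thing name `sensor-01`, the two client IDs and the topic `sensor-01/telemetry` are constructed for the example. This is a simplified model of the policy engine, not the real one: it supports only `*` in resources, applies explicit Deny before Allow, and treats a statement whose thing-name variable cannot be resolved as matching nothing, which is exactly why a client ID that differs from the thing name can connect but cannot publish.

```python
import json
import re

THING_VAR = "${iot:Connection.Thing.ThingName}"

# The question's "Policy Version 2" (region and account id as given there).
POLICY_V2 = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": "arn:aws:iot:eu-central-1:624671744366:topic/${iot:Connection.Thing.ThingName}/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": "arn:aws:iot:eu-central-1:624671744366:topicfilter/${iot:Connection.Thing.ThingName}/*"}
    ]
}
""")

# Constructed registry: the only registered thing is named "sensor-01".
REGISTERED_THINGS = {"sensor-01"}

# Constructed request target: the thing's own telemetry topic.
TOPIC_ARN = "arn:aws:iot:eu-central-1:624671744366:topic/sensor-01/telemetry"


def resolve_thing_name(client_id, registered_things):
    """Model of the documented rule: the thing name used by the policy variable is
    taken from the MQTT client ID, so it resolves only when the client ID is exactly
    the name of a registered thing. Returns None when it cannot be resolved."""
    return client_id if client_id in registered_things else None


def arn_matches(pattern, arn):
    """Match a policy Resource against a request ARN; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, client_id, registered_things):
    """Simplified evaluation: a matching explicit Deny wins, otherwise any matching
    Allow permits the request, otherwise the request is denied."""
    thing_name = resolve_thing_name(client_id, registered_things)
    decision = False
    for statement in policy["Statement"]:
        if action not in _as_list(statement["Action"]):
            continue
        for resource in _as_list(statement["Resource"]):
            if THING_VAR in resource:
                if thing_name is None:
                    # Unresolvable policy variable: this resource can match nothing.
                    continue
                resource = resource.replace(THING_VAR, thing_name)
            if arn_matches(resource, resource_arn):
                if statement["Effect"] == "Deny":
                    return False
                decision = True
    return decision


def publish_outcomes():
    """Try to publish to the thing's topic from a client ID equal to the thing name
    and from a 'flexible' client ID that is not a registered thing (both constructed)."""
    return {
        client_id: is_allowed(POLICY_V2, "iot:Publish", TOPIC_ARN, client_id, REGISTERED_THINGS)
        for client_id in ("sensor-01", "sensor-01-writer")
    }


if __name__ == "__main__":
    for client_id, allowed in publish_outcomes().items():
        print(f"clientId={client_id!r}: publish {'allowed' if allowed else 'denied'}")
```

Running it reports that `sensor-01` may publish while `sensor-01-writer` is denied, even though both are allowed to connect under the `"Resource": "*"` Connect statement; the variable-based topic statements simply never match for the second client, which is the symptom described in the question.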
