I have an IoT Core policy on a certificate where I'm trying to allow subscribe access to all topics under the 'thing-name', but I continuously get errors on the Greengrass client about subscribing to these nodes UNLESS I open up the Resource to "*".
I can't see what is wrong with the policy I have below:
{
  "Effect": "Allow",
  "Action": [
    "iot:Subscribe"
  ],
  "Resource": [
    "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/#",
    "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/#",
    "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/tunnels/#",
    "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/abc/${iot:Connection.Thing.ThingName}/#"
  ]
},
On the device:
2023-11-02T05:02:50.314Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/update/accepted, reasonCode=135}
2023-11-02T05:02:50.354Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/jobs/$next/namespace-aws-gg-deployment/get/rejected, reasonCode=135}
2023-11-02T05:02:50.393Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/update/rejected, reasonCode=135}
2023-11-02T05:02:50.434Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/jobs/notify-namespace-aws-gg-deployment, reasonCode=135}
2023-11-02T05:02:50.474Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/get/accepted, reasonCode=135}
2023-11-02T05:03:04.189Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/tunnels/notify, reasonCode=135}
2023-11-02T05:03:13.936Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=abc/12345678/v1/video/#, reasonCode=135}
2023-11-02T05:05:12.183Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/tunnels/notify, reasonCode=135}
Hi Greg_B - No, this is just anonymised, but it's an exact match for the Thing name in the IoT Core registry. What I found was that if I put a '*' in place of the '#', the permissions worked - but this seems to contravene the AWS documentation I can find. I'm still confused as to what the correct policy specification is.
Oh I see. I thought you meant replacing the policy variable with '*'. The problem is that '#' is not a valid wildcard character in an IoT policy: https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cert
To add to Greg's answer, wildcards differ based on whether they are used in an IoT (or IAM) policy vs. within the MQTT protocol. '#' and '+' are interpreted literally in IoT policies, while '*' will be a greedy wildcard. To limit access, check out the available policy variables. If your certificate is attached to a thing, the 'thingName' variable can be used, or you could use X.509 subject attributes too, such as 'cn' / 'o' / 'ou'.
Thanks for that, I must have been reading this wrong.
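To make the two answers concrete, here is an added Python example (not code from the thread, from AWS, or from Greengrass) that models how IoT Core matches a subscribe request against the policy's Resource list and runs that check over the error lines quoted in the question. The matcher assumes the documented IoT policy rules: '*' matches any run of characters, '?' matches exactly one, and everything else, including the MQTT wildcards '#' and '+', is literal. The policy variable is expanded with the thing name, which per the thread equals the logged clientId; the "xxxx" account id is the question's own placeholder, and the log-parsing regex is this example's assumption about the line format.

```python
import re

# Statement quoted from the question: MQTT '#' at the end of every topic filter.
HASH_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iot:Subscribe"],
    "Resource": [
        "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/jobs/#",
        "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/shadow/#",
        "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/$aws/things/${iot:Connection.Thing.ThingName}/tunnels/#",
        "arn:aws:iot:ap-southeast-2:xxxx:topicfilter/abc/${iot:Connection.Thing.ThingName}/#",
    ],
}

# Same statement with the IoT policy wildcard '*' in place of the literal '#'.
STAR_STATEMENT = {
    **HASH_STATEMENT,
    "Resource": [r[:-1] + "*" for r in HASH_STATEMENT["Resource"]],
}

# Three of the Greengrass error lines quoted in the question (clientId is the thing name).
LOG_LINES = """\
2023-11-02T05:02:50.314Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/shadow/name/AWSManagedGreengrassV2Deployment/update/accepted, reasonCode=135}
2023-11-02T05:02:50.354Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=$aws/things/12345678/jobs/$next/namespace-aws-gg-deployment/get/rejected, reasonCode=135}
2023-11-02T05:03:13.936Z [ERROR] (AwsEventLoop 3) com.aws.greengrass.mqttclient.AwsIotMqtt5Client: Error subscribing to topic. {clientId=12345678, topic=abc/12345678/v1/video/#, reasonCode=135}
"""

REGION = "ap-southeast-2"
ACCOUNT = "xxxx"  # placeholder account id, as in the question

# Assumed log format: "... {clientId=<id>, topic=<filter>, reasonCode=<n>}".
TOPIC_RE = re.compile(r"clientId=(?P<client>[^,]+), topic=(?P<topic>[^,]+), reasonCode=(?P<code>\d+)")


def expand_policy_variables(resource, thing_name):
    """IoT Core substitutes the connection's thing name into the policy variable at evaluation time."""
    return resource.replace("${iot:Connection.Thing.ThingName}", thing_name)


def resource_matches(resource_arn, requested_arn):
    """IoT policy matching: '*' is a greedy wildcard, '?' is one character, all else is literal."""
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in resource_arn
    )
    return re.fullmatch(pattern, requested_arn) is not None


def subscribe_allowed(statement, thing_name, topic_filter):
    """True if an iot:Subscribe for topic_filter is allowed by this single Allow statement."""
    if statement["Effect"] != "Allow" or "iot:Subscribe" not in statement["Action"]:
        return False
    requested = "arn:aws:iot:%s:%s:topicfilter/%s" % (REGION, ACCOUNT, topic_filter)
    return any(
        resource_matches(expand_policy_variables(r, thing_name), requested)
        for r in statement["Resource"]
    )


def failed_subscriptions(log_text):
    """Extract (clientId, topic filter) pairs from Greengrass 'Error subscribing' lines."""
    return [(m["client"], m["topic"]) for m in TOPIC_RE.finditer(log_text)]


def evaluate_log(statement, log_text):
    """Map each logged topic filter to whether the statement would have allowed it."""
    return {
        topic: subscribe_allowed(statement, client, topic)
        for client, topic in failed_subscriptions(log_text)
    }


if __name__ == "__main__":
    for name, statement in (("with '#'", HASH_STATEMENT), ("with '*'", STAR_STATEMENT)):
        print("policy", name)
        for topic, allowed in evaluate_log(statement, LOG_LINES).items():
            print("  %-5s %s" % ("ALLOW" if allowed else "DENY", topic))
```

Running it shows every logged filter denied under the '#' statement (the literal '#' only matches a request for exactly that filter) and allowed under the '*' statement, while a filter under another thing's `$aws/things/<other>/...` prefix is still denied because the policy variable pins the resource to the connecting thing; that is the least-privilege property the thread is after without opening the Resource to "*".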